Cybersecuritynews
Trivy Vulnerability Scanner Compromised in Supply Chain Attack
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
The Trivy vulnerability scanner was compromised in a supply-chain attack by TeamPCP, which injected credential-stealing malware into official releases and GitHub Actions. The breach was disclosed on March 21, 2026, and is linked to a prior incident where credentials were exfiltrated from Trivy's environment. Attackers manipulated the GitHub build process, force-pushing 75 out of 76 version tags in the trivy-action repository to redirect to malicious commits. The compromised version 0.69.4 of Trivy included backdoored binaries that acted as infostealers. The malware targets sensitive information, such as SSH keys and cloud provider credentials, and exfiltrates this data to a typosquatted command-and-control server. If exfiltration fails, the malware creates a public repository on the victim's GitHub account to upload the stolen data. Security experts recommend immediate rotation of secrets for any affected users. The attack's impact is significant due to Trivy's widespread use in CI/CD pipelines.
Key Points: • Trivy was compromised in a supply-chain attack, affecting many CI/CD workflows. • Attackers manipulated GitHub Actions, backdooring 75 out of 76 version tags. • Immediate rotation of secrets is advised for all users of the compromised versions.