Trivy GitHub Actions Compromised: 75 Tags Hijacked to Steal CI/CD Secrets
These articles are AI-generated summaries. Please check the original sources for full details.
Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets
Aqua Security’s Trivy vulnerability scanner suffered a second supply chain compromise in one month via its GitHub Actions repositories. Attackers force-pushed 75 malicious version tags to the “aquasecurity/trivy-action” repository to distribute a credential-stealing payload.
Why This Matters
The incident highlights the technical vulnerability of relying on mutable Git tags for supply chain security. While engineers often treat version tags as stable pointers, they can be force-pushed by any entity with write access, effectively turning trusted version references into distribution channels for malware. This breach demonstrates that the failure to atomically rotate all secrets and tokens after an initial compromise allows attackers to maintain persistence, rendering partial containment efforts ineffective against sophisticated threat actors like TeamPCP.
Key Insights
- Attackers force-pushed 75 out of 76 version tags in the aquasecurity/trivy-action repository to serve a malicious infostealer payload (Socket, 2026).
- The malicious payload targets CI/CD secrets including SSH keys, cloud provider credentials, Kubernetes tokens, and Solana validator key pairs.
- Data exfiltration utilizes a primary endpoint at scan.aquasecurtiy[.]org, with a fallback mechanism that stages stolen data in public GitHub repositories named ‘tpcp-docs’.
- Persistence is achieved on developer machines via a systemd service running a Python script named ‘sysmon.py’ that polls an external server for payloads (Wiz, 2026).
- The breach is linked to the ‘hackerbot-claw’ incident from February 2026, where incomplete containment allowed attackers to intercept refreshed tokens.
Practical Applications
- Pin GitHub Actions to full commit SHA hashes rather than version tags to prevent tag-poisoning attacks.
- Implement atomic secret rotation and session revocation across all CI/CD environments immediately following a detected breach.
- Configure network-level blocking for the exfiltration domain scan.aquasecurtiy[.]org and IP 45.148.10[.]212.
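
An added example (not from the original article, Aqua Security, or the cited vendors) of auditing for the first recommendation above: it scans workflow text and reports every remote `uses:` reference that is not pinned to a full 40-character commit SHA. The sample workflow, the `v0.0.0` tag and the SHA value are constructed placeholders, and the function name `audit_workflow` is hypothetical.

```python
import re

# Captures the value of a step- or job-level "uses:" key, ignoring quotes and trailing comments.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)

def audit_workflow(text):
    """Return (line_no, reference, reason) for each remote action not pinned to a full commit SHA."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions (./) and docker:// images are not Git refs; out of scope for this check.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _target, sep, version = ref.rpartition("@")
        if not sep:
            findings.append((line_no, ref, "no ref given"))
        elif not FULL_SHA_RE.match(version):
            # Tags and branches can be moved by anyone with write access to the repository.
            findings.append((line_no, ref, "mutable ref (tag or branch)"))
    return findings

# Constructed sample workflow: two tag-pinned steps, one SHA-pinned step, one local action.
SAMPLE = """\
name: scan
on: push
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@v0.0.0   # constructed tag
      - name: pinned
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for line_no, ref, reason in audit_workflow(SAMPLE):
        print(f"line {line_no}: {ref}: {reason}")
```

A check like this can run over `.github/workflows/*.yml` as a CI gate, so a tag-pinned action fails review before it ever executes with secrets in scope.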