Trivy Security Scanner’s GitHub Actions Compromised Again, Exposing CI/CD Secrets
In a concerning development for the software development community, Trivy, a widely used open-source vulnerability scanner developed by Aqua Security, has suffered its second security breach within a month. This latest incident compromised GitHub Actions associated with Trivy, resulting in unauthorized access to, and potential theft of, sensitive Continuous Integration and Continuous Deployment (CI/CD) secrets.
Details of the Breach
The breach specifically targeted two GitHub Actions: `aquasecurity/trivy-action` and `aquasecurity/setup-trivy`. These actions are integral to developers who utilize Trivy for scanning Docker container images for vulnerabilities and for setting up specific versions of the scanner within their GitHub workflows.
Security researcher Philipp Burckhardt from Socket reported that an attacker force-pushed 75 out of 76 version tags in the `aquasecurity/trivy-action` repository. These tags were altered to deliver a malicious payload, effectively transforming trusted version references into a distribution mechanism for an infostealer. This payload, when executed within GitHub Actions runners, was designed to extract valuable developer secrets from CI/CD environments. The compromised data includes SSH keys, credentials for cloud service providers, databases, Git, Docker configurations, Kubernetes tokens, and cryptocurrency wallets.
Context and Previous Incidents
This breach follows closely on the heels of a previous incident involving Trivy. In late February and early March 2026, an autonomous bot named hackerbot-claw exploited a `pull_request_target` workflow to steal a Personal Access Token (PAT). This token was then used to gain control of the Trivy GitHub repository, leading to the deletion of several release versions and the publication of two malicious versions of its Visual Studio Code (VS Code) extension to Open VSX.
The initial signs of this compromise were identified by security researcher Paul McCarty, who noticed a new compromised release (version 0.69.4) published to the `aquasecurity/trivy` GitHub repository. This rogue version has since been removed. According to security firm Wiz, version 0.69.4 initiated both the legitimate Trivy service and malicious code responsible for several tasks:
– Data Theft: The malicious code scanned the system for environment variables and credentials, encrypted the data, and exfiltrated it via an HTTP POST request to a malicious domain.
– Persistence Mechanism: The code established persistence by using a systemd service after confirming it was running on a developer machine. This service was configured to run a Python script (`sysmon.py`) that polled an external server to retrieve and execute additional payloads.
Response from Aqua Security
Itay Shakury, Vice President of Open Source at Aqua Security, acknowledged that attackers exploited a compromised credential to publish malicious versions of Trivy, `trivy-action`, and `setup-trivy`. In the case of `aquasecurity/trivy-action`, the adversary force-pushed 75 version tags to point to malicious commits containing the Python infostealer payload. This was done without creating a new release or pushing to a branch, deviating from standard practices. Similarly, seven `aquasecurity/setup-trivy` tags were force-pushed in the same manner.
Burckhardt noted that the attacker possessed valid credentials with sufficient privileges to push code and rewrite tags, enabling the observed tag poisoning. The exact credential used in this specific step remains unclear, but the root cause has been identified as credential compromise carried over from the earlier hackerbot-claw incident.
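Because the tags were rewritten without a new release or branch push, the reliable signal is a tag name that now resolves to a different commit than it did before. The following is an added example, not code from Aqua Security or Socket: it compares two saved outputs of `git ls-remote --tags` and reports moved tags. The tag names and SHAs are constructed sample data.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def parse_ls_remote(text):
    """Parse `git ls-remote --tags <url>` output into {tag: commit SHA}."""
    tags = {}
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) != 2 or not SHA_RE.match(parts[0])
                or not parts[1].startswith("refs/tags/")):
            continue
        sha, name = parts[0], parts[1][len("refs/tags/"):]
        if name.endswith("^{}"):
            # Peeled line: the commit behind an annotated tag. It wins.
            tags[name[:-3]] = sha
        else:
            tags.setdefault(name, sha)
    return tags

def diff_tags(baseline, current):
    """Compare two {tag: sha} snapshots; a moved tag is the poisoning signal."""
    moved = {t: (baseline[t], current[t])
             for t in baseline if t in current and baseline[t] != current[t]}
    deleted = sorted(t for t in baseline if t not in current)
    added = sorted(t for t in current if t not in baseline)
    return moved, deleted, added

def _line(ch, ref):
    # Constructed sample data: a fake 40-hex SHA made of one repeated digit.
    return ch * 40 + "\t" + ref

# Constructed snapshots (not real Trivy tags or commits).
BASELINE = "\n".join([
    _line("a", "refs/tags/v1.0.0"),
    _line("b", "refs/tags/v1.1.0"),
    _line("c", "refs/tags/v1.2.0"),      # annotated tag object
    _line("d", "refs/tags/v1.2.0^{}"),   # commit it points to
])
CURRENT = "\n".join([
    _line("e", "refs/tags/v1.0.0"),      # lightweight tag now on another commit
    _line("b", "refs/tags/v1.1.0"),
    _line("9", "refs/tags/v1.2.0"),
    _line("f", "refs/tags/v1.2.0^{}"),   # annotated tag re-created elsewhere
    _line("1", "refs/tags/v1.3.0"),
])

if __name__ == "__main__":
    print(diff_tags(parse_ls_remote(BASELINE), parse_ls_remote(CURRENT)))
```

Run on a schedule against each third-party action a pipeline depends on, any entry in `moved` warrants investigation before the next workflow run.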
Implications for the Developer Community
This series of breaches underscores the critical importance of securing CI/CD pipelines and the tools integrated within them. GitHub Actions, being a popular choice for automating software workflows, have become attractive targets for attackers aiming to infiltrate development environments and exfiltrate sensitive information.
The incidents involving Trivy highlight several key vulnerabilities:
1. Credential Management: The compromise of Personal Access Tokens (PATs) and other credentials can lead to unauthorized access and control over repositories.
2. Supply Chain Attacks: By injecting malicious code into widely used tools and libraries, attackers can propagate malware across numerous projects and organizations.
3. Persistence Mechanisms: The use of system services and scripts to maintain a foothold in compromised systems allows attackers to execute additional payloads and exfiltrate data over extended periods.
Recommendations for Mitigation
To safeguard against similar attacks, developers and organizations should consider implementing the following measures:
– Regular Credential Rotation: Periodically update and rotate access tokens, passwords, and other credentials to minimize the risk of unauthorized access.
– Least Privilege Principle: Assign the minimum necessary permissions to users and tokens to perform their tasks, reducing the potential impact of a compromised credential.
– Monitor for Anomalies: Implement monitoring tools to detect unusual activities, such as unexpected tag changes or unauthorized commits, which may indicate a security breach.
– Secure CI/CD Pipelines: Review and harden CI/CD workflows to prevent unauthorized code execution and ensure that only trusted actions and dependencies are used.
– Incident Response Planning: Develop and regularly update incident response plans to quickly address and mitigate the effects of security breaches.
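For the "Secure CI/CD Pipelines" item, one concrete check is whether workflows reference actions by a mutable tag or branch, which is the kind of reference the force-pushed tags took over. The following is an added example, not part of the original article or any project's tooling: it scans workflow text for `uses:` entries that are not pinned to a full 40-character commit SHA. The sample workflow, its SHA and the `vX.Y.Z` placeholder are constructed.

```python
import re

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Return (line_no, reference, reason) for each `uses:` entry
    that is not pinned to a full 40-character commit SHA."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local actions and container images are out of scope here
        _action, _, version = ref.partition("@")
        if not version:
            findings.append((n, ref, "no ref given"))
        elif not FULL_SHA.match(version):
            findings.append((n, ref, "mutable tag or branch"))
    return findings

# Constructed workflow: the SHA and the vX.Y.Z placeholder are not real values.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/setup-trivy@vX.Y.Z
      - name: Scan image
        uses: aquasecurity/trivy-action@master
      - uses: ./local-action
"""

if __name__ == "__main__":
    for line_no, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} ({reason})")
```

A SHA pin only helps if the pinned commit was itself reviewed, so pair this check with a review step whenever the pin is updated.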
Conclusion
The repeated compromises of Trivy’s GitHub Actions serve as a stark reminder of the evolving threats facing the software development ecosystem. As attackers continue to target CI/CD pipelines and associated tools, it is imperative for developers and organizations to adopt robust security practices, continuously monitor their environments, and remain vigilant against emerging threats.