Aqua Security’s Trivy Scanner Breach: A Supply Chain Attack Exposes CI/CD Credentials
In a significant supply chain attack, Aqua Security’s widely utilized open-source vulnerability scanner, Trivy, was compromised, leading to the distribution of malicious releases. This breach transformed a trusted security tool into a conduit for extensive credential theft within Continuous Integration and Continuous Deployment (CI/CD) pipelines. The incident underscores the escalating sophistication of cyber threats targeting the software supply chain.
Initial Breach and Exploitation
The attack commenced in late February 2026 when threat actors exploited a misconfiguration within Trivy’s GitHub Actions environment. This vulnerability allowed them to extract a privileged access token, granting unauthorized access to the repository. Despite Aqua Security’s disclosure of the incident and subsequent credential rotation on March 1, the remediation was incomplete. Residual access persisted due to still-valid credentials, enabling the adversary to maintain a foothold within the system.
Escalation and Malicious Deployment
On March 19, the attackers escalated their activities by force-pushing malicious commits to 76 of 77 version tags in the `aquasecurity/trivy-action` repository and all seven tags in `aquasecurity/setup-trivy`. Concurrently, a compromised service account triggered automated release pipelines, resulting in the publication of a backdoored Trivy binary labeled as version 0.69.4. Rather than introducing a conspicuously malicious new version, the attackers altered existing version tags. This strategy allowed them to silently inject malicious code into workflows that organizations were already executing, thereby increasing the likelihood of widespread adoption without immediate detection.
Mechanism of the Malicious Payload
The injected malicious payload was ingeniously designed to execute prior to Trivy’s legitimate scanning logic. This sequencing ensured that compromised workflows appeared to complete normally, thereby evading immediate suspicion. During its covert execution, the malware actively harvested sensitive information from CI/CD environments. The targeted data included:
– API tokens
– Cloud provider credentials for AWS, Google Cloud Platform (GCP), and Azure
– SSH keys
– Kubernetes tokens
– Docker configuration files
This exfiltrated data was then transmitted to infrastructure controlled by the attackers, potentially facilitating further unauthorized access and exploitation.
Targeted User Base and Impact
The attack specifically targeted open-source users who relied on mutable version tags rather than pinned commit hashes. This approach exploited the common practice among developers of referencing version tags for updates, thereby increasing the reach and impact of the malicious code. Aqua Security has confirmed that its commercial products remain unaffected by this breach. The commercial platform is architecturally isolated from the compromised open-source environment, featuring dedicated pipelines, stringent access controls, and a controlled integration process that lags behind open-source releases to ensure stability and security.
Response and Remediation Efforts
In response to the breach, Aqua Security initiated a series of remediation actions:
1. Removal of Malicious Releases: All compromised releases were expunged from distribution channels, including GitHub Releases, Docker Hub, and Amazon Elastic Container Registry (ECR).
2. Credential Revocation: A comprehensive revocation of credentials across all environments was conducted. The team transitioned away from long-lived tokens to enhance security.
3. Implementation of Immutable Release Verification: To prevent future tampering, immutable release verification processes were established.
4. Deletion or Repointing of Compromised Version Tags: All affected version tags were either deleted or redirected to known-safe, verified commits.
These measures aim to restore the integrity of Trivy and prevent similar incidents in the future.
Community Collaboration and Ongoing Investigation
Aqua Security emphasized the critical role of the broader security community in mitigating the fallout from this attack. Research teams at Aikido Security and CrowdStrike were specifically acknowledged for their rapid technical publications, which accelerated community awareness and response efforts. Given that Trivy is an open-source project without a centralized record of its user base, this collaborative ecosystem response was essential in notifying downstream users of the active threat.
The investigation into the breach is ongoing, with indications that attackers are actively attempting to reestablish access. Over the weekend of March 21-22, additional suspicious activity consistent with the threat actor’s tactics was detected, suggesting a persistent and evolving campaign.
Recommendations for Users
Security teams are urged to take immediate action:
– Audit Environments: Identify and remove any instances of the compromised Trivy version.
– Update to Safe Releases: Ensure that all Trivy installations are updated to known-safe versions.
– Rotate Exposed Secrets: Treat all secrets accessible to affected runner environments as compromised and execute immediate rotation.
By implementing these measures, organizations can mitigate the risks associated with this supply chain attack and bolster their defenses against future threats.
