Trivy GitHub Action Compromised by Tag Poisoning Attack, Threatens CI/CD Pipelines with Infostealer Malware

Trivy GitHub Action Compromised: Malicious Script Injection Threatens CI/CD Pipelines

In a significant security breach disclosed in late March 2026, attackers compromised the official Trivy GitHub Action (`aquasecurity/trivy-action`), a widely used tool in continuous integration and continuous deployment (CI/CD) pipelines. This incident marks the second compromise within the Trivy ecosystem in a single month, highlighting the escalating threats to software supply chains.

Understanding the Attack Mechanism

The perpetrators executed a sophisticated tag poisoning attack by force-pushing 75 out of 76 existing version tags to distribute a custom infostealer malware. By altering existing version tags without creating new releases, they minimized the chances of detection, as automated security alerts are typically triggered by new releases or branch updates. The attackers also spoofed Git commit metadata, cloning original author names, dates, and commit messages to make the malicious commits appear legitimate. Notably, version `@0.35.0` remained untouched and is considered safe.

Malware Execution and Data Exfiltration

The injected malicious script, a 204-line `entrypoint.sh` file, runs its own logic before the legitimate Trivy scan, which lets it operate stealthily. The infostealer operates in three stages:

1. Targeted Collection: On GitHub-hosted Linux environments, the malware uses passwordless `sudo` privileges to dump the `Runner.Worker` process memory, extracting secrets directly from the heap. On self-hosted runners, a comprehensive Python script scans the filesystem for sensitive data, including SSH keys, database credentials, CI/CD configuration files, and cryptocurrency wallet data.

2. Robust Encryption: The stolen data is compressed and encrypted using AES-256-CBC, and the AES key is wrapped with an RSA-4096 public key, so the payload stays unreadable in transit to anyone without the matching private key.

3. Stealthy Exfiltration: The malware attempts to exfiltrate the encrypted data via an HTTPS POST request to a typosquatted domain, `scan[.]aquasecurtiy[.]org`. If this primary channel fails, it uses the victim’s GitHub Personal Access Token to create a public repository named `tpcp-docs` and uploads the stolen data as a release asset.

Implications for the Software Supply Chain

This attack underscores the vulnerabilities inherent in software supply chains, particularly in widely used tools like Trivy. By compromising a trusted GitHub Action, attackers can infiltrate numerous CI/CD pipelines, potentially leading to widespread credential theft and unauthorized access to sensitive information.

Recommendations for Mitigation

To protect against such threats, organizations should:

– Verify Integrity: Regularly verify the integrity of GitHub Actions and other third-party tools used in CI/CD pipelines.

– Monitor for Anomalies: Implement monitoring to detect unusual activities, such as unexpected changes to version tags or unauthorized commits.

– Limit Privileges: Restrict permissions and access rights to minimize the potential impact of a compromised component.

– Update Regularly: Ensure all tools and dependencies are up to date with the latest security patches.
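
As an added example (not from the original article or from the Trivy project), one way to implement the tag monitoring recommended above is to diff two snapshots of `git ls-remote --tags` output and alert on any existing tag that now resolves to a different commit. The snapshots, tag names and SHAs below are constructed; because the comparison uses commit SHAs, cloned author names, dates and commit messages do not hide a moved tag.

```python
import re

SHA_RE = re.compile(r"[0-9a-f]{40}")

def parse_ls_remote(text):
    """Map tag name -> commit SHA from `git ls-remote --tags` output.
    Annotated tags are listed twice: the tag object, then a peeled
    `refs/tags/<name>^{}` line with the commit; the peeled commit wins.
    """
    tags, peeled = {}, set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not SHA_RE.fullmatch(parts[0]):
            continue  # blank or malformed line
        sha, ref = parts
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            name = name[:-3]
            tags[name] = sha
            peeled.add(name)
        elif name not in peeled:
            tags[name] = sha
    return tags

def diff_tags(baseline, current):
    """A 'moved' tag exists in both snapshots but resolves to a new commit."""
    moved = {t: (baseline[t], current[t])
             for t in baseline if t in current and baseline[t] != current[t]}
    return {"moved": moved,
            "removed": sorted(set(baseline) - set(current)),
            "added": sorted(set(current) - set(baseline))}

def _snap(rows):  # ls-remote style text from constructed (hex char, ref) pairs
    return "\n".join(f"{c * 40}\trefs/tags/{r}" for c, r in rows)

# Constructed snapshots: fake SHAs and hypothetical tag names, not real data.
BASELINE = _snap([("a", "v1.0.0"), ("b", "v1.1.0"), ("c", "v1.1.0^{}"),
                  ("d", "v1.2.0")])
CURRENT = _snap([("e", "v1.0.0"), ("f", "v1.1.0"), ("1", "v1.1.0^{}"),
                 ("d", "v1.2.0"), ("2", "v1.3.0")])

def report():
    return diff_tags(parse_ls_remote(BASELINE), parse_ls_remote(CURRENT))

if __name__ == "__main__":
    for tag, (old, new) in sorted(report()["moved"].items()):
        print(f"ALERT: tag {tag} moved {old[:12]} -> {new[:12]}")
```

In practice the two inputs would be the stored output of an earlier `git ls-remote --tags <repository URL>` run and a fresh one taken on a schedule.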

By adopting these practices, organizations can enhance the security of their software supply chains and mitigate the risks associated with such sophisticated attacks.