A complex supply chain attack has targeted Aqua Security's Trivy, a popular open-source vulnerability scanner. A threat actor used stolen credentials to publish malicious releases, turning a trusted security tool into a vehicle for large-scale credential theft across CI/CD pipelines.
The investigation into the incident is still ongoing and evolving, and the attackers are still using the stolen credentials against other systems. The breach began in late February 2026, when the attackers exploited a mistake in Trivy's GitHub Actions environment to obtain a privileged access token. The Trivy team disclosed the incident and rotated the credentials on March 1, but the remediation was not complete.
Type of Indicator | IOC Value | Recommended Action
Network C2 domain | scan.aquasecurtiy[.]org | Block at the network edge; review DNS query logs
Network IP address | 45.148.10[.]212 | Block at the firewall; look for outbound connections
Secondary C2 tunnel | plug-tab-protective-relay.trycloudflare.com | Review DNS logs for signs of lateral movement
GitHub exfiltration repo | tpcp-docs | Look for unauthorized repository creation in your GitHub org
ICP blockchain C2 | tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io | Block outbound icp0.io traffic at the perimeter
Compromised release | Trivy v0.69.4 | Check container registries and CI caches for the compromised version
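As an added example (not from the article or from the Trivy project), the triage script below applies the indicator table above to constructed DNS, proxy and GitHub audit log lines and to a list of Trivy versions pulled from CI caches; the log format and the sample lines are assumptions, and the indicator values are those listed on the page, stored defanged and refanged only for matching.

```python
# Indicators as listed in the article, kept defanged; refanged only for matching.
IOCS = {
    "c2_domain": "scan.aquasecurtiy[.]org",
    "c2_ip": "45.148.10[.]212",
    "secondary_c2": "plug-tab-protective-relay.trycloudflare.com",
    "icp_c2": "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io",
    "exfil_repo": "tpcp-docs",
}
COMPROMISED_TRIVY = "v0.69.4"  # the malicious release named in the article

# Constructed sample log lines (hypothetical format: timestamp host event value).
SAMPLE_LOG = [
    "2026-03-02T10:14:01Z runner-07 dns A registry.npmjs.org",
    "2026-03-02T10:14:05Z runner-07 dns A scan.aquasecurtiy.org",
    "2026-03-02T10:14:09Z runner-03 conn out 45.148.10.212:443",
    "2026-03-02T10:15:22Z runner-03 dns A plug-tab-protective-relay.trycloudflare.com",
    "2026-03-02T10:16:40Z github audit repo.create example-org/tpcp-docs",
]


def refang(value: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into its matchable form."""
    return value.replace("[.]", ".")


def scan_log_lines(lines):
    """Return (line_no, ioc_name, ioc_value) for every line that contains a listed indicator."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for name, value in IOCS.items():
            if refang(value) in line:
                hits.append((line_no, name, value))
    return hits


def find_compromised_trivy(versions):
    """Return the entries that match the compromised release, with or without a leading 'v'."""
    target = COMPROMISED_TRIVY.lstrip("v")
    return [v for v in versions if v.strip().lstrip("v") == target]


if __name__ == "__main__":
    for line_no, name, value in scan_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: {name} -> {value}")
    # Constructed list of versions found in CI caches.
    print("compromised Trivy builds:", find_compromised_trivy(["v0.69.3", "0.69.4", "v0.69.4"]))
```

The defanged values survive in the source and in any report you generate, so nothing in the script is a live link or address.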