Aqua Security has revealed a complex supply chain attack that put its popular open-source Trivy vulnerability scanner at risk, showing that modern CI/CD pipelines are very dangerous This article explores aquasecurity trivy. . The event didn't affect Aqua's business products, but it shows how attackers can use trusted development workflows to steal private information without anyone knowing.

Attack Overview: The people who attacked did not send out a separate malicious binary. Instead, they used stolen GitHub credentials to change existing repositories, like aquasecurity/trivy-action and setup-trivy. By force-pushing bad commits to existing version tags, they made sure that automated pipelines pulled bad code without knowing it. This method worked very well because a lot of companies use version tags (like v0.x) instead of immutable commit hashes in their CI/CD workflows.

So, the changed code was automatically downloaded by the pipelines without raising any red flags. The payload that was injected ran before Trivy's real scanning process started. This let workflows finish without a hitch, hiding the attack and letting data be stolen without anyone knowing.

The malware went after high-value secrets, such as: Cloud login information (AWS, GCP, Azure) Tokens and keys for APIs SSH keys that are private Tokens for Kubernetes service accounts Files for configuring Docker This level of access could allow lateral movement, privilege escalation, and full environment compromise because CI/CD pipelines often have wide access to infrastructure. Time and Persistence The first compromise happened in late February 2026. Aqua found that attackers could still get in because credential rotation wasn't finished on March 1. More suspicious activity on March 22 suggests attempts to reestablish persistence, which means this is a multi-stage operation.

Aqua has since canceled all compromised credentials, gotten rid of harmful files, and stopped using long-lived tokens. The company also hired Sygnia, a company that specializes in incident response, to help with forensic investigation and containment. Because of strict architectural separation, Aqua confirmed that its commercial platform was not affected.

The commercial build system is different from the open-source pipeline in that Works outside of GitHub Uses separate infrastructure and dedicated pipelines Enforces strict rules about who can get in Needs security reviews with gates This separation kept the bad code from getting to business customers.

Fixing and Reducing Damage If your company uses Trivy in automated workflows, you need to act right away: Update the Trivy binary to version 0.69.2 or 0.69.3. Use GitHub safely Versions of Action: trivy-action v0.35.0 or setup-trivy v0.2.6 If version 0.69.4 was run in any pipeline, change all of the secrets. If affected versions were used, security teams should assume that credentials were exposed.

Defenders should keep an eye on and block the following signs: Scan.aquasecurtiy[. ]org is the domain. IP Address: 45.148.10.212 Secondary C2: plug-tab-protective-relay.trycloudflare.com GitHub repo: tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io is an unauthorized creation of tpcp-docs ICP-based C2. These signs point to either active data exfiltration or an attacker who won't give up.

This event shows a major flaw in software supply chains: they depend on version tags that can change. Attackers took advantage of this trust model without adding new files or obvious signs.

A simple defensive fix, like tying dependencies to immutable commit SHA hashes, could have stopped the attack completely. For instance, using a specific commit makes sure that pipelines won't run code that isn't authorized, even if a tag is changed. As CI/CD pipelines become more valuable, companies need to treat them like sensitive infrastructure by using strict access control, monitoring, and dependency integrity validation.

Make ZeroOwl your favorite source in Google.