Hackers have compromised nearly all versions of Aqua Security’s Trivy vulnerability scanner in a widespread supply-chain attack. The breach, confirmed by maintainer Itay Shakury, began Thursday morning and involved forced pushes to manipulate critical GitHub tags.
The attack injected malicious dependencies into 75 trivy-action tags and seven setup-trivy tags. Malware activated during scans extracts secrets-GitHub tokens, cloud credentials, SSH keys, Kubernetes tokens-from development environments and exfiltrates them to attacker-controlled servers.
Affected versions include @0.34.2, @0.33, and @0.18.0. Only @0.35.0 remains uncompromised. Developers are advised to assume all pipeline secrets are exposed and rotate them immediately.
This incident threatens software integrity across industries relying on automated deployment workflows.