Aqua Security’s Trivy vulnerability scanner fell victim to a supply chain attack beginning in late February, causing significant concern within the cybersecurity community. The attack was officially confirmed on March 1 when Trivy’s GitHub repository was discovered to have been compromised due to a GitHub Actions workflow issue. This incident led to the deletion of some releases and the introduction of malicious versions of its VS Code extensions to the Open VSIX marketplace.
Details of the GitHub Repository Compromise
The breach was part of a broader automated campaign targeting multiple open source repositories through GitHub Actions workflows. This resulted in the injection of harmful natural-language prompts into two corrupt versions of Trivy’s VS Code extension. The attackers exploited credentials exfiltrated during the initial breach to orchestrate a subsequent supply chain attack affecting not only the Trivy package but also trivy-action and setup-trivy, as confirmed in a March 21 advisory.
According to Trivy’s maintainers, although credentials were rotated following the initial disclosure, not all were revoked simultaneously, allowing attackers to leverage a valid token to extract newly rotated secrets during a brief window. This enabled them to distribute a malicious Trivy release (version v0.69.4) through standard channels such as GitHub Container Registry, Amazon ECR Public, and Docker Hub.
Impact and Technical Analysis of the Attack
The attackers further manipulated 76 out of 77 trivy-action version tags, pushing them to malicious commits that included an information stealer designed to dump the Runner.Worker process memory and extract all secrets. The sophisticated malware encrypted the harvested data, transmitting it to a remote server. In cases of exfiltration failure, the malware created a public GitHub repository to upload the data.
Moreover, they targeted the setup-trivy releases by force-pushing all tags to malicious commits, utilizing the same infostealer. Technical insights into the attack and malware were provided by security firms Socket and Wiz. Despite these challenges, Aqua Security ensured that its commercial products using Trivy remained unaffected due to a controlled integration process that lags behind the open source version.
Response and Future Outlook
Aqua Security noted ongoing and evolving threats, with unauthorized changes and repository tampering detected as recently as March 22. They continue to focus on identifying and securing all potential access paths. In response, Trivy’s maintainers released clean versions of Trivy and its associated tools, urging users to rotate all credentials if compromised versions were used in their environments.
The attack has been linked to the threat actor TeamPCP, which has expanded its operations by targeting the NPM ecosystem with CanisterWorm malware. The group is known for financial motivations, emerging in late 2025, and targeting cloud-native infrastructures. This incident highlights the growing importance of securing the software supply chain to prevent similar attacks in the future.
