Trivy vulnerability scanner backdoored with credential stealer in supply chain attack

Attackers have compromised the widely used open-source Trivy vulnerability scanner, injecting credential-stealing malware into official releases and GitHub Actions used by thousands of CI/CD workflows. The breach could trigger a cascade of additional supply-chain compromises if impacted projects and organizations don’t rotate their secrets immediately.

The attack, disclosed by Trivy maintainers today, results from an earlier compromise announced late last month that also leveraged insecure GitHub Actions and impacted multiple projects. Security firms Socket and Wiz traced the root cause to an incomplete credential rotation after the first breach, allowing the attackers to return to Trivy’s environment and introduce malicious commits.

“If you suspect you were running a compromised version, treat all pipeline secrets as compromised and rotate immediately,” Trivy maintainer Itay Shakury wrote on GitHub.

Multiple components backdoored

Trivy, developed by Aqua Security, is one of the most widely used open-source vulnerability scanners, with over 32,000 GitHub stars and more than 100 million Docker Hub downloads. Developers use it to detect vulnerabilities and exposed secrets in their CI/CD pipelines and container images.

The attackers compromised three components of the Trivy project: trivy-action, the official GitHub Action for running Trivy scans in CI/CD workflows; setup-trivy, a helper action for installing the scanner; and the Trivy binary itself. Backdoored artifacts were published to GitHub releases, Docker Hub, the GitHub Container Registry, and the Amazon Elastic Container Registry.

According to Socket, 75 of 76 version tags in trivy-action were overwritten with malicious code, along with seven tags in setup-trivy. The only unaffected trivy-action tag was version 0.35.0. The compromised tags include widely used versions such as 0.34.2, 0.33.0, and 0.18.0.

“When the malicious binary is executed it starts both the legitimate trivy service and the malicious code in parallel,” Wiz researchers wrote in their analysis of the attack.

Attackers look for development secrets

On GitHub Actions runners, the credential stealer reads the process memory to extract secrets and searches the filesystem for SSH keys, cloud provider credentials, Kubernetes tokens, Docker registry configurations, and cryptocurrency wallets.

The stolen data is encrypted and sent to a typosquatted domain that mimics Aqua Security’s legitimate site. If this fails, the malware falls back to creating a public repository called “tpcp-docs” on the victim’s own GitHub account and uploading the encrypted data there.

According to Wiz, the attack also installs a persistent Python dropper on developer machines that connects to an attacker-controlled server every five minutes in search of additional payloads to execute.

Stealthy tag manipulation technique bypasses detection

Instead of creating new releases, which would trigger notifications, the attackers force-pushed existing version tags to point to new malicious commits. Git tags are pointers that reference a specific commit by its fingerprint. By overwriting where those pointers lead, any workflow referencing the tag begins pulling the attacker’s code.

To further avoid detection, the attackers cloned the original commit metadata such as author names, email addresses, timestamps, and messages, making the malicious commits appear identical to the legitimate ones they replaced. The forgery left subtle traces such as missing cryptographic signatures and inconsistent timestamp relationships.

The same tag manipulation technique was used in the compromise of the tj-actions/changed-files GitHub Action a year ago, which affected 23,000 repositories.

A lesson for victims

The initial Trivy compromise happened in late February when attackers exploited a misconfigured GitHub Actions workflow that had been present in the repository since October 2025. The workflow, triggered by external pull requests, ran with access to repository secrets, a dangerous pattern in GitHub Actions that has been documented before.

The attackers stole a personal access token (PAT) with write permissions and used it to delete releases, rename the repository, and publish a malicious Visual Studio Code extension. The Trivy maintainers rotated their credentials, but it seems the process missed some of them.

This failure, especially by a company that specializes in CI/CD security, should serve as a warning to organizations affected by this new attack, particularly because the malware is designed to steal the same type of credentials that could enable supply chain compromises in their own pipelines.

A recurring pattern

The Trivy compromise is the latest in a growing pattern of attacks targeting GitHub Actions and developers in general. The tj-actions/changed-files compromise last year used the same tag manipulation approach and was later traced to an upstream compromise of the reviewdog/action-setup action. Other incidents in 2025 included the GhostAction campaign, which stole over 3,000 secrets from 327 GitHub users, and an attack on the nx npm package that exploited a vulnerable pull_request_target workflow.

GitHub changed the default behavior of pull_request_target workflows in December 2025 to reduce the risk of exploitation, but the vulnerable workflow in the Trivy repository predated that change.

Organizations using Trivy should pin GitHub Actions to the full commit SHA hashes rather than version tags to prevent tag manipulation attacks. The safe versions are Trivy v0.69.3, trivy-action tag 0.35.0, and setup-trivy 0.2.6. Security teams should also search their GitHub accounts for repositories named tpcp-docs, which would indicate successful fallback exfiltration, and block the command-and-control domain and its IP address at the network perimeter.
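
As an added illustration (not code from Trivy, Socket, or Wiz), the following audit checks a workflow file for `uses:` references that are not pinned to a full 40-character commit SHA and compares Trivy action tags against the safe versions named above. It assumes the actions are referenced under the `aquasecurity/` organization; the function name, verdict labels, and sample workflow are constructed for this example.

```python
import re

# Safe tags as named in the article. Assumption: the actions are referenced
# under the aquasecurity/ organization on GitHub.
SAFE_TAGS = {
    "aquasecurity/trivy-action": {"0.35.0"},
    "aquasecurity/setup-trivy": {"0.2.6"},
}
# Matches `uses: owner/repo[/subpath]@ref`, with or without a leading list dash.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[^@\s'\"]*)?@([^\s'\"#]+)"
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def audit_workflow(text):
    """Return (line_no, action, ref, verdict) for every `uses:` reference."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1).lower(), m.group(2)
        if FULL_SHA_RE.fullmatch(ref):
            verdict = "pinned"  # immutable ref; a force-pushed tag cannot change it
        elif action in SAFE_TAGS:
            tag = ref.lstrip("v")  # tolerate both 0.2.6 and v0.2.6 spellings
            safe = tag in SAFE_TAGS[action]
            verdict = "mutable-tag-listed-safe" if safe else "tag-not-listed-safe"
        else:
            verdict = "mutable-ref"  # tag or branch on any other action
        findings.append((line_no, action, ref, verdict))
    return findings

# Constructed sample workflow; the 40-hex ref is a made-up placeholder SHA.
SAMPLE = """\
name: scan
on: push
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.6
      - uses: aquasecurity/trivy-action@0.33.0
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```

A `pinned` verdict only means the reference is immutable; the SHA itself still has to be checked against a commit known to be legitimate.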
