Your Vulnerability Scanner Was Stealing Your Secrets: The Trivy Supply Chain Attack
If you run Trivy in your CI/CD pipelines — and at this point, a huge slice of the industry does — you need to stop what you're doing and check your version.
Aqua Security confirmed this week that threat actors successfully compromised the open-source Trivy vulnerability scanner's GitHub Actions distribution. The result: any pipeline that pulled Trivy by version tag instead of a pinned commit hash silently handed over its secrets while appearing to complete normally.
What Actually Happened
This wasn't a single breach event. The timeline matters.
In late February 2026, attackers obtained stolen credentials and gained initial access to Aqua's open-source repositories. On March 1, Aqua performed a credential rotation — but it was incomplete. The threat actors kept their foothold.
Then on March 22, suspicious activity was detected again. The attackers were re-establishing access. By the time Trivy version 0.69.4 was out in the wild, the malicious payload was already embedded in the `aquasecurity/trivy-action` and `setup-trivy` GitHub Actions repositories.
The attack vector was mutable version tags. The attackers used stolen credentials to force-push malicious commits to existing version tags. If your pipeline said `uses: aquasecurity/trivy-action@v0.19.0`, you weren't pulling an immutable artifact — you were pulling whatever that tag pointed to at runtime. After the force-push, that was the malicious build.
What the Payload Did
The malicious code executed before the legitimate Trivy scanning logic ran. Your security scan completed. Your pipeline went green. Meanwhile, in the background, the attacker had everything.
The payload targeted:
- AWS, GCP, and Azure credential files
- SSH private keys
- Kubernetes service account tokens and kubeconfig files
- Docker configuration files (including registry credentials)
- GitHub tokens from the Actions environment
Exfiltration went to `scan.aquasecurtiy[.]org` (typosquatted — note the transposed "t" and "i" in "security"), with a secondary tunnel at `plug-tab-protective-relay.trycloudflare.com`. For persistence that survives domain takedowns, the attackers used ICP blockchain infrastructure: `tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io`. That last one is particularly nasty — you can't get it taken down through standard channels.
Aqua has since engaged Sygnia for forensics, revoked all long-lived credentials, and removed the malicious artifacts.
This Was Connected to the LiteLLM Attack
Trivy didn't fail alone. CybrPulse tracked a parallel supply chain compromise hitting LiteLLM — a Python package with 95 million monthly downloads that proxies requests to 100+ LLM providers. The attack exploited LiteLLM's unpinned Trivy dependency to inject malware directly into PyPI packages 1.82.7 and 1.82.8.
Researchers who detonated the malicious package on a honeypot EC2 instance documented what happened: credential theft completed in under 2 seconds. A fork bomb crashed the system in 38 seconds. The malware queried IMDS, attempted to dump AWS Secrets Manager, and established systemd backdoors that survive `pip uninstall`.
The threat actor group, identified as TeamPCP, combined SHA pinning's blind spot (malicious commits from GitHub forks are still resolvable by SHA), a typosquatted C2 domain, and a compromised maintainer account. It's a sophisticated multi-stage operation, not an opportunistic grab.
What to Do Right Now
If you use open-source Trivy:
- Update the binary to 0.69.2 or 0.69.3 immediately
- Pin GitHub Actions to `trivy-action@v0.35.0` or `setup-trivy@v0.2.6`
- If any pipeline ran the v0.69.4 components: assume every secret that environment could access is compromised and rotate everything
Hunt for these IOCs:
- DNS queries to `scan.aquasecurtiy[.]org` (typosquatted)
- Outbound connections to `45.148.10.212`
- DNS lookups for `plug-tab-protective-relay.trycloudflare.com`
- Unauthorized GitHub repository creation named `tpcp-docs` in your organization
Fix your pipeline architecture:
Stop using mutable version tags for security-critical tooling. Pin to full commit SHA hashes. A version tag is a pointer — anyone who controls the repository can move it. A commit SHA is immutable.
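One way to find the references this advice applies to, as an added example that is not from the original article or from Aqua: a small auditor that reads workflow YAML and reports every `uses:` reference not pinned to a full 40-character commit SHA. The function names, the watchlist constant and the sample workflow (including its placeholder SHA) are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# A step- or job-level reference such as "- uses: owner/repo[/path]@ref  # note"
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}", re.I)
WATCHLIST = ("aquasecurity/trivy-action", "aquasecurity/setup-trivy")  # from the article

def classify(target):
    """Return 'local', 'pinned' or 'mutable' for the value of a uses: key."""
    if target.startswith("./"):
        return "local"  # action stored in this repository, versioned with the workflow
    if target.startswith("docker://"):
        return "pinned" if "@sha256:" in target else "mutable"
    _, sep, ref = target.rpartition("@")
    # Only a full 40-hex commit SHA counts; tags, branches and short SHAs do not.
    return "pinned" if sep and FULL_SHA_RE.fullmatch(ref) else "mutable"

def audit_workflow(text):
    """Return (line_number, reference, on_watchlist) for each mutable reference."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out step
        match = USES_RE.match(line)
        if match and classify(match.group(1)) == "mutable":
            target = match.group(1)
            action = target.split("@")[0].lower()
            findings.append((lineno, target, action.startswith(WATCHLIST)))
    return findings

# Constructed sample workflow; the 40-character SHA is a placeholder, not a real commit.
SAMPLE = """\
steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
  - uses: aquasecurity/trivy-action@v0.19.0
  - name: setup
    uses: aquasecurity/setup-trivy@main
  - uses: actions/setup-python@v5
  # - uses: aquasecurity/trivy-action@v0.1.0
  - uses: ./.github/actions/local-lint
"""

if __name__ == "__main__":
    sources = [(p, Path(p).read_text()) for p in sys.argv[1:]] or [("SAMPLE", SAMPLE)]
    for name, text in sources:
        for lineno, target, watched in audit_workflow(text):
            print(f"{name}:{lineno}: not pinned to a commit SHA: {target}" + ("  [named in this article]" if watched else ""))
```

Pass workflow file paths as arguments to audit them instead of the sample. A 40-hex ref only shows the reference is immutable; because fork commits are also resolvable by SHA, as described above, confirm each pinned commit belongs to the upstream repository's own history.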
The Broader Problem
This attack pattern isn't new, but the target selection is getting smarter. Compromising a vulnerability scanner is a force multiplier — the tool has legitimate reasons to exist in pipelines, runs with elevated permissions, and is explicitly trusted to touch sensitive environments.
Aqua's commercial platform was isolated and unaffected. That architectural separation — independent build systems, dedicated pipelines, no shared credentials with the open-source environment — is what contained the blast radius for paying customers.
For everyone running the open-source tooling in production pipelines without that separation: this is the risk model you're operating under. Act accordingly.