Trivy breach hits 1,000+ SaaS

- Aqua Security said attackers used a previously stolen credential on March 19 to publish malicious Trivy, trivy-action, and setup-trivy releases to users.
- Microsoft and CrowdStrike said 76 of 77 trivy-action tags were force-pushed to malicious commits, letting CI pipelines run credential-stealing code silently.
- Mandiant said more than 1,000 SaaS environments were already affected as the campaign spread beyond Trivy. (cyberscoop.com)

Trivy is a security scanner developers plug into build pipelines to check code and container images before release. On March 19, Aqua Security said attackers turned that scanner into a delivery path for malware. (trivy.dev) (github.com) Aqua said the attackers used a compromised credential to publish malicious releases of the core `trivy` binary, `trivy-action`, and `setup-trivy`. The company tied that March 19 activity to an earlier March 1 incident in which credentials were exfiltrated and containment was incomplete. (github.com) (aquasec.com)

Microsoft said the attackers force-pushed 76 of 77 version tags in `aquasecurity/trivy-action` and all seven tags in `aquasecurity/setup-trivy`. CrowdStrike said the poisoned tags let attacker code run first while the legitimate scanner still completed, so many workflows looked normal. (microsoft.com) (crowdstrike.com) That matters because GitHub Actions runners often hold cloud keys, deploy tokens, and other secrets needed to ship software. CrowdStrike said those runners commonly have access to repository code, configured secrets, and internal networks. (crowdstrike.com)

Aqua said the malicious `trivy` v0.69.4 release was available across GitHub Container Registry, Amazon Elastic Container Registry Public, Docker Hub, deb, rpm, and `get.trivy.dev` for about three hours on March 19. It also said malicious Docker Hub images `v0.69.5` and `v0.69.6` were later pushed on March 22 and exposed users for about 10 hours. (github.com) The immediate advice from Aqua was blunt: treat pipeline secrets as compromised and rotate them. The company told users to move to safe versions including `trivy` v0.69.3, `trivy-action` v0.35.0, and `setup-trivy` v0.2.6, or use commit-SHA-pinned references. (github.com)

The campaign did not stop at Trivy. Microsoft said the same operators expanded to Checkmarx KICS on March 23 and LiteLLM on March 24, while targeting Amazon Web Services Identity and Access Management keys, Google Cloud service-account keys, Azure environment variables, Kubernetes secrets, and database credentials. (microsoft.com) Wiz said LiteLLM was reached with credentials stolen during the Trivy breach. Socket separately said a self-replicating npm worm it calls CanisterWorm used stolen npm publish tokens from the same campaign to backdoor more than 29 packages. (wiz.io) (socket.dev)

By late March, Mandiant Consulting CTO Charles Carmakal said more than 1,000 SaaS environments were actively dealing with the fallout. He said that total could rise by another 500, another 1,000, or even 10,000 as downstream victims uncover stolen access and follow-on compromises. (cyberscoop.com) (theregister.com)

Aqua said it found no indication that its commercial products were affected because those systems are built and operated separately from the compromised open-source environment. The open-source side, though, showed how one trusted scanner in a build pipeline could become a quiet credential thief across thousands of software environments. (aquasec.com)
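As an added illustration of the commit-SHA pinning advice above (example code, not from Aqua or any of the sources cited), the script below audits a constructed GitHub Actions workflow and flags every `uses:` reference that points at a mutable tag or branch rather than a full commit SHA, rating references to the two actions whose tags were force-pushed as high severity. The 40-character hash in the sample is a placeholder, not a real `trivy-action` commit.

```python
import re
from typing import List, Tuple

# Constructed sample workflow (not a real project file): one tag-pinned use of
# setup-trivy, one SHA-pinned use of trivy-action with a version comment, and
# one tag-pinned third-party action for contrast.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install scanner
        uses: aquasecurity/setup-trivy@v0.2.6
      - name: Run Trivy (SHA-pinned; hash below is a placeholder, not a real commit)
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # v0.35.0
        with:
          scan-type: fs
"""

# Actions whose version tags were force-pushed in the incident described above.
WATCHED = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

# Matches "uses: owner/repo[/subpath]@ref" on a step line; captures owner/repo and ref.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[\w./-]+)?@(\S+)", re.M)
# A full 40-hex-digit commit SHA is the only immutable reference form.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text: str) -> List[Tuple[str, str, str]]:
    """Return (action, ref, severity) for every step pinned to a mutable ref.

    Severity is 'high' for the actions hit in this campaign and 'medium' for any
    other action, since a tag or branch can be moved by whoever controls the repo.
    """
    findings = []
    for action, ref in USES_RE.findall(text):
        if SHA_RE.match(ref):
            continue  # immutable commit pin; a force-pushed tag cannot redirect it
        severity = "high" if action in WATCHED else "medium"
        findings.append((action, ref, severity))
    return findings

if __name__ == "__main__":
    for action, ref, sev in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{sev}: {action}@{ref} is a mutable ref; pin to a full commit SHA")
```

Point the function at each file under `.github/workflows/` to find every step that a tag rewrite could silently redirect.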
