Trivy supply-chain compromise
A supply-chain attack hit Trivy’s GitHub Action tags, force-pushing 75 tags and deploying an infostealer that stole SSH keys, cloud creds and Kubernetes tokens from over 10,000 workflows—Socket Security urged pinning to v0.35.0 or SHAs after the second compromise this month. The incident directly impacts container and CI/CD scanning chains used across defense pipelines and demands immediate secret audits and rotations. (x.com)
The project’s security advisory confirms a poisoned Trivy release labeled v0.69.4 was published and that the safe fallback is v0.69.3. (github.com) The malicious Trivy release was pushed into multiple distribution channels including GitHub Container Registry (GHCR), Docker Hub, Amazon ECR Public, Debian/RPM packages, and get.trivy.dev. (github.com) GitHub’s timeline shows distinct exposure windows: the poisoned Trivy binary was present ~March 19, 18:22–~21:42 UTC (≈3 hours), the Trivy GitHub Action tags were tampered ~March 19, 17:43–March 20, ~05:40 UTC (≈12 hours), and setup-trivy was affected for ~4 hours on March 19. (github.com) Technical analysis indicates the attacker pushed an imposter commit (70379aad) that replaced actions/checkout, added a goreleaser flag (--skip=validate) to bypass binary validation, and loaded malicious Go sources from a typosquatted domain. (github.com) (snyk.io) Multiple research teams attribute the operation to the actor tracked as TeamPCP and report the incident resurrected credentials obtained in an earlier March compromise and abused the aqua-bot service account. (labs.boostsecurity.io) (thehackernews.com) GitHub notes that the original tags deleted during remediation cannot be re-created with the same names, while setup-trivy tags were safely re-created at v0.2.6; incident write-ups urge pinning installer commits to immutable SHAs and treating historical release rebuilds as non-trivial. (github.com) (socket.dev)
