## Supply Chain Breach: Malicious Trivy v0.69.4 Release & 76+ GitHub Tags Hijacked via Compromised Credentials
A critical software supply chain attack has compromised the core security tools used by millions of developers. On March 19, 2026, a threat actor used stolen credentials to publish a malicious version of the popular vulnerability scanner Trivy (v0.69.4) and systematically hijacked 76 out of 77 version tags in the official `aquasecurity/trivy-action` GitHub repository, replacing them with credential-stealing malware. Simultaneously, all 7 tags in the related `aquasecurity/setup-trivy` repository were also swapped with malicious commits. This attack directly targeted the integrity of a foundational security tool, turning it into a vector for compromise.

The attack was not isolated. Three days later, on March 22, the same or a related actor again used compromised credentials to publish malicious Trivy v0.69.5 and v0.69.6 images to DockerHub, expanding the attack surface. The exposure window for the initial malicious `trivy v0.69.4` release began on March 19, 2026, at 18:22 UTC. This multi-pronged assault demonstrates a sophisticated understanding of CI/CD pipelines and dependency management, where automated updates to tools like `trivy-action` are common.

The implications are severe for any organization that automatically updates or has recently pulled these specific versions. The breach transforms a trusted security scanning step into a potential entry point, risking the theft of CI/CD secrets, source code, and cloud credentials. It represents a textbook software supply chain attack, exploiting the trust in maintainer credentials and automated workflows. This incident will force a widespread review of dependency pinning strategies and credential security for major open-source projects.
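Tag hijacking of the kind described above works only because a Git tag is a mutable pointer: `uses: aquasecurity/trivy-action@<tag>` silently follows wherever the tag is moved, while a full 40-hex commit SHA cannot be rewritten. The following check, written for this summary and not code from the Trivy project, scans a workflow file for `uses:` references that are not pinned to a commit SHA; the sample workflow and its refs are constructed for the example.

```python
"""Flag GitHub Actions `uses:` references pinned to a mutable ref (tag/branch).

A workflow step pinned to a tag pulls whatever commit the tag points at today,
which is exactly what a tag swap exploits. A step pinned to a 40-hex commit SHA
keeps running the commit it was reviewed with.
"""
import re

# Matches `uses: owner/repo[/path]@ref` lines; local (`./path`) and
# `docker://` references carry no `@ref` of this shape and are not matched.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_mutable_pins(workflow_text: str) -> list[dict]:
    """Return one finding per `uses:` line whose ref is not a full commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if FULL_SHA_RE.match(ref):
            continue  # immutable pin: moving a tag cannot change what runs
        findings.append({"line": lineno, "action": action, "ref": ref})
    return findings


# Constructed sample workflow: one SHA-pinned step (placeholder SHA) and two
# steps pinned to mutable refs; the tag/branch names are illustrative only.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
      - uses: aquasecurity/setup-trivy@master
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.30.0
        with:
          scan-type: fs
"""

if __name__ == "__main__":
    for f in find_mutable_pins(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']} is a mutable ref; pin to a commit SHA")
```

Run it against `.github/workflows/*.yml` in CI to fail the build on any third-party action that is not SHA-pinned; tools such as Dependabot can then bump the SHA deliberately rather than letting a tag move underneath the pipeline.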
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: supply-chain-attack, github-security, trivy, ci-cd, malware
- **Credibility**: unverified
- **Published**: 2026-04-16 19:22:56
- **ID**: 68061
- **URL**: https://whisperx.ai/en/intel/68061