## Aqua Security Trivy Supply Chain Attack: Malicious Releases & Tags Force-Pushed via Compromised Credentials
A sophisticated supply chain attack has compromised the core release infrastructure of Aqua Security's Trivy, a widely used open-source vulnerability scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release and executed a destructive force-push operation, overwriting 76 of the 77 version tags in the `aquasecurity/trivy-action` GitHub repository with credential-stealing malware. Simultaneously, all 7 tags in the related `aquasecurity/setup-trivy` repository were replaced with malicious commits. The attack escalated three days later when the same actor used compromised credentials to publish malicious Trivy v0.69.5 and v0.69.6 images to DockerHub.

The attack relied on compromised credentials that granted the threat actor direct publishing rights to official release channels. This allowed them to inject malware directly into the software supply chain, targeting the GitHub Actions (`trivy-action`) and Docker container ecosystems that thousands of development pipelines rely on for security scanning. Force-pushing version tags is a particularly aggressive tactic because it silently replaces previously trusted releases in place: a pipeline that references a tag rather than a commit SHA fetches the new malicious commit with no visible change, so the compromise is difficult to detect without specific integrity checks.

The exposure window for the initial malicious `trivy v0.69.4` release began on March 19, 2026, at 18:22 UTC. Any organization or developer that pulled the `aquasecurity/trivy-action` or `aquasecurity/setup-trivy` repositories, or the corresponding Docker images, during the active compromise period may have executed credential-stealing malware within their CI/CD environments. This incident underscores the critical risk posed by compromised maintainer credentials in major open-source security tools and will draw intense scrutiny to the release-integrity processes of foundational DevOps security software.

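
As an added illustration of the integrity check the text refers to (this is example code written for this summary, not tooling from Aqua Security or the advisory), the script below audits a GitHub Actions workflow for the two failure modes described above: `uses:` references to `aquasecurity/trivy-action` or `aquasecurity/setup-trivy` that point at a mutable tag or branch instead of a full commit SHA, and any reference to the Trivy image versions the advisory names as malicious. The workflow text is constructed for the example; the repository names and version numbers come from the advisory.

```python
import re

# Actions whose version tags the advisory says were force-pushed (from the advisory).
TAG_OVERWRITTEN_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}
# Trivy image versions the advisory names as malicious (from the advisory).
MALICIOUS_TRIVY_VERSIONS = {"0.69.4", "0.69.5", "0.69.6"}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
IMAGE_RE = re.compile(r"aquasecurity/trivy:v?([0-9][\w.-]*)")
# A full 40-hex commit SHA is content-addressed: a force-pushed tag cannot change
# what it resolves to. Tags and branches can be rewritten, so they are flagged.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Return (line_number, finding_kind, detail) for each risky reference."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            repo, _, version = ref.partition("@")
            owner_repo = "/".join(repo.split("/")[:2])  # drop any sub-path
            # No '@' at all means the default branch, which is mutable too.
            if owner_repo in TAG_OVERWRITTEN_ACTIONS and not SHA_RE.match(version):
                findings.append((lineno, "mutable-ref", ref))
        m = IMAGE_RE.search(line)
        if m and m.group(1) in MALICIOUS_TRIVY_VERSIONS:
            findings.append((lineno, "malicious-version", m.group(1)))
    return findings

# Constructed sample workflow (not a real project's file) mixing safe and risky refs.
CONSTRUCTED_WORKFLOW = """\
name: scan
jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: aquasecurity/trivy:0.69.5
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.2
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - run: docker run aquasecurity/trivy:0.69.4 image alpine:3.19
"""

if __name__ == "__main__":
    for lineno, kind, detail in audit_workflow(CONSTRUCTED_WORKFLOW):
        print(f"line {lineno}: {kind}: {detail}")
```

A SHA pin only helps if the pinned commit was recorded before the compromise window, so compare pins against a known-good inventory rather than against the repository's current tags.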
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: supply-chain-attack, open-source-security, github-actions, docker, ci-cd
- **Credibility**: unverified
- **Published**: 2026-04-17 02:22:34
- **ID**: 68550
- **URL**: https://whisperx.ai/en/intel/68550