Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets

2026-03-20

1 min read

by info@thehackernews.com (The Hacker News)

Read Original

Get the latest tech trends every morning

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Endigest AI Core Summary

Trivy, an open-source vulnerability scanner by Aqua Security, suffered a second supply chain attack where 75 GitHub Actions version tags were hijacked to deliver CI/CD secret-stealing malware.

•Attacker force-pushed 75 of 76 version tags in aquasecurity/trivy-action and setup-trivy to point to malicious commits containing a Python infostealer payload.
•The stealer harvests environment variables, SSH keys, cloud credentials, Kubernetes tokens, Docker configs, and cryptocurrency wallet keys from GitHub Actions runners.
•Exfiltration is done via HTTP POST to scan.aquasecurtiy[.]org; if blocked, stolen data is staged in a public GitHub repo named 'tpcp-docs' using the victim's own PAT.
•Root cause was incomplete credential rotation from a prior incident (hackerbot-claw), allowing attackers to reuse compromised tokens.

Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets

Get the latest tech trends every morning

Endigest AI Core Summary

Related Articles

China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers

UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack

Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture