Trivy Supply Chain Attack Exposes CI/CD Secrets in Second Breach Within Weeks
A widely used open source security tool at the center of modern software pipelines has been compromised again, raising new concerns about how attackers are targeting the software supply chain to access sensitive developer infrastructure.
Trivy, the vulnerability scanner maintained by Aqua Security, was recently exploited to distribute malware through its official GitHub Actions integrations. The incident marks the second breach involving the project in less than a month, signaling a persistent and evolving threat against CI/CD ecosystems.
Security researchers discovered that attackers tampered with trusted version tags in the repositories powering Trivy’s GitHub Actions. These integrations are commonly used by developers to scan container images and automate security checks during software builds. By manipulating version references, the attackers turned a routine dependency into a covert delivery channel for an infostealer.
"We identified that an attacker force-pushed 75 out of 76 version tags in the aquasecurity/trivy-action repository, the official GitHub Action for running Trivy vulnerability scans in CI/CD pipelines," said Socket researcher Philipp Burckhardt. "These tags were modified to serve a malicious payload, effectively turning trusted version references into a distribution mechanism for an infostealer."
Once executed inside GitHub Actions runners, the malware targeted high-value secrets embedded in development environments. These included SSH keys, cloud credentials, Kubernetes tokens, Docker configurations, database access strings, and even cryptocurrency wallets. The payload systematically collected environment variables and configuration files, encrypted the data, and transmitted it to attacker-controlled infrastructure.
Researchers say the compromise was not the result of a flaw in GitHub itself, but rather the abuse of legitimate credentials. With sufficient access, the attacker was able to rewrite version tags without triggering traditional release workflows.
"So in this case, the attacker didn't need to exploit Git itself," Burckhardt explained. "They had valid credentials with sufficient privileges to push code and rewrite tags, which is what enabled the tag poisoning we observed."
The breach appears to be linked to an earlier incident involving an automated attack tool that harvested access tokens from Trivy’s development workflows. That prior compromise allowed attackers to gain control of parts of the repository and publish malicious artifacts. According to Aqua Security, incomplete containment of that incident may have enabled this second wave.
"We rotated secrets and tokens, but the process wasn't atomic, and attackers may have been privy to refreshed tokens," said Itay Shakury, vice president of open source at Aqua Security. "We are now taking a more restrictive approach and locking down all automated actions and any token in order to thoroughly eliminate the problem."
The malware operates in multiple stages, beginning with harvesting sensitive data from memory and the file system. It then encrypts the information and attempts to exfiltrate it to a remote server. If that process fails, the attacker leverages compromised GitHub credentials to store the stolen data in public repositories, creating a fallback channel that blends into normal developer activity.
There are indications that the threat actor may be tied to a cloud-focused cybercrime group known for targeting modern infrastructure and monetizing stolen credentials. However, attribution remains uncertain, and researchers caution that some signals could be intentionally misleading.
The impact of the breach may extend beyond Trivy itself. Early findings suggest that stolen credentials have already been used to tamper with downstream software packages, including npm libraries that were modified to include self-propagating malicious code.
Security experts say the incident underscores a growing shift in attacker strategy. Rather than exploiting individual applications, adversaries are increasingly targeting the tools and automation pipelines that developers trust implicitly.
To reduce exposure, organizations are being urged to move away from version tags and instead pin dependencies to immutable commit hashes. They are also advised to immediately rotate any secrets that may have been exposed and monitor for unusual activity across cloud and development environments.
"Pin GitHub Actions to full SHA hashes, not version tags," said Wiz researcher Rami McCarthy. "Version tags can be moved to point at malicious commits, as demonstrated in this attack."
As software delivery pipelines become more automated and interconnected, incidents like this highlight a difficult reality. The tools designed to secure applications are themselves becoming prime targets.


