AquaSecurity Trivy, Supply Chain Attack, No CVE (Critical)

Listen to this Post

How the mentioned attack works (technical details):

The attacker leveraged previously compromised, non-atomically rotated credentials from a February 2026 breach. On March 19, they pushed a malicious commit (1885610c) swapping `actions/checkout` to an imposter commit (70379aad) that downloaded malicious Go source from a typosquatted domain. They added `–skip=validate` to GoReleaser to bypass binary validation, tagged the commit as v0.69.4, triggering the release pipeline. Malicious binaries and container images (GHCR, ECR, Docker Hub, deb/rpm, get.trivy.dev) were distributed. Simultaneously, they force-pushed 76 of 77 tags in `aquasecurity/trivy-action` to inject an infostealer into entrypoint.sh. The stealer dumps `Runner.Worker` process memory via /proc/<pid>/mem, sweeps 50+ paths for SSH keys, cloud credentials (AWS/GCP/Azure), Kubernetes tokens, Docker configs, `.env` files, DB creds, crypto wallets. Data is AES-256-CBC encrypted with RSA-4096, exfiltrated to C2. If exfiltration fails and `INPUT_GITHUB_PAT` is set, it creates a public `tpcp-docs` repo on the victim’s GitHub and uploads stolen data as a release asset. All 7 tags in `setup-trivy` (v0.2.0–v0.2.6) were force-pushed with the same stealer in action.yaml. On March 22, using separate compromised Docker Hub credentials, they published malicious images `aquasec/trivy:0.69.5` and `0.69.6` (same C2 domain) directly to Docker Hub, with no GitHub tags.

dailycve form:

Platform: GitHub, Docker
Version: v0.69.4-0.69.6
Vulnerability: Supply chain compromise
Severity: Critical
Date: 2026-03-19

Prediction: 2026-03-24

What Undercode Say:

Analytics & verification commands:

Verify binary signature (safe version)
cosign verify-blob \
--certificate-identity-regexp 'https://github\.com/aquasecurity/' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--bundle trivy_0.69.2_Linux-64bit.tar.gz.sigstore.json \
trivy_0.69.2_Linux-64bit.tar.gz
Check signing timestamp
date -u -d @$(jq -r '.verificationMaterial.tlogEntries[].integratedTime' trivy_0.69.2.sigstore.json)
Verify container image
cosign verify --certificate-identity-regexp 'https://github\.com/aquasecurity/' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--new-bundle-format ghcr.io/aquasecurity/trivy:0.69.2
Query Rekor for signing timestamps
rekor-cli search --sha "$DIGEST" | while read uuid; do rekor-cli get --uuid "$uuid" | grep IntegratedTime; done
Search for exfiltration artifact
gh repo list <org> --limit 500 | grep tpcp-docs

Exploit:

Attacker used stolen, non-atomic rotated credentials to force-push malicious tags, bypass GoReleaser validation (--skip=validate), and replace GitHub Action scripts. Infostealer executed pre-scan, dumping process memory and scanning filesystems for secrets, then exfiltrated via C2 `scan.aquasecurtiy.org` (45.148.10.212) or fallback public repo tpcp-docs.

Protection from this CVE:

  • Update to Trivy v0.69.2/v0.69.3, [email protected], [email protected].
  • Pin all GitHub Actions to full commit SHAs (not tags).
  • Rotate all secrets potentially exposed during March 19–23, 2026.
  • Audit workflows for `aquasecurity/trivy-action` and setup-trivy; check for `tpcp-docs` repos.
  • Use immutable release tags (GitHub’s immutable releases feature).
  • Verify binaries/images via Sigstore/cosign before use.

Impact:

Full credential theft (SSH, cloud, K8s, Docker, DB, crypto wallets), source code exposure, and supply chain propagation. Attackers can pivot to any environment where compromised Trivy or GitHub Actions ran, leading to data breaches, backdoors, and further malicious releases.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top