Listen to this Post
The vulnerability stems from a supply chain attack where a threat actor used compromised credentials to push a malicious Trivy v0.69.4 release, overwrite 76 of 77 tags in the `aquasecurity/trivy-action` repository with credential‑stealing malware, and replace all seven tags in `aquasecurity/setup-trivy` with malicious commits. The attack exploited a non‑atomic credential rotation performed after an initial disclosure on March 1, 2026; because not all credentials were revoked simultaneously, a valid token remained active for several days, allowing the attacker to exfiltrate newly rotated secrets and retain access. The malicious code in the affected components (Trivy binary v0.69.4, `trivy-action` tags 0.0.1–0.34.2, and `setup-trivy` tags 0.2.0–0.2.6) was designed to steal secrets from CI/CD pipelines. The presence of a repository named `tpcp-docs` in a GitHub organization indicates that the fallback exfiltration mechanism was triggered and secrets were successfully stolen. Safe versions are Trivy v0.69.2/v0.69.3, `trivy-action` v0.35.0, and `setup-trivy` v0.2.6 (after the safe commit). The attack vector was external (AV:N), required low privileges (PR:L), and had high impact on confidentiality, integrity, and availability (VC:H/VI:H/VA:H) as well as on the supply chain (SC:H/SI:H/SA:H), earning a CVSS 4.0 score of 9.4 (Critical).
Platform: GitHub Actions / Trivy
Version: 0.69.4, 0.0.1‑0.34.2, 0.2.0‑0.2.6
Vulnerability: supply chain compromise
Severity: Critical
date: March 19, 2026
Prediction: Already fixed Mar 20, 2026
What Undercode Say:
Check if a compromised version was used in your workflows
gh api repos/{owner}/{repo}/actions/runs --paginate | jq '.workflow_runs[] | select(.created_at >= "2026-03-19") | {id, name, conclusion, created_at, head_sha}'
List all repositories that reference mutable tags (bad practice)
gh search repos --owner {org} --filename .github/workflows/.yml --match "uses: aquasecurity/trivy-action@v" --limit 100
Look for the exfiltration indicator repository
gh api orgs/{org}/repos --paginate | jq '.[] | select(.name == "tpcp-docs")'
Verify all Trivy images pulled on March 19–20
docker images | grep trivy | grep 0.69.4
Rotate all secrets exposed to affected pipelines (example for GitHub)
gh secret list --repo {owner}/{repo} --json name | jq -r '.[].name' | while read secret; do gh secret delete "$secret" --repo {owner}/{repo}; done
Exploit:
The attacker used a valid GitHub token (retained during a non‑atomic credential rotation) to force‑push malicious commits to all tags of `aquasecurity/trivy-action` and aquasecurity/setup-trivy, and to publish a malicious Trivy v0.69.4 binary and container image. Any CI/CD pipeline that referenced a mutable tag (e.g., v0.69.4, v0.34.2, v0.2.6) automatically downloaded and executed the malware, which exfiltrated environment secrets. The fallback mechanism created a repository named `tpcp-docs` in the victim’s organization to confirm successful theft.
Protection from this CVE:
- Immediately rotate all secrets accessible to any pipeline that may have used the affected versions.
- Pin GitHub Actions to immutable commit SHAs instead of version tags (e.g.,
uses: aquasecurity/trivy-action@abc123...). - Review workflow run logs from March 19–20, 2026 for any unexpected behavior or the creation of
tpcp-docs. - Use only known safe versions: Trivy 0.69.2/0.69.3, `trivy-action` 0.35.0, and `setup-trivy` 0.2.6 (recreated commit).
- Enforce atomic credential rotation by revoking all existing tokens simultaneously before issuing new ones.
Impact:
Critical supply chain breach allowing full compromise of CI/CD secrets (including cloud credentials, API keys, and tokens) in any environment that used the compromised versions. Attackers could gain persistent access, pivot to production systems, and exfiltrate sensitive data. The malicious code was designed to stealthily steal secrets, with the `tpcp-docs` repository serving as a clear indicator of successful exfiltration.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode

