Hackers have compromised virtually all versions of Aqua Security’s widely used Trivy vulnerability scanner in an ongoing supply chain attack that could have wide-ranging consequences for developers and organizations that rely on it.
Trivy maintainer Itay Shakury confirmed the compromise on Friday, following rumors and a deleted thread discussing the incident. The attack began early Thursday and involved stolen credentials being used to force-push all but one of the trivy-action tags and seven setup-trivy tags with malicious dependencies. A force push is a git operation that bypasses the default safeguard against non-fast-forward updates, allowing an existing branch or tag to be rewritten so that it points at different commits.
Security firms Socket and Wiz reported that code triggered by the 75 compromised trivy-action tags runs custom malware that thoroughly scours development pipelines for GitHub tokens, cloud credentials, SSH keys, Kubernetes tokens, and other secrets. Once found, the malware encrypts the data and sends it to an attacker-controlled server.
When executed, the malicious binary starts both the legitimate Trivy service and the malicious code in parallel. Wiz researchers noted that the malicious code exfiltrates secrets through a primary and a backup channel. If it determines that it is running on a developer machine, it writes a base64-encoded Python dropper for persistence. The compromise stems from a separate credential breach last month, in which attackers gained write access to Trivy’s GitHub account.
Socket explained that the attack technique used multiple layers of deception, allowing the compromise to go unnoticed by common defenses. The attacker force-updated 75 existing version tags to point at malicious commits without triggering notifications or adding anything to the visible commit history, so workflows that referenced those tags silently pulled the malicious code on their next run.
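Because a tag can be moved to a different commit without any visible change in the workflow that references it, the defensive check most relevant to this incident is whether a pipeline pins third-party actions to a full 40-character commit SHA instead of a mutable tag or branch. The following script is an added example written for this article, not code from Aqua Security, Socket or Wiz: it scans GitHub Actions workflow YAML for `uses:` entries and reports those that resolve through a mutable reference. The embedded workflow, the action versions and the commit SHA in it are constructed sample values, not real releases.

```python
import re

# One `uses:` line per step; captures the action path and the ref after '@'.
# Local actions (`uses: ./path`) and container actions (`uses: docker://...`)
# have no owner/repo@ref form and are intentionally not matched.
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)',
    re.MULTILINE,
)

# Only a full 40-hex-digit object id is immutable. Abbreviated SHAs are
# treated as mutable: they can become ambiguous as the repository grows.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_ref(ref: str) -> str:
    """Return 'sha' for a full commit SHA, otherwise 'mutable' (tag/branch)."""
    return "sha" if FULL_SHA_RE.match(ref) else "mutable"


def find_unpinned_actions(workflow_yaml: str) -> list[tuple[str, str]]:
    """List (action, ref) pairs whose ref a force-pushed tag could redirect.

    A tag-pinned action re-resolves the tag on every run, so an attacker who
    can move the tag controls what executes. A SHA-pinned action does not.
    """
    findings = []
    for match in USES_RE.finditer(workflow_yaml):
        action, ref = match.group(1), match.group(2)
        if classify_ref(ref) == "mutable":
            findings.append((action, ref))
    return findings


# Constructed sample workflow (hypothetical versions and SHA, for illustration).
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.99.0   # constructed tag, mutable
      - uses: aquasecurity/setup-trivy@v1        # constructed tag, mutable
"""

if __name__ == "__main__":
    for action, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref} (pin to a full commit SHA)")
```

Run against a real `.github/workflows/*.yml` file by reading it into `find_unpinned_actions`; each reported entry should be replaced with `owner/repo@<full-sha>` (conventionally followed by a `# vX.Y.Z` comment so the intended version stays readable), which removes the tag as a point of control.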