Trivy Vulnerability Scanner Faces Supply Chain Compromise
Aqua Security’s Trivy scanner has been compromised in a supply chain attack, raising alarm among developers. Users are urged to secure their systems immediately.
Hackers have successfully compromised nearly all versions of Aqua Security’s widely used Trivy vulnerability scanner amid an ongoing supply chain attack that poses significant risks for developers and organizations alike.
Itay Shakury, a maintainer of Trivy, confirmed the breach on Friday after speculation arose on a now-deleted discussion thread. The attack commenced early Thursday, allowing the threat actor to use stolen credentials to force-push malicious dependencies to almost all trivy-action tags and seven setup-trivy tags, with only one version remaining unaffected.
A force push is a Git command that bypasses safety mechanisms designed to prevent the overwriting of existing commits. Trivy is a vulnerability scanner employed by developers to identify flaws and mistakenly hardcoded authentication secrets in software development pipelines. With over 33,200 stars on GitHub, it is widely adopted in the industry.
Shakury advised users who may have operated a compromised version to treat all pipeline secrets as potentially compromised and to rotate them immediately. Security firms Socket and Wiz reported that the malware, activated through 75 compromised trivy-action tags, methodically searches development pipelines, including developer machines, for sensitive data such as GitHub tokens, cloud credentials, SSH keys, and Kubernetes tokens. The malware then encrypts this data and transmits it to a server controlled by the attackers.
According to Socket, any CI/CD pipeline that incorporates software referencing these compromised version tags will execute the malicious code as soon as the Trivy scan is initiated. Spoofed version tags include commonly used identifiers such as @0.34.2, @0.33, and @0.18.0, while version @0.35.0 appears to be unaffected.
Wiz researchers noted that the execution of the malicious binary runs both the legitimate Trivy service and the malicious code simultaneously. Initial analyses showed that the malicious code exfiltrates secrets using both primary and backup methods, and if it detects it is operating on a developer's machine, it writes a base64 encoded Python dropper for persistence.
The malicious process collects environmental variables and scans the system for any credentials stored in the filesystem, as well as enumerating the network interface. It then compresses and encrypts the data, attempting to exfiltrate it via a post request to https://scan.aquasecurtiy[.]org. If this attempt fails, the malware uses a stolen GITHUB_TOKEN to create a repository named tpcp-docs and post the stolen data there.
While the widespread compromise began on Thursday, it is linked to a previous breach last month involving the Aqua Trivy VS Code extension. Shakury explained that attackers managed to obtain credentials with write access to the Trivy GitHub account. Although maintainers rotated tokens and secrets in response, the process was not fully “atomic,” meaning some credential artifacts such as API keys and passwords were not thoroughly removed, allowing for potential malicious use.
Researchers from Socket pointed out that this lapse allowed the threat actor to conduct authenticated operations, including force-updating tags, without needing to exploit GitHub itself. The specific credential used in this phase has not been publicly disclosed, but the root cause is now understood to be residual access from the earlier credential compromise.
This compromise approach differs from traditional supply chain attacks, which typically involve using stolen credentials to introduce malicious code into a repository by pushing a new commit. The new method enabled the attack to evade detection by many standard defenses.
After gaining access to Trivy’s credentials, the attacker compromised the aquasecurity/trivy-action GitHub action not by pushing to a branch or creating a new release, which would have appeared in the commit history, but rather by force-pushing 75 existing version tags to point to malicious commits. This technique involved multiple layers of deception that warrant careful scrutiny.
Git tags serve as pointers to the SHA fingerprint of a commit. When GitHub Actions reference these tags, they resolve them to the specified commit. By force-updating the tags from legitimate commits to those written by the attacker, any workflow referencing them began automatically pulling the malicious versions.
Socket outlined the precise actions taken by the threat actor, who identified themselves as TeamPCP, including creating false commits that were pushed to actions/checkout and aquasecurity/trivy while impersonating other users. At 17:43:37 UTC, a tag in the Trivy repository was pushed, triggering a release that resulted in a malicious checkout fetching credential-stealing code from a typosquatted domain and the publication of backdoored binaries on GitHub Releases, Docker Hub, GHCR, and ECR. The maintainers have since removed these harmful artifacts.
The attacker also compromised a service account and exploited their access to push malicious workflows to traceeshark and trivy-action, stealing additional credentials from Aqua, including GPG keys and credentials for Docker Hub, Twitter, and Slack. These credentials were exfiltrated to a Cloudflare Tunnel command and control server.
At present, there have been no reported breaches affecting developers or organizations using the compromised Trivy scanner. Given the application’s popularity, thoroughness of the information-stealing capabilities, and the stealth of the operation, the potential consequences could be significant. All Trivy users are recommended to review the blog posts by Socket and Wiz and follow the outlined defensive measures.