Trivy v0.69.4 Software Supply Chain Attack: What You Need To Know

By
Artur Oleyarsh
March 23, 2026

Recently, the open-source software community joined forces to investigate an attack campaign against Aqua's Trivy open-source security scanner. Using compromised credentials, a threat actor was able to publish a malicious version of Trivy and to tamper with a few related projects, which we cover in this blog post.

Because the Trivy scanner is widely used by security teams, we want affected clients and readers to be aware of this issue. This post goes over incident details and what to do if you are affected. 

As of writing this, the investigation is still in process and details are subject to change.

Trivy v0.69.4 Compromise: What happened?

In March 2026, a threat actor launched a software supply chain attack campaign against several of Aqua's Trivy projects across the open-source ecosystem. With the compromised credentials, the threat actor was able to publish a malicious Trivy v0.69.4 release, force-push 76 of the 77 version tags in aquasecurity/trivy-action to commits carrying infostealer malware, and replace 7 tags in aquasecurity/setup-trivy with malicious commits.

Prior Trivy GitHub Actions Workflow Attack: Early March 2026

Aqua believes the current campaign is a follow-up to an incident in early March 2026 in which Trivy was attacked through a GitHub Actions workflow (since fixed); this link has not yet been confirmed.

During the earlier incident:

  1. The repository's visibility was changed to private and it was renamed to aquasecurity/private-trivy
  2. GitHub releases from 0.27 through 0.69.1 were deleted, together with the Discussions and Assets associated with those releases
  3. A malicious artifact was built for Trivy's VS Code extension and pushed to the Open VSX marketplace (the artifact has since been removed and the token used to publish it revoked)
  4. Users who may be affected are those who installed Trivy:
    • directly from the GitHub releases page
    • from get.trivy.dev
    • via the install script
    • via trivy-action

Trivy v0.69.4 Supply Chain Compromise: Technical Breakdown

After Aqua's attempt to mitigate the earlier incident, the threat actor created a pair of imposter commits that were not attached to any branch and are reachable only by SHA:

Malicious actions/checkout commit

A commit was pushed to actions/checkout, one of the most widely used GitHub Actions. Spoofing the identity of the GitHub user rauchg (Guillermo Rauch, CEO of Vercel), the threat actor made it look like a legitimate fix commit. As the screenshot of the diff shows, the change in fact does the following:

  1. Switches the action's runner from Node.js to composite, which lets the attacker chain multiple steps, including arbitrary shell commands.
  2. Checks out the Trivy repository with full history.
  3. Downloads malicious Go source files from a typosquatted domain controlled by the threat actor, https://scan.aquasecurtiy.org/static (note the typosquat: aquasecurtiy instead of aquasecurity):
    • cmd/trivy/main.go - replaces Trivy's entrypoint
    • cmd/trivy/scand.go - the infostealer scanning component
    • cmd/trivy/fork_unix.go and cmd/trivy/fork_windows.go - platform-specific forking logic
    • .golangci.yaml - most likely to suppress linter warnings about the injected code
  4. Appends &> /dev/null to each command to suppress all output and keep the step silent.
  5. Backdates the commit so the change appears to have been made some time ago.

Subsequent aquasecurity/trivy commit

In the aquasecurity/trivy repository, the attacker then swapped the actions/checkout reference in the release workflow to point at the imposter commit described above, hijacking the checkout step so that the build pipeline would fetch and compile the attacker's credential-stealing code instead of the real Trivy scanner. The threat actor also added release --skip=validate to the goreleaser invocation to bypass binary validation.

(Screenshots in the original post: poisoning actions/checkout, pointing it at the imposter commit, and bypassing binary validation with --skip=validate.)

Tag Hijack and Release Pipeline Trigger (v0.69.4)

On March 19, 2026, the threat actor pushed the 0.69.4 tag pointing to the malicious aquasecurity/trivy commit, which triggered the release pipeline. The poisoned build was then distributed through Trivy's regular distribution channels:

  • GHCR
  • ECR Public
  • Docker Hub (both the 0.69.4 and latest tags)
  • deb/rpm packages
  • get.trivy.dev

Infostealer and Data Exfiltration

The infostealer delivered with the attack searches for and exfiltrates the following:

  1. System reconnaissance data
  2. SSH private keys
  3. .git-credentials and .gitconfig (stored passwords for Git operations)
  4. Cloud credentials (AWS, GCP, Azure): it sweeps up AWS credentials and config files, queries the AWS instance metadata service (IMDS) for IAM role tokens, collects Google Cloud and Azure credentials from their standard config directories, and grabs any related environment variables
  5. Kubernetes secrets: kubeconfig files, service account tokens and certificates; it also runs kubectl get secrets --all-namespaces to dump every secret in the cluster
  6. Docker and registry auth: Docker config files that hold registry login tokens (Docker Hub, GHCR, ECR, etc.)
  7. Environment files: .env, .env.production, .env.local and similar, searched across the entire filesystem up to 6 directories deep; these commonly hold API keys and database passwords
  8. Database credentials: config and password files for MySQL, PostgreSQL, MongoDB, Redis, and LDAP
  9. CI/CD secrets: terraform.tfvars and Terraform state files (which often contain secrets in plaintext), GitLab CI configs, Travis CI configs, Jenkinsfiles, and Drone CI configs
  10. TLS/SSL private keys: everything under /etc/ssl/private
  11. Cryptocurrency wallets: wallet files and private keys for Bitcoin, Ethereum, Solana, Cardano, Litecoin, Dogecoin, Zcash, Dash, Ripple, and Monero; it is especially thorough with Solana, searching for validator keypairs, vote account keys, and Anchor project deploy keys
  12. Webhook URLs and API keys: a grep over the filesystem for Slack webhooks, Discord webhooks, and anything matching patterns such as api_key or access_token
  13. System auth data: /etc/passwd, /etc/shadow (password hashes), and recent successful SSH login logs
  14. Shell history: bash, zsh, MySQL, PostgreSQL, and Redis command histories (developers often accidentally type passwords into terminals)
  15. VPN configs: WireGuard configurations, plus an attempt to dump the active WireGuard settings

It then encrypts everything it collected and exfiltrates it to the attacker-controlled endpoint mentioned above, scan.aquasecurtiy.org.

The trivy-action and setup-trivy GitHub Actions were also targeted by this campaign.

Trivy v0.69.4: Affected Versions

  1. github.com/aquasecurity/trivy (Go): =0.69.4
  2. aquasecurity/trivy-action (GitHub Actions): <0.35.0
  3. aquasecurity/setup-trivy (GitHub Actions): <0.2.6

Trivy v0.69.4: Patched Versions

  1. github.com/aquasecurity/trivy (Go): 0.69.3
  2. aquasecurity/trivy-action (GitHub Actions): 0.35.0
  3. aquasecurity/setup-trivy (GitHub Actions): 0.2.6

Trivy v0.69.4: Who is affected?

You are affected if you used any of the following components:

Trivy binary and container images:

  • Trivy v0.69.4 binaries or packages distributed via GitHub releases, deb, or rpm.
  • Trivy v0.69.4 container images distributed via GHCR, ECR Public, or Docker Hub (including the latest tag while it pointed at 0.69.4).

aquasecurity/trivy-action GitHub Action:

  • Any version tag other than 0.35.0 (0.0.1 through 0.34.2) used to reference the action.
  • The action's version: latest input set explicitly (it is not the default) during the window in which the malicious Trivy binary was available.
  • SHA pinning to a commit prior to 2025-04-09.

aquasecurity/setup-trivy GitHub Action:

  • You are affected if you use any version without pinning.

IoC: Indicators of Compromise for Trivy v0.69.4 Attack

Commits that might still be reachable by SHA:

  1. actions/checkout @ 70379aad1a8b40919ce8b382d3cd7d0315cde1d0
  2. aquasecurity/trivy @ 1885610c6a34811c8296416ae69f568002ef11ec
  3. Malicious commits referenced by the hijacked tags (credit to socket.dev for collecting and publishing this data):
Ecosystem Namespace Name Version(commit SHA) Detected(UTC)
github aquasecurity setup-trivy 8afa9b9f9183b4e00c46e2b82d34047e3c177bd0 2026-03-19T19:14:09.370Z
github aquasecurity setup-trivy 386c0f18ac3d7f2ed33e2d884761119f4024ff8a 2026-03-19T19:14:02.086Z
github aquasecurity setup-trivy 384add36b52014a0f99c0ab3a3d58bd47e53d00f 2026-03-19T19:14:03.297Z
github aquasecurity setup-trivy 7a4b6f31edb8db48cc22a1d41e298b38c4a6417e 2026-03-19T19:14:00.798Z
github aquasecurity setup-trivy 6d8d730153d6151e03549f276faca0275ed9c7b2 2026-03-19T19:14:00.925Z
github aquasecurity setup-trivy 99b93c070aac11b52dfc3e41a55cbb24a331ae75 2026-03-19T19:14:07.906Z
github aquasecurity setup-trivy f4436225d8a5fd1715d3c2290d8a50643e726031 2026-03-19T19:14:08.534Z
github aquasecurity trivy-action f4f1785be270ae13f36f6a8cfbf6faaae50e660a 2026-03-19T19:15:41.417Z
github aquasecurity trivy-action 0891663bc55073747be0eb864fbec3727840945d 2026-03-19T19:15:41.773Z
github aquasecurity trivy-action 2e7964d59cd24d1fd2aa4d6a5f93b7f09ea96947 2026-03-19T19:15:41.235Z
github aquasecurity trivy-action ddb9da4475c1cef7d5389062bdfdfbdbd1394648 2026-03-19T19:15:39.656Z
github aquasecurity trivy-action 4209dcadeaea6a7df69262fef1beeda940881d4d 2026-03-19T19:15:54.161Z
github aquasecurity trivy-action f5c9fd927027beaa3760d2a84daa8b00e6e5ee21 2026-03-19T19:16:01.766Z
github aquasecurity trivy-action 18f01febc4c3cd70ce6b94b70e69ab866fc033f5 2026-03-19T19:16:01.467Z
github aquasecurity trivy-action bb75a9059c2d5803db49e6ed6c6f7e0b367f96be 2026-03-19T19:16:02.678Z
github aquasecurity trivy-action d488f4388ff4aa268906e25c2144f1433a4edec2 2026-03-19T19:16:05.760Z
github aquasecurity trivy-action 3c615ac0f29e743eda8863377f9776619fd2db76 2026-03-19T19:16:13.759Z
github aquasecurity trivy-action a9bc513ea7989e3234b395cafb8ed5ccc3755636 2026-03-19T19:16:19.785Z
github aquasecurity trivy-action 8519037888b189f13047371758f7aed2283c6b58 2026-03-19T19:16:20.793Z
github aquasecurity trivy-action 2f10439b5f4d8577fd445381e0f652f31ad2c015 2026-03-19T19:16:19.035Z
github aquasecurity trivy-action e3e396f2f88754f374f5f4f95f2eb27043800af5 2026-03-19T19:16:31.422Z
github aquasecurity trivy-action 633348e88993be4a9ffb03164f532ef3793d18b6 2026-03-19T19:16:32.038Z
github aquasecurity trivy-action 15f91e30aa0b49f11f8eed9980d123138de4c863 2026-03-19T19:16:31.035Z
github aquasecurity trivy-action b9faa60f85f6f780a34b8d0faaf45b3e3966fdda 2026-03-19T19:27:12.878Z
github aquasecurity trivy-action ab6606b76e5a054be08cab3d07da323e90e751e8 2026-03-19T19:27:14.766Z
github aquasecurity trivy-action a5b4818debf2adbaba872aaffd6a0f64a26449fa 2026-03-19T19:27:20.670Z
github aquasecurity trivy-action e53b0483d08da44da9dfe8a84bf2837e5163699b 2026-03-19T19:27:13.350Z
github aquasecurity trivy-action 8aa8af3ea1de8e968a3e49a40afb063692ab8eae 2026-03-19T19:27:24.323Z
github aquasecurity trivy-action 91d5e0a13afab54533a95f8019dd7530bd38a071 2026-03-19T19:27:23.376Z
github aquasecurity trivy-action 794b6d99daefd5e27ecb33e12691c4026739bf98 2026-03-19T19:27:25.336Z
github aquasecurity trivy-action 9ba3c3cd3b23d033cd91253a9e61a4bf59c8a670 2026-03-19T19:27:30.970Z
github aquasecurity trivy-action e0198fd2b6e1679e36d32933941182d9afa82f6f 2026-03-19T19:27:34.838Z
github aquasecurity trivy-action 9738180dd24427b8824445dbbc23c30ffc1cb0d8 2026-03-19T19:27:37.528Z
github aquasecurity trivy-action 3201ddddd69a1419c6f1511a14c5945ba3217126 2026-03-19T19:27:37.739Z
github aquasecurity trivy-action 985447b035c447c1ed45f38fad7ca7a4254cb668 2026-03-19T19:28:19.711Z
github aquasecurity trivy-action 3d1b5be1589a83fc98b82781c263708b2eb3b47b 2026-03-19T19:28:31.412Z
github aquasecurity trivy-action fd090040b5f584f4fcbe466878cb204d0735dcf4 2026-03-19T19:28:38.433Z
github aquasecurity trivy-action 85cb72f1e8ee5e6e44488cd6cbdbca94722f96ed 2026-03-19T19:28:43.158Z
github aquasecurity trivy-action cf1692a1fc7a47120e6508309765db7e33477946 2026-03-19T19:28:43.860Z
github aquasecurity trivy-action 1d74e4cf63b7cf083cf92bf5923cf037f7011c6b 2026-03-19T19:28:50.014Z
github aquasecurity trivy-action c19401b2f58dc6d2632cb473d44be98dd8292a93 2026-03-19T19:28:57.055Z
github aquasecurity trivy-action 7a8d78cd86dce3cc81c6c9df96009cad35795a31 2026-03-19T19:29:07.437Z
github aquasecurity trivy-action 1fb704d4205cceefef49e08d150dfddbb1c83a3f 2026-03-19T19:29:13.172Z
github aquasecurity trivy-action ab8d94f4f4030f0e08fe058ede6bc62218ec9df0 2026-03-19T19:29:13.426Z
github aquasecurity trivy-action e4e1a02b12157b2e55348ec3d0c8b84d2f76bce2 2026-03-19T19:29:23.143Z
github aquasecurity trivy-action b219d22cc6f0b0d03cb6918c9dfacf2fd71f9f0b 2026-03-19T19:29:29.464Z
github aquasecurity trivy-action 24d5b52a5ac2b5c0a5aa755ce3ed6c6c14ea09a4 2026-03-19T19:29:34.663Z
github aquasecurity trivy-action a0d03908400f6d233fae53e0e4d39fdf3df66136 2026-03-19T19:29:39.934Z
github aquasecurity trivy-action 8d6f77e4271f5d93020f13d4f52e0a1f682f1db7 2026-03-19T19:29:44.744Z
github aquasecurity trivy-action fb58e54a83763c7b1e2efabfcbbe510820ef0f97 2026-03-19T19:29:52.042Z
github aquasecurity trivy-action af822bc8c12f6a7e5bd34ea924eaef4f9653fb18 2026-03-19T19:30:00.399Z
github aquasecurity trivy-action 157c43c7ecda3f4cd25b2df33d4f257cd82f71d1 2026-03-19T19:30:00.783Z
github aquasecurity trivy-action 695ed6bceff6daa55e0bb6b58f1724f687c8e9bc 2026-03-19T19:30:07.571Z
github aquasecurity trivy-action 335fd95aaf82d4f5109c558755478f166e2da120 2026-03-19T19:30:12.452Z
github aquasecurity trivy-action 39f1d660af5f1d414756f90629aa4d7b64eb3dab 2026-03-19T19:30:12.155Z
github aquasecurity trivy-action 7ecb03dcf441fbc69fc9af93b2d3f95e1d3546af 2026-03-19T19:30:17.851Z
github aquasecurity trivy-action d2775c1cb44d5b8e4d21dad38f0882d912f6e9dd 2026-03-19T19:30:24.927Z
github aquasecurity trivy-action 4414c5d81fa85eb0ed6f4c4e8a2ff7f0b242f7df 2026-03-19T19:30:29.969Z
github aquasecurity trivy-action 2cceb25e8410de0a15a4400fc1cf869e0f51ca89 2026-03-19T19:30:29.836Z
github aquasecurity trivy-action c8e1df828a373f985d7145963ec7db1888770120 2026-03-19T19:30:35.388Z
github aquasecurity trivy-action 3e0406b8484fda87bcf3d232f2340cc8f3302d22 2026-03-19T19:30:40.898Z
github aquasecurity trivy-action 56672d1236e28295f0ef169f6f42f04792873dfc 2026-03-19T19:30:47.461Z
github aquasecurity trivy-action da24190be9b7b7d225e41f143b4cdcc090a73c63 2026-03-19T19:30:55.184Z
github aquasecurity trivy-action b2a4be1d6219f4cfc0fcbbabf7f6e70ce6b750e0 2026-03-19T19:30:55.142Z
github aquasecurity trivy-action 4c0d2e1f62d65a7c9f1f7ed6bf34108eb5a7f316 2026-03-19T19:31:04.215Z
github aquasecurity trivy-action ea53a34dc436654695bf4bded564b7a182f5f0da 2026-03-19T19:31:11.837Z
github aquasecurity trivy-action 7f2ff4657bd0b5e707f5b3273b0dc7e7f0fd5945 2026-03-19T19:31:17.647Z
github aquasecurity trivy-action ff15a1869aef8d77a913f495881e42c67afbb5b9 2026-03-19T19:31:22.981Z
github aquasecurity trivy-action 18cf0fbc2b63a4ad6ab9f1d609f47710e86be7d9 2026-03-19T19:31:23.573Z
github aquasecurity trivy-action cba99f5f4bb02f50d380a4784d7540c2718f2f8e 2026-03-19T19:31:31.227Z
github aquasecurity trivy-action a9c2ce8cc19da46808771d3b2e0c45dcd34367ad 2026-03-19T19:31:38.481Z
github aquasecurity trivy-action df2f1ebf02f79922f7fe47f636b23e71448d1f70 2026-03-19T19:31:42.768Z
github aquasecurity trivy-action f950638a4d62064924d42cd28b355f10df0d761d 2026-03-19T19:31:51.359Z
github aquasecurity trivy-action b5aa8424e0b8db21dc8435850ecaa69abfb8f4ed 2026-03-19T19:31:57.117Z
github aquasecurity trivy-action 9dcd9f5a3d09aa09c1b20300b933df62f6522330 2026-03-19T19:31:57.683Z
github aquasecurity trivy-action 6f8621d4e25d210e7b8cc3c5baaf1b8eabfb93f3 2026-03-19T19:32:05.512Z
github aquasecurity trivy-action f69fe0d6d24c4e3e2ad0c0876c9e564719524b48 2026-03-19T19:32:12.512Z
github aquasecurity trivy-action 2db7b0d4373b9749855a36fca0b290f2381336fc 2026-03-19T19:32:19.204Z
github aquasecurity trivy-action cffefefa765f7bc9a4c3171643f7570300729968 2026-03-19T19:32:25.767Z
github aquasecurity trivy-action dc6f85ca176e03d3e17ecbfe6537bb1b3b68b443 2026-03-19T19:32:25.273Z
github aquasecurity trivy-action 7076cb9c7194cc5f04f0f7212cae9011dadc22cc 2026-03-19T19:32:33.825Z
github aquasecurity trivy-action cc9f0bf46f2af06ca2e1d130b8ab5cfdb530c6e1 2026-03-19T19:32:39.792Z
github aquasecurity trivy-action f10f2e1891ad18beac5eca4f9bcf1cf58462f28e 2026-03-19T19:32:45.026Z
github aquasecurity trivy-action 44e2bf03b4c3e84fe486e412b7cb0d96c6d966f1 2026-03-19T19:32:50.922Z
github aquasecurity trivy-action f1a2f80ca0f9ed58b9f930fc0b8d3c3d9ccf0da0 2026-03-19T19:32:57.693Z
github aquasecurity trivy-action c5f9b9a42f0434067cb9d4dce219a0b6d8db14ed 2026-03-19T19:33:03.358Z

scan.aquasecurtiy.org - typosquatted domain used for payload delivery and exfiltration; it resolves to 45.148.10.212

What to Do if You Are Affected

Here's what to do if you are affected:

  1. Rotate all credentials. As the list above shows, the infostealer targeted a wide variety of secrets. If a compromised version ran in your environment, treat every credential in that list as compromised.
  2. Check whether your organization pulled or executed Trivy v0.69.4 from any source (binary, package, container image, or through the actions). Remove any affected artifacts immediately.
  3. Review all workflows using aquasecurity/trivy-action or aquasecurity/setup-trivy. Check workflow run logs from March 19–20, 2026 for signs of compromise.
  4. Look for repositories named tpcp-docs in your GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen.

Pin GitHub Actions to full, immutable commit SHAs rather than mutable version tags, and pin the Trivy version explicitly instead of relying on latest.
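The following script is an added example for this post (it is not code from the original article, from Aqua, or from Minimus). It turns the IoC list, the affected/patched version ranges, and the SHA-pinning advice above into a triage check you can run offline over your workflow files and Dockerfiles: it flags `uses:` references to trivy-action and setup-trivy that are below the patched versions or are mutable tags, any pin to one of the known-bad commit SHAs, an explicit `version: latest` input, the 0.69.4 or latest image tags, and the typosquatted domain or its IP. The two sample workflows and the Dockerfile are constructed for the demonstration; the 40-hex values in the hardened sample are placeholders, not real commits. Only a subset of the socket.dev SHAs is embedded, so extend MALICIOUS_SHAS with the full list. The check cannot tell whether a SHA pin predates 2025-04-09 or whether a `latest` reference actually resolved to the poisoned build, so run logs from March 19–20 still need review.

```python
"""Offline triage for the Trivy v0.69.4 / trivy-action / setup-trivy compromise.

Added example, not the article's or Aqua's code. Standard library only.
"""
import re

TYPOSQUAT_DOMAIN = "scan.aquasecurtiy.org"   # note: aquasecurtiy, not aquasecurity
TYPOSQUAT_IP = "45.148.10.212"

# Known-bad commits quoted in the IoC section (first of each group only;
# extend this set with the full socket.dev list from the post).
MALICIOUS_SHAS = {
    "70379aad1a8b40919ce8b382d3cd7d0315cde1d0",  # actions/checkout imposter commit
    "1885610c6a34811c8296416ae69f568002ef11ec",  # aquasecurity/trivy malicious commit
    "8afa9b9f9183b4e00c46e2b82d34047e3c177bd0",  # setup-trivy hijacked tag
    "f4f1785be270ae13f36f6a8cfbf6faaae50e660a",  # trivy-action hijacked tag
}

# First fixed release of each action, from the "Patched Versions" section.
PATCHED = {
    "aquasecurity/trivy-action": (0, 35, 0),
    "aquasecurity/setup-trivy": (0, 2, 6),
}
BAD_IMAGE_TAGS = {"0.69.4", "latest"}   # Docker Hub 'latest' pointed at 0.69.4

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)@([^\s#]+)", re.M)
IMAGE_RE = re.compile(r"aquasecurity/trivy:([\w.-]+)")
LATEST_RE = re.compile(r"^\s*version:\s*['\"]?latest['\"]?\s*$", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_version(ref):
    """'v0.2.5' or '0.33.1' -> (0, 2, 5); None for branches and other refs."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", ref)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None


def classify_ref(action, ref):
    """Verdict for one `uses: action@ref`, or None if there is nothing to report."""
    if ref in MALICIOUS_SHAS:
        return "known-malicious commit SHA"
    if SHA_RE.match(ref):
        return None                       # full SHA pin that is not in the IoC list
    if action not in PATCHED:
        return "mutable tag or branch; pin to a full commit SHA"
    fixed = ".".join(map(str, PATCHED[action]))
    ver = parse_version(ref)
    if ver is None:
        return f"mutable branch ref {ref}; move to {fixed} or later and pin to a SHA"
    if ver < PATCHED[action]:
        return f"affected version {ref} (fixed in {fixed}); upgrade and pin to a SHA"
    return f"patched version {ref}, but still a mutable tag; pin to a full commit SHA"


def scan_text(text):
    """Return a list of (kind, value, verdict) findings for one file's contents."""
    findings = []
    for action, ref in USES_RE.findall(text):
        verdict = classify_ref(action, ref)
        if verdict:
            findings.append(("uses", f"{action}@{ref}", verdict))
    for tag in IMAGE_RE.findall(text):
        if tag in BAD_IMAGE_TAGS:
            findings.append(("image", f"aquasecurity/trivy:{tag}",
                             "poisoned 0.69.4 image, or a 'latest' tag that resolved to it"))
    if LATEST_RE.search(text):
        findings.append(("input", "version: latest",
                         "explicit 'latest' Trivy version; affected during the exposure window"))
    for ioc in (TYPOSQUAT_DOMAIN, TYPOSQUAT_IP):
        if ioc in text:
            findings.append(("network", ioc, "attacker payload/exfiltration endpoint"))
    return findings


# Constructed sample: a workflow as many teams had it before March 19, 2026.
VULNERABLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.5
      - uses: aquasecurity/trivy-action@0.33.1
        with:
          scan-type: fs
          version: latest
"""

# Constructed sample: the same workflow with every action pinned to a full commit
# SHA and Trivy pinned to a known-good release. The 40-hex values are placeholders;
# substitute the real commit of the release you audited.
HARDENED_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000001  # v4.x.y
      - uses: aquasecurity/setup-trivy@0000000000000000000000000000000000000002  # v0.2.6
      - uses: aquasecurity/trivy-action@0000000000000000000000000000000000000003  # 0.35.0
        with:
          scan-type: fs
          version: v0.69.3
"""

# Constructed sample: a Dockerfile that pulled the poisoned image.
DOCKERFILE = "FROM ghcr.io/aquasecurity/trivy:0.69.4\n"

if __name__ == "__main__":
    for name, text in [("vulnerable", VULNERABLE_WORKFLOW),
                       ("hardened", HARDENED_WORKFLOW), ("dockerfile", DOCKERFILE)]:
        print(f"== {name}: {len(scan_text(text))} finding(s)")
        for kind, value, verdict in scan_text(text):
            print(f"  [{kind}] {value}: {verdict}")
```

Run it over `.github/workflows/*.yml`, Dockerfiles, and compose files in every repository (for example by feeding each file's contents to scan_text); a clean result means nothing in the file references the known-bad material, not that a run in the exposure window was clean.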

Artur Oleyarsh
Security Researcher