Widely used Trivy scanner compromised in supply-chain attack

Source: Biz & IT - Ars Technica

Hackers have compromised virtually all versions of Aqua Security’s widely used Trivy vulnerability scanner in an ongoing supply chain attack that could have wide-ranging consequences for developers and the organizations that use the scanner. Trivy maintainer Itay Shakury confirmed the compromise on Friday, following rumors and a thread, since deleted by the attackers, discussing the incident.

The attack began in the early hours of Thursday. The threat actor used stolen credentials to force-push all but one of the trivy-action tags and seven setup-trivy tags so that they referenced malicious dependencies. A forced push is a git operation that overrides the default safety check preventing existing commits from being overwritten.

Security firms Socket and Wiz said the malware, triggered in 75 compromised trivy-action tags, thoroughly scours development pipelines and developer machines for GitHub tokens, cloud credentials, SSH keys, Kubernetes tokens and other secrets.
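Because a force-pushed tag silently changes what a workflow runs, one defensive check is to reference actions by a full commit SHA rather than a mutable tag. The added example below (not from the article or the Trivy project) audits a constructed workflow file and reports which `uses:` references are still mutable tags or branches; the sample workflow, its refs and the placeholder SHA are all constructed for illustration.

```python
import re

# A `uses:` step in a GitHub Actions workflow: owner/repo[/path]@ref
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)')
# A full 40-character lowercase hex commit SHA is the only immutable ref form
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def audit_workflow(text):
    """Return (action, ref, status) for every `uses:` step in the workflow text.

    status is 'pinned' for a full commit SHA and 'mutable' for anything else
    (a tag or branch name, which a force-push can repoint to other code).
    """
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue  # not a remote action reference (e.g. docker:// or ./local)
        action, ref = m.group(1), m.group(2)
        status = 'pinned' if FULL_SHA_RE.match(ref) else 'mutable'
        findings.append((action, ref, status))
    return findings


def mutable_refs(text):
    """Only the references that a tag rewrite could affect."""
    return [(a, r) for a, r, s in audit_workflow(text) if s == 'mutable']


# Constructed sample workflow; the SHA is a placeholder, the tags are illustrative.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000
      - uses: aquasecurity/setup-trivy@v1
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.0.0
        with:
          scan-type: fs
"""

if __name__ == "__main__":
    for action, ref, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{status:8} {action}@{ref}")
```

Run it against each workflow under `.github/workflows/` to get a list of action references that should be converted to SHA pins.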
