Trivy Vulnerability Scanner Hit by Second Supply-Chain Attack in Three Weeks
A malicious release of Trivy, version 0.69.4, stole CI/CD secrets via GitHub Actions while posts about the breach were reportedly suppressed on Hacker News.

Security researcher Paul McCarty flagged a compromised release of Trivy, one of the most widely used open-source vulnerability scanners in software development, after version 0.69.4 appeared on the official GitHub repository on March 19 carrying malicious code designed to steal sensitive CI/CD pipeline secrets.
The attack was the second to hit Trivy, maintained by Aqua Security, in less than a month. According to analysis by security firm Wiz, v0.69.4 ran the legitimate Trivy binary alongside the malicious code, so scans still appeared to work while the payload quietly siphoned secrets from developer workflows. The compromised version reached users through two widely deployed GitHub Actions: "aquasecurity/trivy-action" and "aquasecurity/setup-trivy."
Trivy maintainers deleted the v0.69.4 tag after the compromise was identified, and Homebrew, a popular package manager used by millions of developers, downgraded its Trivy distribution to the prior stable release, v0.69.3. The investigation, as of this reporting, remains active.
The first incident, documented by security firm Stepsecurity, occurred on February 28 when an autonomous bot named "hackerbot-claw" exploited a misconfigured "pull_request_target" workflow, a trigger that runs with the repository's secrets even for pull requests from forks, to steal a Personal Access Token. With that token, the attacker seized control of the repository, deleted multiple release versions, and pushed two malicious versions of Trivy's Visual Studio Code extension to Open VSX, a public extension registry. The second attack followed just three weeks later.
The breach carries serious implications for any organization running Trivy inside automated CI/CD pipelines. Secrets stolen from those environments can include authentication tokens, API keys, and deployment credentials, potentially giving attackers access to production infrastructure.

The technical fallout was compounded by an information problem. On March 21 and 22, multiple attempts to share details about the incident on Hacker News, the influential technology forum run by Y Combinator, were reportedly suppressed or marked "dead," limiting the reach of public warnings. Separately, the original GitHub incident disclosure thread, numbered #10265, was deleted during the same period. Stepsecurity, whose article documenting the March 19 incident was authored by Varun Sharma, did not identify who deleted the discussion.
The two events, GitHub thread deletion and Hacker News post suppression, are distinct. One occurred on GitHub, where repository maintainers have authority to delete discussions; the other involves moderation decisions made by Hacker News staff or automated systems. No evidence in the available reporting links the two causally, but their timing raised immediate questions among security professionals about whether the full scope of the breach was reaching the developer community that most needed to know.
Several material questions remain unanswered. The exact number of tags removed from the aquasecurity/setup-trivy repository is disputed; one report cited 75 hijacked tags, a figure not independently corroborated by Stepsecurity's review of public GitHub data. Neither which organizations had secrets exposed nor whether stolen credentials have been rotated has been publicly confirmed. Aqua Security has not issued a public statement detailing remediation steps or the scope of downstream exposure.
Developers who ran Trivy-based workflows between March 19 and the tag deletion should treat any secrets accessible to those pipelines as potentially compromised, rotate those credentials immediately, and pin action references to immutable commit SHAs rather than tags, since a hijacked tag is exactly what turns a trusted action into a delivery channel.
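As an added example, not code from the article, Aqua Security, Wiz or Stepsecurity, the shell script below audits a directory of GitHub Actions workflow files for the two weaknesses this story turns on: a "pull_request_target" workflow that checks out the pull request head, which hands untrusted contributor code the repository's secrets (the February 28 incident), and Trivy actions referenced by a mutable tag or branch rather than a full commit SHA, which is what lets a hijacked tag deliver a release like 0.69.4 (the March 19 incident). It also flags any workflow that explicitly requests 0.69.4. The two sample workflows it writes are constructed for the demonstration; the 40-character SHA in the hardened sample is a placeholder rather than a real commit, and the tag names and the "version" input used in the samples are assumptions.

```shell
#!/bin/sh
# Added example: audit GitHub Actions workflows for the weaknesses behind the
# Trivy incidents. Not code from the article, Aqua Security or Stepsecurity.

# Writes two constructed sample workflows into DIR: one weak, one hardened.
make_samples() {
    dir="$1"
    # Weak: pull_request_target plus checkout of the PR head, Trivy actions on
    # mutable refs, and an explicit request for the malicious release.
    # Tag names and the "version" input are assumptions for the demo.
    cat > "$dir/weak.yml" <<'EOF'
name: scan
on:
  pull_request_target:
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: aquasecurity/setup-trivy@v0
        with:
          version: v0.69.4
      - uses: aquasecurity/trivy-action@master
EOF
    # Hardened: pull_request trigger, read-only token, actions pinned to a
    # full commit SHA. The SHA below is a placeholder, not a real commit.
    cat > "$dir/hardened.yml" <<'EOF'
name: scan
on:
  pull_request:
permissions:
  contents: read
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # 0.69.3
        with:
          version: v0.69.3
EOF
}

# Scans every *.yml/*.yaml in DIR, prints one line per finding and a total,
# and returns non-zero when anything was found.
scan_workflows() {
    dir="$1"
    total=0
    for f in "$dir"/*.yml "$dir"/*.yaml; do
        [ -f "$f" ] || continue
        n=0
        # 1. pull_request_target runs with the base repository's secrets; if the
        #    job also checks out the PR head, the contributor's code gets them.
        if grep -q 'pull_request_target' "$f" &&
           grep -Eq 'github\.event\.pull_request\.head\.(sha|ref)' "$f"; then
            echo "$f: pull_request_target checks out the PR head"
            n=$((n + 1))
        fi
        # 2. Tags and branches are mutable, so a hijacked tag silently swaps
        #    the action's code. Only a 40-hex commit SHA is immutable.
        m=$(grep -E 'uses:[[:space:]]*aquasecurity/(trivy-action|setup-trivy)@' "$f" |
            grep -Evc '@[0-9a-f]{40}([[:space:]]|$)' || true)
        if [ "$m" -gt 0 ]; then
            echo "$f: $m Trivy action reference(s) not pinned to a commit SHA"
            n=$((n + m))
        fi
        # 3. An explicit request for the compromised release.
        if grep -Eq 'version:[[:space:]]*v?0\.69\.4([[:space:]]|$)' "$f"; then
            echo "$f: requests Trivy 0.69.4"
            n=$((n + 1))
        fi
        total=$((total + n))
    done
    echo "findings: $total"
    [ "$total" -eq 0 ]
}

# Stand-alone demo against the constructed samples.
tmp=$(mktemp -d)
make_samples "$tmp"
scan_workflows "$tmp" || echo "rotate secrets reachable from these workflows and re-pin"
rm -rf "$tmp"
```

Run it as `scan_workflows .github/workflows` against a real checkout to get one line per finding; the weak sample above produces four findings and the hardened sample none. The SHA check deliberately accepts nothing but a full 40-character hex commit, since short SHAs, tags and branch names can all be moved after the fact.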
