A Trivy supply chain attack saw a threat actor systematically targeting cloud credentials, SSH keys, tokens and other sensitive secrets stored in automated enterprise software build and deployment pipelines after compromising Trivy, the widely deployed cloud security scanner. The compromise began in February, when the attacker exploited a misconfiguration in Trivy's GitHub Action component to steal a privileged access token; the Trivy team first disclosed the intrusion on 1 March.
On 19 March the attacker used those credentials to force-push malicious code to 76 of the 77 previously released versions of trivy-action, and to seven versions in the setup-trivy repository, so that any CI/CD pipeline referencing those existing version tags would execute the malicious code on its next run. A compromised automated service account named aqua-bot was used to publish a malicious Trivy version, v0.69.4, and to manipulate GitHub Action tags, according to Aqua Security.
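The force-push described above worked because a GitHub Action version tag such as `@v0.x` is a mutable pointer: whoever controls the repository can move it to new commits without changing the reference a workflow uses. A commit SHA cannot be rewritten in the same way. The following is an added example, not code from the article or from the Trivy project, showing how a practitioner might audit workflow files for `uses:` references that are not pinned to a full 40-character commit SHA. The sample workflow, the placeholder SHA and the `@master` reference are constructed for the example and are not taken from any real repository.

```python
import re
import sys

# Matches a `uses:` step, optionally quoted, optionally as a list item.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?')
# A full 40-hex commit SHA; anything else (tag, branch, short SHA) is mutable.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text):
    """Return (line_number, action, ref) tuples for every remote action reference."""
    refs = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local actions and docker:// images are out of scope for this check.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        if "@" not in target:
            refs.append((lineno, target, None))
            continue
        action, ref = target.rsplit("@", 1)
        refs.append((lineno, action, ref))
    return refs


def is_pinned_to_sha(ref):
    """True only for a full commit SHA; tags like v4 or 0.69.4 are mutable."""
    return ref is not None and bool(SHA_RE.match(ref))


def find_unpinned_actions(workflow_text):
    """List every action reference that a tag rewrite could redirect."""
    findings = []
    for lineno, action, ref in parse_uses(workflow_text):
        if not is_pinned_to_sha(ref):
            findings.append({"line": lineno, "action": action, "ref": ref})
    return findings


# Constructed sample workflow (hypothetical; the SHA below is a placeholder).
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy (tag pinned, mutable)
        uses: aquasecurity/trivy-action@master
      - name: Run Trivy (SHA pinned)
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-thing
"""


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    for f in find_unpinned_actions(text):
        print(f"line {f['line']}: {f['action']}@{f['ref']} is not pinned to a commit SHA")
```

Run it against a workflow file to list the references an attacker with push access to the action repository could redirect. Pinning to a SHA removes the tag-rewrite vector but does not help if a pipeline pulls a newly published release; the same principle applies to container images, which should be referenced by digest rather than by a mutable tag.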
In a 23 March update, Aqua disclosed that the actor had used aqua-bot to publish two compromised Docker images, v0.69.5 and v0.69.6, spreading malware through Trivy's trusted release pipeline, and described the payload as a credential-harvesting infostealer.