On March 19, 2026, trivy, a widely used open source vulnerability scanner maintained by Aqua Security, experienced a second security incident, three weeks after the hackerbot-claw takeover on February 28. A new compromised release, v0.69.4, was published to the trivy repository, and Homebrew downgraded to v0.69.3 in response. The malicious v0.69.4 binaries phone home to a typosquat C2 domain, and the release automation briefly created a v0.70.0 tag before it was removed.
The original incident disclosure discussion (#10265) was deleted during this period, and all version tags on the aquasecurity/setup-trivy GitHub Action were removed except for v0.2.6. Evidence from the GitHub Events API tracks actions such as the deletions of v0.69.4 and v0.70.0 and a later clean setup-trivy release, alongside discussions and a flood of spam bot comments aimed at burying the thread. Indicators of compromise include the C2 domain scan[.]aquasecurtiy[.]org and references to the compromised setup-trivy tag, according to Aqua Security.
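One way to sweep CI workflows and DNS or proxy logs for the indicators named above, as an added example that is not code from Aqua Security or the trivy project. The function names, the sample workflow and log lines, the placeholder ref `v0.0.0-example`, and the policy of flagging every setup-trivy ref other than a full commit SHA or v0.2.6 are assumptions of this example.

```python
import re

# IoCs taken from the summary above; the domain stays defanged in source.
C2_DOMAIN = "scan[.]aquasecurtiy[.]org".replace("[.]", ".")
BAD_TRIVY_VERSIONS = {"0.69.4", "0.70.0"}  # malicious release and removed tag
SURVIVING_SETUP_TAG = "v0.2.6"             # only setup-trivy tag left in place

USES_RE = re.compile(r"uses:\s*aquasecurity/setup-trivy@([^\s#]+)", re.I)
VERSION_RE = re.compile(r"\bv?(\d+\.\d+\.\d+)\b")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample inputs, not taken from any real repository or log.
SAMPLE_WORKFLOW = """\
steps:
  - uses: aquasecurity/setup-trivy@v0.0.0-example
    with:
      version: v0.69.4
  - uses: aquasecurity/setup-trivy@v0.2.6
"""
SAMPLE_LOGS = [
    "2026-03-19T10:02:11Z dns query runner-7 scan.aquasecurtiy.org. A",
    "2026-03-19T10:02:12Z dns query runner-7 github.com. A",
]


def scan_workflow(text):
    """Return (line_no, finding) pairs for one workflow file's text."""
    findings = []
    mentions_trivy = "trivy" in text.lower()
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.search(line)
        if m and not SHA_RE.match(m.group(1)) and m.group(1) != SURVIVING_SETUP_TAG:
            findings.append((no, f"review setup-trivy ref '{m.group(1)}'"))
        if mentions_trivy:
            for v in VERSION_RE.findall(line):
                if v in BAD_TRIVY_VERSIONS:
                    findings.append((no, f"trivy version {v} referenced"))
    return findings


def scan_logs(lines):
    """Return log lines that mention the C2 domain, plain or defanged."""
    return [l for l in lines if C2_DOMAIN in l.lower().replace("[.]", ".")]


if __name__ == "__main__":
    for no, finding in scan_workflow(SAMPLE_WORKFLOW):
        print(f"workflow line {no}: {finding}")
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"log hit: {hit}")
```

A finding on a setup-trivy ref means the ref needs review, not that it is the compromised tag, which the summary does not identify.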