
Supply Chain Compromise - Inside the trivy-action Incident


Basically, a popular tool was hacked to steal sensitive information from developers.

Quick Summary

A significant supply chain compromise involving the trivy-action GitHub Action was discovered. This incident affects many developers and organizations, highlighting vulnerabilities in trusted software components. Immediate action is required to secure environments and prevent unauthorized access.

What Happened

On March 20, 2026, CrowdStrike announced a significant security incident involving the trivy-action GitHub Action. This widely used open-source vulnerability scanner was compromised, impacting numerous organizations that use it in their CI/CD pipelines. The investigation revealed that 76 out of 77 release tags of the trivy-action had been retroactively poisoned, replacing the legitimate code with a multi-stage credential stealer. Because a release tag can be moved after the fact, workflows that referenced these tags pulled the malicious code without any change on their side. The malicious code operated silently, allowing workflows to appear normal while compromising sensitive information.

The attack was discovered following a spike in script execution detections across several CrowdStrike Falcon platform customers. The compromised action had been used extensively, making the incident particularly concerning for developers and organizations relying on its integrity.

Who's Affected

The breach primarily affects organizations that employ the trivy-action in their CI/CD processes. Given that this tool is integrated into many development workflows, the potential impact is widespread. Developers using this action may have unknowingly executed malicious code, putting their repositories and sensitive data at risk. Aqua Security, the maintainers of the trivy-action, confirmed the compromise and acted swiftly to remove all malicious artifacts from their repositories, but the damage could have been extensive.

This incident serves as a critical reminder of the risks associated with third-party software components. Organizations must remain vigilant and ensure they have robust security measures in place to monitor and validate the integrity of the tools they use.

What Data Was Exposed

The malicious code embedded in the compromised trivy-action was designed to steal credentials and sensitive information from the environments where it was executed. This includes API keys, deploy tokens, and other secrets that could grant unauthorized access to internal systems. The fact that the malicious code ran silently before the legitimate scanner further complicates the situation, as it may have gone undetected for an extended period.

As developers often trust these actions to perform critical tasks, the exploitation of this trust model highlights a significant vulnerability in the software supply chain. Organizations that used the compromised action need to assess their exposure and take steps to secure their environments.

What You Should Do

Organizations that have used the trivy-action in their CI/CD pipelines should take immediate action. Here are some recommended steps:

  • Audit your workflows: Review all instances where the trivy-action has been utilized and assess any potential exposure.
  • Change credentials: Rotate API keys, tokens, and other secrets that may have been compromised during the incident.
  • Monitor for unusual activity: Keep an eye on your systems for any unauthorized access or suspicious behavior.
  • Implement security measures: Strengthen your CI/CD pipeline security by using tools that validate the integrity of third-party actions before execution.

By taking these proactive steps, organizations can mitigate the risks associated with supply chain compromises and enhance their overall security posture.
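An added audit script for the first and last steps above (it is not from the CrowdStrike article or the trivy-action project): it walks a workflow file and flags every third-party `uses:` reference pinned to a mutable tag or branch rather than a full commit SHA, rating trivy-action references high because those are the tags that were retroactively poisoned. The workflow text and commit SHAs are constructed samples; the repository slug aquasecurity/trivy-action is assumed.

```python
import re

# Constructed sample workflow (not from the page): it mixes a mutable release tag,
# a branch ref and full-SHA pins so the audit has something to flag and something to pass.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - name: Trivy (mutable release tag, placeholder version)
        uses: aquasecurity/trivy-action@vX.Y.Z
      - name: Trivy (branch ref)
        uses: aquasecurity/trivy-action@main
      - name: Trivy (full commit SHA, constructed)
        uses: aquasecurity/trivy-action@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")   # the ref after `uses:`
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")            # only a full commit SHA is immutable


def audit_workflow(text, watch=("aquasecurity/trivy-action",)):
    """Return (line_no, action, ref, severity) for each third-party `uses:` whose ref
    is not a full commit SHA. Tags and branches can be retargeted after the fact, which
    is how the poisoned trivy-action tags reached pipelines without any workflow change."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref_spec = m.group(1).strip("\"'")
        if ref_spec.startswith(("./", "docker://")):
            continue  # local and container refs are not resolved through GitHub tags
        action, _, ref = ref_spec.partition("@")
        if FULL_SHA_RE.match(ref):
            continue  # immutable pin: nothing to report
        severity = "high" if action.lower() in watch else "medium"
        findings.append((n, action, ref or "<none>", severity))
    return findings


if __name__ == "__main__":
    for line_no, action, ref, severity in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is not SHA-pinned [{severity}]")
```

Run it over every file in `.github/workflows/`; any high finding means the pipeline pulled from a mutable trivy-action tag during the exposure window, so re-pinning to a SHA must be paired with rotating the secrets that run could reach.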


Original article from CrowdStrike Blog · Adam Cardillo, Ben Ellett, Travis Lowe, Radu-Emanuel Chiscariu

