CP
cyberpings
Threat IntelHIGH

Trivy Compromise - Credential Theft from GitHub Action

CSCyber Security News
TrivyTeamPCPcredential theftGitHub Actionsupply chain attack
🎯

Basically, hackers used a trick to steal passwords from many software projects.

Quick Summary

A major supply chain attack has compromised Trivy's GitHub Action, risking credential theft across thousands of CI/CD pipelines. Organizations must act fast to secure their environments and rotate exposed secrets. Don't let your data fall into the wrong hands!

What Happened

In a concerning development for software security, a sophisticated supply chain attack has compromised the official Trivy GitHub Action, impacting continuous integration and deployment (CI/CD) pipelines worldwide. Disclosed in late March 2026, this incident marks the second compromise of the Trivy ecosystem within just a month. The attackers managed to force-push 75 out of 76 existing version tags, effectively distributing a malicious infostealer to over 10,000 GitHub workflow files that rely on this action.

The attack was executed by leveraging residual write access from a previous credential breach, allowing the threat actors to alter existing version tags without raising alarms. This method minimized the chances of detection, as it avoided creating new releases or pushing code to branches, which typically trigger security alerts.

Who's Affected

The impact of this attack is extensive, affecting numerous organizations that utilize the Trivy GitHub Action in their CI/CD pipelines. With over 10,000 workflows potentially compromised, the blast radius for credential theft is massive. This includes both GitHub-hosted and self-hosted runners, making it a critical issue for many developers and companies relying on this tool for security scanning.

Organizations that have executed any of the poisoned version tags are at risk. The attackers specifically targeted sensitive data, including SSH keys, database credentials, and CI/CD configuration files, which could lead to further exploitation if not addressed promptly.

What Data Was Exposed

The malicious script injected into the Trivy GitHub Action is designed to collect sensitive data systematically. During its operation, the infostealer targets:

  • SSH keys and Git credentials
  • Cloud provider credentials (AWS, Azure)
  • CI/CD and Docker configurations
  • Environment files containing sensitive variables
  • Cryptocurrency wallet data

The malware operates in stages, including targeted collection, encryption, and stealthy exfiltration of the stolen data. It uses advanced techniques like AES-256 encryption and attempts to exfiltrate data via HTTPS requests, even creating public repositories to hide its tracks if initial attempts fail.

What You Should Do

Organizations using the Trivy GitHub Action must take immediate action. Here are the recommended steps:

  1. Stop referencing any version tags of the Trivy Action, except for the untouched version @0.35.0.
  2. Pin the action to a specific safe commit SHA (57a97c7e7821a5776cebc9bb87c984fa69cba8f1) to prevent further exploitation.
  3. Rotate all exposed secrets, including cloud credentials and API tokens, to mitigate potential breaches.
  4. Audit GitHub organizations for any unauthorized repositories named tpcp-docs, which may contain stolen data.

Taking these steps is crucial to safeguard your organization against the fallout from this alarming attack. The threat landscape is evolving, and vigilance is key.

🔒 Pro insight: This incident underscores the critical need for continuous monitoring of CI/CD tools and rigorous access controls to prevent similar supply chain attacks.

Original article from

Cyber Security News · Dhivya

Read Full Article

Share

Related Pings

HIGHThreat Intel

Threat Intel - Russian Hackers Target High-Value Individuals

Russian hackers are targeting high-value individuals through Signal, using social engineering to compromise accounts. This poses serious risks to sensitive communications. Stay vigilant and protect your data.

Cyber Security News·
HIGHThreat Intel

Iranian Cyberattacks - Prepping for US and Israel Strikes

Iranian APTs are ramping up cyberattacks in response to recent US-Israel strikes. This poses significant risks to critical infrastructure and global cybersecurity. Vigilance and robust defenses are essential.

SC Media·
HIGHThreat Intel

Threat Intel - Russian APT Exploits Zimbra Bug in Ukraine

A Russian APT exploits a critical Zimbra vulnerability to target Ukraine's State Hydrology Agency. This attack uses phishing tactics to steal sensitive data, raising significant security concerns.

SC Media·
HIGHThreat Intel

Threat Intel - US Disrupts Handala Hacktivist Operations

The U.S. has disrupted Handala's hacktivist websites following their attack on Stryker. This operation aims to prevent further cyber exploitation. Handala's response shows their determination to continue their activities despite the setback.

SC Media·
HIGHThreat Intel

Supply Chain Compromise - Inside the trivy-action Incident

A significant supply chain compromise involving the trivy-action GitHub Action was discovered. This incident affects many developers and organizations, highlighting vulnerabilities in trusted software components. Immediate action is required to secure environments and prevent unauthorized access.

CrowdStrike Blog·
HIGHThreat Intel

Threat Intel - FBI Links Signal Phishing to Russian Actors

The FBI has linked phishing attacks on Signal and WhatsApp to Russian intelligence. Thousands of accounts have been compromised, targeting sensitive users. Stay vigilant against these tactics to protect your communications.

BleepingComputer·