Trivy Scanner Compromised - Ongoing Supply Chain Attack Alert
In short: attackers broke into a tool that developers rely on, putting their secrets at risk.
Aqua Security's Trivy scanner has been compromised in a supply chain attack. Developers are urged to rotate their secrets immediately. The risk of data breaches is significant, given the tool's popularity. Stay alert and follow recommended security measures.
What Happened
A significant supply chain attack has compromised virtually all versions of Aqua Security’s widely used Trivy vulnerability scanner. This incident was confirmed by maintainer Itay Shakury, following a series of rumors and a now-deleted thread by the attackers. The attack began early Thursday, leveraging stolen credentials to force-push malicious dependencies into the Trivy repository. This means that developers using the affected versions may have unknowingly executed compromised code in their software development pipelines.
The attackers managed to alter 75 out of 76 trivy-action tags and seven setup-trivy tags, effectively replacing them with malicious versions. These changes allow the malware to infiltrate development environments and search for sensitive information like GitHub tokens and cloud credentials. Given Trivy's popularity, with over 33,200 stars on GitHub, the potential impact on developers and organizations could be extensive.
Who's Affected
Any developer or organization using the compromised versions of the Trivy scanner is at risk. This includes those who rely on Trivy to identify vulnerabilities and secure their CI/CD pipelines. The malware can exfiltrate sensitive data, leading to unauthorized access to various accounts and systems. While no breaches have been reported yet, the thoroughness of the information stealer and the stealthy nature of the operation raise significant concerns about follow-on attacks.
As the attack unfolded, security firms like Socket and Wiz alerted users to the severity of the situation. They emphasized that if developers suspect they were using a compromised version, they should treat all pipeline secrets as potentially exposed and rotate them immediately.
What Data Was Exposed
The malware embedded in the compromised Trivy versions is designed to scour development environments for sensitive credentials. This includes:
- GitHub tokens
- Cloud credentials
- SSH keys
- Kubernetes tokens
Once these secrets are discovered, the malware encrypts and sends the data to an attacker-controlled server. The compromised versions of Trivy, particularly the spoofed tags like @0.34.2 and @0.33, can execute malicious code as soon as they are run in a CI/CD pipeline. The potential for data exfiltration is alarming, especially given the tool's widespread use.
What You Should Do
If you are a user of the Trivy scanner, immediate action is crucial. Follow these steps:
- Rotate all secrets: Treat all pipeline secrets as compromised and rotate them without delay.
- Update to the latest version: Ensure you are using the unaffected version @0.35.0 or later.
- Monitor your systems: Keep an eye on your development environments for any unusual activity or unauthorized access attempts.
- Review security protocols: Strengthen your security measures to prevent similar incidents in the future.
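One practical check behind the "update" step is to find every workflow reference to the two actions named above and see whether it points at a mutable tag or an immutable commit SHA. The script below is an added example, not code from the article or from Aqua Security: it scans a constructed sample workflow, flags trivy-action tags below @0.35.0 as affected per this advisory, and marks setup-trivy tags and SHA pins for manual verification (the SHA in the sample is a hypothetical placeholder, not a real Trivy commit).

```python
import re
from typing import Dict, List

# Constructed sample workflow (not taken from any real repository). Each step
# references one of the actions the advisory says were tampered with.
SAMPLE_WORKFLOW = """
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.2
      - uses: aquasecurity/trivy-action@0.34.2
        with:
          scan-type: fs
      - uses: aquasecurity/trivy-action@0.35.0
      - uses: aquasecurity/trivy-action@2a2e7d1f3b4c5d6e7f8091a2b3c4d5e6f7a8b9c0  # hypothetical SHA
"""

USES_RE = re.compile(r"uses:\s*(aquasecurity/(?:trivy-action|setup-trivy))@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
UNAFFECTED_FROM = (0, 35, 0)  # "@0.35.0 or later" is the threshold the advisory gives


def parse_version(ref: str):
    """Turn a tag such as 'v0.34.2' or '0.33' into a comparable tuple, or None."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", ref)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def classify(action: str, ref: str) -> str:
    if SHA_RE.match(ref):
        return "pinned-sha"  # immutable, but confirm the commit is the one you intended
    ver = parse_version(ref)
    if action == "aquasecurity/trivy-action" and ver is not None:
        return "tag-unaffected-per-advisory" if ver >= UNAFFECTED_FROM else "tag-affected-per-advisory"
    # setup-trivy tags were also replaced; the advisory gives no safe threshold, so verify by hand
    return "tag-mutable-verify"


def audit_workflow(text: str) -> List[Dict[str, str]]:
    """Return one finding per Trivy action reference found in a workflow file."""
    return [{"action": m.group(1), "ref": m.group(2), "status": classify(m.group(1), m.group(2))}
            for m in USES_RE.finditer(text)]


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{finding['status']:30} {finding['action']}@{finding['ref']}")
```

Run it against each `.github/workflows/*.yml` file in your repositories; any "tag-affected-per-advisory" hit means the pipeline secrets of that repository should be treated as exposed.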
This incident serves as a stark reminder of the vulnerabilities inherent in software supply chains. Developers must remain vigilant and proactive in securing their tools and environments against potential threats.
Ars Technica Security