Trivy Supply Chain Compromise - Detection and Defense Guide
Basically, hackers used a trusted tool to steal sensitive information from developers.
A recent supply chain attack compromised Trivy, injecting malware into CI/CD pipelines. Organizations using this tool are at risk of credential theft. Learn how to detect and defend against such threats effectively.
What Happened
On March 19, 2026, Trivy, an open-source vulnerability scanner developed by Aqua Security, fell victim to a supply chain attack. Threat actors, identified as TeamPCP, exploited prior access to inject credential-stealing malware into official Trivy releases. This attack compromised the core scanner binary and GitHub Actions associated with Trivy, affecting CI/CD pipelines globally. The attackers leveraged trusted distribution channels to deceive organizations into executing malicious code.
The attack unfolded in two main phases. First, the attackers modified GitHub Actions to redirect trusted version tags to malicious commits. Second, they published an infected Trivy binary (v0.69.4) on official platforms, allowing the malware to spread undetected. This sophisticated method ensured that workflows appeared successful while secretly harvesting sensitive data.
Who's Being Targeted
Organizations utilizing Trivy in their CI/CD pipelines are at significant risk. The attack's stealthy nature means that many may not realize they have been compromised until it's too late. The malware specifically targeted cloud credentials and other sensitive information, including secrets from various cloud providers like AWS, GCP, and Azure. Developers and security teams relying on Trivy's trusted status are particularly vulnerable, as the malware was designed to blend in with legitimate operations.
This incident highlights a broader trend where attackers increasingly target trusted developer tools and software supply chains. As more organizations adopt CI/CD practices, the attack surface expands, making it crucial for teams to remain vigilant.
Tactics & Techniques
The attackers employed several concerning tactics during the Trivy supply chain compromise. By exploiting GitHub's mutable tags, they were able to force-push malicious commits without raising alarms. This allowed them to execute their code on any CI/CD pipeline referencing the affected tags. Additionally, the malware was designed to harvest credentials from various sources, including environment variables and cloud metadata services.
The malware executed a series of commands to extract sensitive information, including AWS and Azure credentials, Kubernetes secrets, and even cryptocurrency wallet details. The data was then encrypted and exfiltrated to a domain controlled by the attackers, all while maintaining the illusion of normal workflow operations.
Defensive Measures
To defend against similar supply chain attacks, organizations must adopt proactive measures. Microsoft Defender recommends several strategies:
- Update to Safe Versions: Ensure all workflows are using verified safe versions of Trivy and related actions. For instance, revert to Trivy binary versions v0.69.2 to v0.69.3.
- Harden CI/CD Pipelines: Pin third-party actions to immutable references, such as commit SHAs, instead of version tags. Regular audits of workflows can help identify and replace insecure references.
- Restrict Action Usage: Implement organization-level policies to allow only approved actions and block unverified external actions.
- Protect Secrets: Avoid exposing secrets in environment variables and use dedicated secret managers. Implement ephemeral runners to prevent credential persistence across jobs.
By understanding the tactics used in the Trivy attack and adopting these defensive measures, organizations can significantly reduce their risk of falling victim to similar exploits in the future.
Microsoft Security Blog