Trivy Supply Chain Attack: Secrets That Will Amaze You

What Is Trivy and Why the Trivy Supply Chain Attack Matters

In fact, Trivy is an open-source security scanner built by Aqua Security. Specifically, it checks container images, file systems, and code for known flaws. In fact, thousands of teams use it inside their CI/CD pipelines to catch bugs before code goes live.

Moreover, the tool runs as a GitHub Action. In other words, it plugs right into your build process. As a result, every time you push code, Trivy scans it and flags problems. As a result, it's fast, free, and widely trusted — which also made it a prime target for the Trivy supply chain attack.

Importantly, here's why that trust matters. Clearly, when a tool sits inside your pipeline, it has access to your secrets — API keys, cloud tokens, SSH keys, and more. In short, if someone poisons that tool, they don't need to break in. Instead, they inherit your trust.

How the Trivy Supply Chain Attack Happened

Notably, the attack started weeks before the main breach. In late February 2026, an AI bot called hackerbot-claw scanned GitHub for weak workflow configs. Consequently, it found one in Trivy's repo that used a risky event trigger called pull_request_target.

In particular, this trigger runs code in the base repo's context — not the fork's. Therefore, the bot submitted a pull request with hidden code that stole a Personal Access Token (PAT). As a result, with that token, the attacker gained full write access to Trivy's repo.

The Trivy Supply Chain Attack: Tag Poisoning Explained

On March 19, 2026, TeamPCP used those stolen credentials to rewrite 75 of 76 version tags in the trivy-action repo. In fact, in Git, a tag is just a pointer to a commit. Similarly, if you have write access, you can force-push a tag to point at different code.

However, the release page on GitHub didn't change. Indeed, same name, same date, same description. Nevertheless, the code behind each tag now contained a credential stealer. Consequently, anyone who ran a pipeline referencing those tags got hit — silently.

What the Trivy Supply Chain Attack Payload Did

Notably, the injected code ran before the real Trivy scan. As a result, your pipeline looked normal — it completed without errors. However, in the background, two Python scripts were stealing data.

Specifically, the first script dumped secrets from the GitHub Actions runner's process memory. Moreover, it grabbed tokens, environment variables, and anything stored in the runner's context. In addition, the second script targeted the local file system — SSH keys, cloud tokens for AWS, Azure, and GCP, Docker configs, and even crypto wallets.

Furthermore, both scripts sent the stolen data to a fake domain: scan.aquasecurtiy[.]org (note the typo — that's the attacker's typosquat). Alternatively, if that failed, the data went to a public GitHub repo as a backup. Indeed, because GitHub traffic looks routine in dev setups, most teams didn't notice.

Who Is Affected by the Trivy Supply Chain Attack

Therefore, if your pipeline ran aquasecurity/trivy-action between March 19 at 17:43 UTC and March 20 at about 05:40 UTC, your secrets may be exposed. In other words, that's roughly a 12-hour window.

Notably, the safe versions are trivy v0.69.3, trivy-action v0.35.0, and setup-trivy v0.2.6. Consequently, anything outside those versions during the attack window should be treated as compromised.

Moreover, the impact goes beyond Trivy itself. In fact, stolen tokens from the first breach were then used to poison Checkmarx's GitHub Action as well. As a result, the Trivy supply chain attack cascaded — one compromised tool led to another, then another.

Furthermore, Sysdig's threat research team confirmed the connection. Specifically, they found the same credential stealer from the Trivy supply chain attack running inside Checkmarx's AST Action just four days later. Indeed, the pattern was identical — same code, different domain name to avoid detection.

How to Check If the Trivy Supply Chain Attack Affected You

To begin with, search your workflow files for any reference to trivy-action:

grep -r "aquasecurity/trivy-action" .github/workflows/
grep -r "aquasecurity/setup-trivy" .github/workflows/

Next, if you find matches, check your workflow run logs from March 19–20. Look for any calls to tpcp.tar.gz, aquasecurtiy (with the typo), or checkmarx.zone.

In addition, search your GitHub org for a repo named tpcp-docs. If it exists, the attacker successfully sent your data through the backup channel.

5 Steps to Guard Against the Trivy Supply Chain Attack

Regardless of whether you use Trivy or not, these steps apply to every team that runs GitHub Actions.

1. Pin Actions to Full Commit SHAs

Importantly, version tags can be rewritten. However, commit SHAs cannot be rewritten. Therefore, replace tag-based references with full 40-character SHA hashes. For example, instead of @v2, use @a1b2c3d4.... In fact, this is the single most effective defense against tag poisoning.

2. Rotate All Pipeline Secrets Immediately

Specifically, if you ran an affected version during the attack window, rotate every secret that was accessible to your runners. For example, that includes GitHub PATs, AWS keys, Azure service principal credentials, and any tokens in your repo or org settings.

3. Audit pull_request_target Workflows

Notably, any workflow that uses this trigger and also checks out PR code is high risk. Indeed, the attacker used this exact pattern to steal the initial token. Therefore, separate trusted workflows from untrusted code, or remove the trigger entirely.

4. Apply Least Privilege to Runner Tokens

In fact, most pipelines give the GITHUB_TOKEN far more permission than needed. Consequently, lock it down. For instance, if your workflow only reads code, don't give it write access. As a result, fewer permissions mean less damage if a tool gets compromised.

5. Monitor Runner Behavior at Runtime

However, network-level tools alone won't catch these attacks. In fact, the attacker's domains were too new to appear on blocklists. Instead, watch for unusual behavior — like a CI runner making POST requests with binary data to external domains.

❌

Using Version Tags Instead of SHAs

Indeed, tags can be silently rewritten. Similarly, a tag that pointed to safe code yesterday can point to malware today. Therefore, always pin to full commit SHAs.

❌

Trusting "Immutable Release" Badges

GitHub's immutable badge didn't prevent this attack. In fact, the attacker may have locked the malicious state in place. Consequently, do not rely on badges alone.

❌

Skipping Secret Rotation After a Breach

Notably, a stolen token opens the door to cascading attacks. Therefore, if any tool in your pipeline was compromised, rotate every credential it could access.

❌

Ignoring pull_request_target Risks

Furthermore, this trigger runs in the base repo's context with full secret access. As a result, if it also checks out PR code, any fork can steal your secrets.

The Attack Is Still Expanding

Importantly, this is not a one-and-done breach. In fact, after the initial Trivy compromise, TeamPCP kept going. For example, on March 22, malicious Docker Hub images appeared — versions 0.69.5 and 0.69.6 — with the same infostealer code baked in.

Furthermore, by March 24, the campaign had also spread to PyPI. Packages for LiteLLM (versions 1.82.7 and 1.82.8) were poisoned with identical malware. Moreover, the attackers even moved into the npm ecosystem using a self-spreading worm called CanisterWorm.

In other words, the stolen credentials from one tool unlocked access to many others. Consequently, each new breach fed the next one. In short, this is what makes supply chain attacks so dangerous — they don't stop at one target.

Why This Matters If You're Studying Cybersecurity

The Trivy supply chain attack is a textbook example of what the CEH and Security+ exams call "third-party risk." Notably, you did not write the bad code. Similarly, you did not misconfigure anything. However, you just used a popular tool — and that was enough.

Therefore, if you are preparing for a security cert, study this incident closely. In fact, it covers real-world concepts like supply chain risk, least privilege, credential management, and incident response. Indeed, these are no longer abstract exam topics. Instead, they are headlines.

Moreover, even if you do not use Trivy, the patterns here apply everywhere. In particular, any tool in your pipeline that has access to secrets is a potential attack vector. As a result, learning how to audit, lock down, and monitor those tools is a skill that sets you apart from other beginners.