Trivy supply chain attack turns Aqua Security scanner into a secret stealer

A supply chain attack against Aqua Security’s widely used Trivy scanner let attackers push malicious code into parts of the Trivy ecosystem and steal secrets from CI/CD environments. Aqua says the attackers used compromised credentials to publish a malicious Trivy v0.69.4 release, tamper with tags in trivy-action and setup-trivy, and later push malicious Docker Hub images tied to the same campaign.

The attack matters because Trivy is a security tool many teams trust inside build pipelines. When a scanner gets compromised, the malware can run before or during normal security checks and quietly collect credentials, tokens, SSH keys, and cloud secrets from the very systems meant to protect software delivery. Aqua, Microsoft, Docker, and CrowdStrike all say the main risk is secret theft from CI/CD runners and developer pipelines.

Aqua says the March 19 activity was part of a broader multi-stage intrusion that began weeks earlier. The company later said it discovered additional suspicious activity over the March 21 to 22 weekend and expanded remediation as the investigation continued. Aqua’s GitHub advisory also says the same actor used compromised credentials again on March 22 to publish malicious Trivy v0.69.5 and v0.69.6 Docker Hub images.

The key point for defenders is simple. If your workflows pulled the poisoned Trivy binary, relied on mutable GitHub Action tags, or used affected Docker Hub images, you should treat all secrets available to those environments as compromised and rotate them immediately. Aqua says exactly that in its incident guidance.

What happened

Aqua says the attackers used compromised credentials to publish malicious releases of Trivy v0.69.4 on March 19, 2026. The company also says the threat actor force-pushed 76 of 77 version tags in aquasecurity/trivy-action and replaced all seven tags in aquasecurity/setup-trivy with malicious commits.

Docker says the compromise also reached Docker Hub. According to Docker’s incident post, attackers pushed malware into aquasec/trivy images using the 0.69.4 and latest tags starting on March 19 at 18:24 UTC through Aqua’s own build system. Aqua later said the actor also used compromised credentials on March 22 to publish malicious v0.69.5 and v0.69.6 Docker Hub images.

CrowdStrike says the malicious code acted as an infostealer and ran before the legitimate Trivy scanning logic. That allowed workflows to appear normal while the malware gathered environment variables, tokens, cloud credentials, SSH material, and container-related secrets from runner environments. Microsoft’s guidance describes similar theft targets and says the compromise affected CI/CD secrets, GitHub tokens, API keys, and cloud access material.

Why this attack is so dangerous

This attack did not rely on users downloading a clearly suspicious new package name. Instead, it abused trust that already existed. Teams often reference GitHub Actions by version tag and container images by familiar tags such as latest. Once those references were poisoned, existing workflows could fetch malicious content without obvious changes in pipeline configuration. Aqua, GitHub, and Docker all point to mutable tag abuse as a central part of the incident.

That makes the blast radius larger than a normal package compromise. A scanner like Trivy sits close to the heart of software delivery. If it runs inside build jobs, release pipelines, or image scanning stages, it can access secrets with broad reach across cloud, source control, container registries, and production infrastructure. Microsoft says defenders should assume exposed pipeline secrets may enable follow-on attacks far beyond the original runner.

Affected components and safe versions

Component	Compromised versions or references	Safe guidance
Trivy binary	v0.69.4 malicious release	Use a known safe release such as v0.69.3 and verify source integrity
trivy-action	76 of 77 tags force-pushed to malicious commits	Use v0.35.0 pinned to commit 57a97c7
setup-trivy	All 7 tags replaced with malicious commits	Use v0.2.6 pinned to commit 3fb12ec
Docker Hub images	0.69.4 and latest on March 19, plus 0.69.5 and 0.69.6 on March 22	Pull only verified clean images after Aqua’s remediation guidance

What data the malware tried to steal

• GitHub tokens and pipeline secrets
• AWS, Azure, and Google Cloud credentials
• SSH keys and related authentication material
• Docker configuration files and registry credentials
• Kubernetes tokens and environment-level secrets stored on runners

Indicators defenders should check

Aqua’s public guidance says defenders should block the command-and-control domain scan.aquasecurtiy.org and the IP address 45.148.10.212 if they appear in logs or network traffic. The company also says teams should search for impacted Trivy artifacts and assume runner secrets were exposed if those artifacts executed.

Microsoft says defenders should review GitHub Actions logs, build logs, secret usage patterns, unusual outbound requests from runners, and signs of later abuse involving stolen credentials. CrowdStrike also says the compromise can support broad follow-on intrusion activity because the stolen data often includes access to cloud platforms and source control systems.

What organizations should do now

• Rotate all secrets that were accessible to affected CI/CD environments, including GitHub, cloud, container registry, SSH, and API credentials. Aqua says to treat them as compromised immediately.
• Pin GitHub Actions to full commit hashes instead of mutable tags. Aqua’s safe-version guidance includes exact commit references for trivy-action and setup-trivy.
• Remove or replace any poisoned Trivy binaries, actions, or Docker images from build caches, registries, and pipeline templates. Docker and Aqua both say malicious images were distributed through official channels during the compromise window.
• Review audit logs for unauthorized workflow changes, suspicious action downloads, unexpected outbound traffic, and unusual credential use after pipeline runs. Microsoft specifically recommends investigation across GitHub Actions, build systems, and cloud environments.
• Move away from long-lived credentials wherever possible. Aqua says part of its remediation includes replacing long-lived tokens and strengthening release verification.

What Aqua says about its commercial products

Aqua says its commercial platform was not affected. The company says those products run in an isolated environment with separate pipelines, different access controls, and a controlled integration path that lags behind the open-source release process. That separation, according to Aqua, limited the incident to parts of the open-source ecosystem.

Bottom line

This was not just a bad release. It was a supply chain compromise of a trusted security tool used deep inside CI/CD pipelines. The attackers abused existing trust, changed tags many teams already relied on, and turned routine security scans into opportunities for secret theft. Aqua’s latest updates show the company is still remediating the fallout, while Microsoft, Docker, and CrowdStrike all warn that downstream users need to investigate and rotate credentials now.

For most teams, the right assumption is harsh but necessary. If an affected Trivy artifact ran in your environment, your secrets may already be in someone else’s hands.

FAQ