CISA adds Trivy supply chain compromise to KEV as agencies face April 9 deadline

CISA has added CVE-2026-33634 to its Known Exploited Vulnerabilities catalog, putting the Trivy supply chain compromise on the U.S. government’s short list of flaws that federal agencies must address fast. The catalog entry says the issue could give attackers access to CI/CD secrets, including tokens, SSH keys, cloud credentials, database passwords, and sensitive data held in memory.

This is not a routine bug inside Trivy’s scanning logic. Public advisories from Aqua and GitHub describe it as a supply chain attack in which threat actors used compromised credentials to publish malicious Trivy releases and tamper with related GitHub Actions used in developer pipelines.

For organizations that use open source Trivy in CI/CD, the immediate question is simple: did any pipeline pull the malicious artifacts during the exposure windows in March. If the answer is yes, or if teams cannot prove otherwise, Aqua says they should treat all secrets available to those runners as exposed and rotate them immediately.

What happened

According to Aqua’s incident update and GitHub’s advisory, attackers used compromised credentials on March 19, 2026 to publish a malicious Trivy v0.69.4 release, hijack 76 of 77 version tags in aquasecurity/trivy-action, and replace all seven tags in aquasecurity/setup-trivy with malicious commits. A second wave hit on March 22, when malicious Trivy v0.69.5 and v0.69.6 Docker Hub images were published.

CISA’s KEV listing matters because the agency only adds vulnerabilities when it has evidence of active exploitation. Its entry for CVE-2026-33634 sets an April 9, 2026 remediation deadline for federal civilian agencies under Binding Operational Directive 22-01.

Aqua says the incident grew out of an earlier late-February intrusion into Trivy’s GitHub Actions environment. The company said its first credential rotation after the March 1 disclosure was not fully comprehensive, which may have allowed the attacker to keep access and return later.

Why this is serious

The malware did more than change version tags. GitHub’s advisory says the malicious code could dump runner memory, search more than 50 filesystem paths for secrets, encrypt stolen data, and send it to attacker-controlled infrastructure. If exfiltration failed and a GitHub PAT was available, the malware could fall back to creating a public repository named tpcp-docs on the victim account and upload stolen data there.

That makes this incident especially dangerous for build systems and release pipelines. Trivy often runs inside environments that already hold cloud credentials, registry logins, Git access tokens, Kubernetes tokens, SSH keys, and environment secrets. Once attackers reach that layer, the blast radius can move beyond one tool and into the software delivery chain itself.

Aqua also drew an important boundary. It said there was no indication its commercial products, including Trivy as delivered inside the Aqua Platform, were affected. That statement does not cover teams that consume open source Trivy directly or through the GitHub Actions ecosystem.

Affected versions and safe versions

Source basis: Aqua and GitHub advisories.

The timelines also matter. GitHub’s advisory lists a roughly three-hour exposure window for Trivy v0.69.4 on March 19, around twelve hours for trivy-action, around four hours for setup-trivy, and around ten hours for the malicious Docker Hub images on March 22.

For defenders, the key detail is not just version number. Aqua says workflows that referenced mutable tags rather than full commit SHAs should be treated with extra scrutiny, because the attackers changed trusted tags instead of relying only on a clearly suspicious new release.

What organizations should do now

Security teams should identify whether any pipeline downloaded Trivy v0.69.4, or used compromised trivy-action or setup-trivy references during the March 19 to March 22 windows. Teams should also audit logs, caches, container registries, and workflow histories for signs that those artifacts ran in production or staging environments.

If exposure is possible, Aqua says teams should rotate all secrets accessible to those runners. That includes cloud credentials, source control tokens, registry credentials, SSH keys, Kubernetes tokens, environment variables, and other automation secrets.

Longer term, this incident reinforces a familiar lesson with new urgency. GitHub Actions should be pinned to full immutable commit SHAs, not mutable version tags. Aqua now lists SHA pinning and immutable release verification as part of the hardening work that follows this attack.

Immediate checklist

• Check whether Trivy v0.69.4 ran anywhere in your environment.
• Review workflows that used aquasecurity/trivy-action or aquasecurity/setup-trivy by tag instead of full SHA.
• Rotate every secret available to affected CI/CD runners.
• Hunt for the tpcp-docs repository name and published IOCs in GitHub audit logs and network telemetry.
• Move to known-safe versions and pin future action usage to immutable SHAs.

FAQ