Trivy supply-chain attack expands to Docker Hub and Aqua’s GitHub repos
The Trivy supply-chain attack has widened beyond the original malicious release and now includes compromised Docker Hub images and fresh repository tampering inside Aqua Security’s GitHub environment. Aqua says the latest activity points to the same attacker regaining access after earlier containment steps fell short.
That makes this incident more serious than a single bad version upload. Trivy is a widely used open-source security scanner in developer pipelines, so any compromise in its release chain can expose CI/CD secrets, cloud credentials, SSH keys, Kubernetes tokens, and Docker configuration files in downstream environments. Aqua’s GitHub advisory says affected users should treat accessible pipeline secrets as compromised and rotate them immediately.
Aqua’s latest update says investigators found additional suspicious activity on March 22 involving unauthorized changes and repository tampering. The company says that suggests an ongoing and evolving attack, with the threat actor reestablishing access while Aqua and incident response firm Sygnia continue forensic work and remediation.
What happened
Aqua says the main March 19 incident began when a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release and to tamper with the Trivy GitHub Actions ecosystem. According to the company, the attacker force-pushed 76 of 77 version tags in aquasecurity/trivy-action and replaced all seven tags in aquasecurity/setup-trivy with malicious commits.
The company says this was not a brand-new intrusion but a follow-up to an earlier March 1 incident. Aqua’s maintainers said their first round of secret and token rotation was not atomic, meaning the attacker may have retained access to refreshed credentials and reused them later.
Docker says the blast radius then spread to Docker Hub. According to Docker’s incident post, customers who pulled aquasec/trivy images tagged 0.69.4, 0.69.5, 0.69.6, or latest during the affected window may have exposed CI/CD secrets, cloud credentials, SSH keys, and Docker configuration data. Docker says it worked with Aqua to remove the compromised images and that the last known clean release is 0.69.3.
Why this matters
This incident shows why mutable tags remain a major supply-chain risk. Aqua says many CI/CD workflows relied on version tags rather than pinned commits, which let poisoned references keep running without obvious signs that the underlying code had changed. In practical terms, developers could run their normal Trivy jobs and still leak secrets in the background.
Docker added a warning of its own: a Docker Hub tag alone is not a sufficient basis for trust, and any system that ran the compromised images should be treated as exposed. Docker also noted that if a compromised Trivy image ran with the Docker socket mounted, defenders should treat the host itself as compromised, because that setup gives the container deep control over the node.
Aqua says there is still no indication that its commercial products were affected. The company says its commercial platform is isolated from the compromised open-source environment, built outside GitHub, and uses separate pipelines, secrets, and controls.
What was affected
| Component | Affected versions or scope | What defenders should know |
|---|---|---|
| Trivy binary | v0.69.4 | Malicious release published on March 19 |
| Trivy Docker images | 0.69.4, 0.69.5, 0.69.6, and latest during the affected period | Remove and rotate credentials |
| trivy-action | 76 of 77 version tags force-pushed | Mutable tag users may be exposed |
| setup-trivy | All 7 tags replaced | SHA-pinned references are safer |
The official advisory says the safe versions to use are Trivy v0.69.3, trivy-action v0.35.0, and setup-trivy v0.2.6. Aqua also recommends blocking the attacker infrastructure tied to scan[.]aquasecurtiy[.]org and IP 45.148.10.212.
What teams should do now
- Stop using affected Trivy images and releases immediately.
- Move to Trivy v0.69.3, trivy-action v0.35.0, and setup-trivy v0.2.6.
- Rotate all secrets that were available to affected runners, hosts, or containers.
- Check local image stores, registry mirrors, and artifact caches for the compromised Docker image digests.
- Pin GitHub Actions by commit SHA instead of mutable tags wherever possible.
- Block the known C2 domain and IP from the advisory.
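As an added example (not code from Aqua, Docker or the Trivy project), the following Python audit flags the two workflow risks the list above names: `uses:` references pinned to a mutable tag rather than a 40-hex commit SHA, and references to the compromised aquasec/trivy image tags, with a Docker-socket mount reported as a triage signal per Docker's guidance. The sample workflow and the commit SHA in it are constructed placeholders, not real trivy-action commits.

```python
import re

# A full 40-hex commit SHA is the only immutable way to reference an Action;
# tags and branches can be force-pushed, as happened to trivy-action and setup-trivy.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")
IMAGE_RE = re.compile(r"\baquasec/trivy:([\w.-]+)")

# Image tags the Aqua and Docker advisories named as compromised, plus `latest`.
BAD_TRIVY_TAGS = {"0.69.4", "0.69.5", "0.69.6", "latest"}

# Constructed sample workflow for demonstration; the SHA below is a placeholder,
# not a real trivy-action commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.6
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - run: docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:0.69.4 image app:ci
"""

def classify_ref(ref):
    """Return 'sha' for a full commit hash, otherwise 'mutable' (tag or branch)."""
    return "sha" if SHA_RE.match(ref) else "mutable"

def audit_workflow(text):
    """Return (line_no, finding, detail) tuples for a GitHub Actions workflow."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify_ref(m.group(2)) == "mutable":
            findings.append((lineno, "unpinned-action", f"{m.group(1)}@{m.group(2)}"))
        m = IMAGE_RE.search(line)
        if m and m.group(1) in BAD_TRIVY_TAGS:
            findings.append((lineno, "compromised-image", m.group(0)))
        # Docker's guidance: a compromised image run with the socket mounted
        # means the host itself should be treated as compromised.
        if "/var/run/docker.sock" in line:
            findings.append((lineno, "docker-socket-mounted", line.strip()))
    return findings

if __name__ == "__main__":
    for lineno, kind, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {kind}: {detail}")
```

Note that `setup-trivy@v0.2.6` is still reported: it is the safe version, but a tag is a mutable reference and can be replaced again, which is why the advisory favours SHA pinning.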
FAQ
Attackers used compromised credentials to push malicious Trivy artifacts and to tamper with trusted release references, which let malware reach downstream users through normal update and CI/CD paths.
Aqua and Docker both point to v0.69.3 as the last known clean Trivy release.
The public statements say the attacker abused Aqua Security credentials and release processes. Docker says the issue was isolated to Aqua’s images, not Docker’s infrastructure or other Docker Hub images.
Aqua says it has no indication that the versions of Trivy used within its commercial products were impacted.