On 22 March 2026 security researchers reported that the official Trivy GitHub Actions repositories were altered to distribute malware.
The aquasecurity/trivy-action repository had 75 of its 76 version tags force‑pushed with altered code. Each altered tag contained a script that ran during a GitHub Actions job, searched the runner environment for secrets such as SSH keys, cloud credentials, database passwords, Docker configuration files, Kubernetes tokens and cryptocurrency wallet files, and then sent the data to an external server.
The incident follows a prior supply‑chain attack on Trivy in February‑March 2026, where a bot used a pull_request_target workflow to steal a personal access token and publish compromised VS Code extensions.
Detection was triggered when researcher Paul McCarty noticed a new release (version 0.6.9.4) in the aquasecurity/trivy repository that behaved differently. Automated scans flagged the unexpected network traffic and the execution of unknown binaries.
GitHub has removed the malicious tags and restored the original releases. Users are advised to verify the integrity of their workflow files, pin actions to a specific SHA instead of a tag, and rotate any secrets that may have been exposed.
Key steps for remediation:
- Audit recent workflow runs for unknown outbound connections.
- Revoke and regenerate all credentials used in CI/CD pipelines.
- Update the Trivy action to the official version referenced by a commit hash.
- Enable repository‑level protection rules to prevent force pushes on tags.
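The pinning advice above (use a commit SHA, not a tag, because tags can be force‑pushed) applies to every third‑party action, not only Trivy. The following script is an added example, not code from Aqua Security, GitHub or the researchers cited here: it reads a workflow file, finds each `uses:` reference and reports whether it is pinned to an immutable 40‑hex commit SHA or to a mutable tag, branch, default branch or Docker image tag. The sample workflow, the `example-org/example-action` names and the all‑zero SHA are constructed placeholders; replace the SHA with the commit hash of the official trivy-action release when you apply this in practice. The regex line parser is a deliberate choice so the script runs without PyYAML.

```python
import re

# Added example (not Trivy's or GitHub's code): audit the `uses:` references in a
# GitHub Actions workflow and report which ones resolve through a mutable ref
# (tag, branch, default branch, Docker image tag) rather than an immutable
# commit SHA. Tags can be force-pushed, which is how altered action code reaches
# every workflow that references the tag.

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: <value>" on a step line, optionally prefixed by the list dash.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")


def classify_uses(value):
    """Classify one `uses:` value by how it is pinned.

    'sha'           owner/repo@<40-hex commit>, immutable
    'tag'           owner/repo@v4 or @1.2.3, mutable (tags can be moved)
    'branch'        owner/repo@main, mutable
    'unpinned'      owner/repo with no ref, resolves to the default branch
    'local'         ./path inside the calling repository (pinned by its commit)
    'docker-digest' docker:// image pinned by @sha256: digest, immutable
    'docker-tag'    docker:// image referenced by tag, mutable
    """
    if value.startswith("./"):
        return "local"
    if value.startswith("docker://"):
        return "docker-digest" if "@sha256:" in value else "docker-tag"
    if "@" not in value:
        return "unpinned"
    _, ref = value.rsplit("@", 1)
    if SHA_RE.match(ref):
        return "sha"
    # Version-style tags start with a digit or with 'v' followed by a digit.
    if re.match(r"^v?\d", ref):
        return "tag"
    return "branch"


MUTABLE = {"tag", "branch", "unpinned", "docker-tag"}


def audit_workflow(text):
    """Return (line_number, uses_value, kind) for every `uses:` in the workflow text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            value = m.group(1)
            findings.append((lineno, value, classify_uses(value)))
    return findings


def mutable_references(text):
    """Return only the findings that should be re-pinned to an immutable ref."""
    return [f for f in audit_workflow(text) if f[2] in MUTABLE]


# Constructed sample workflow. The SHA below is a placeholder, not a real
# trivy-action commit; the example-org action does not exist.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan with Trivy (tag reference, sample value)
        uses: aquasecurity/trivy-action@0.30.0
        with:
          scan-type: fs
      - name: Scan with Trivy (SHA reference, placeholder value)
        uses: aquasecurity/trivy-action@0000000000000000000000000000000000000000  # placeholder
      - uses: example-org/example-action@main
      - uses: example-org/example-action
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for lineno, value, kind in audit_workflow(SAMPLE_WORKFLOW):
        flag = "RE-PIN" if kind in MUTABLE else "ok"
        print(f"line {lineno:3d} {flag:6s} {kind:14s} {value}")
```

Run it against each file under .github/workflows; every line flagged RE-PIN is a reference that a tag force‑push like the one described above could silently redirect. Note that a SHA pin only fixes the version you run: the credentials the altered tags harvested still need to be rotated as the list above says.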
Supply‑chain attacks on open‑source tooling highlight the need for strict controls around third‑party actions and continuous monitoring of the software supply chain.