Your Security Scanner Was the Weapon: How the Trivy Supply Chain Attack Worked

A threat actor hijacked 75 of 76 Trivy version tags on GitHub Actions and turned the security scanner into an infostealer targeting CI/CD secrets. This is Trivy's second supply chain hit in roughly a month.
