The tool you use to scan your containers for vulnerabilities spent about twelve hours stealing your secrets. That’s the short version.

Between March 19 at 17:43 UTC and March 20 at 05:40 UTC, a threat actor with compromised Aqua Security developer credentials poisoned 75 of the 76 existing version tags on the Trivy GitHub Actions. The mechanism was a force-push: a tag is just a pointer, and a force-push rewrites it to point at different code while the tag name stays the same. Anyone whose CI pipeline referenced a version tag, which is almost every pipeline using Trivy, was pulling the malicious version during that window.

The payload was an infostealer built specifically for CI/CD environments. SSH keys, AWS/GCP/Azure credentials, database configs, Kubernetes service account tokens. Not random files. The exact credential types that give you lateral movement and cloud access.

Exfiltration went to scan.aquasecurtiy[.]org. One transposed letter. Designed to blend into traffic that’s already talking to Aqua’s real infrastructure.

The piece that makes this worse than a bad CI run: on developer machines, the malware installed a systemd service. It survives reboots. If you ran Trivy locally during that window, the service may still have been active long after you updated your Trivy version, because updating the binary does nothing to the unit it left behind.

This is also the second Trivy supply chain compromise in roughly four weeks. Different attacker, different technique. Two separate actors in one month targeting the same widely-used security tool. That’s not coincidence. Tools with access to CI runners have access to everything worth scanning. That’s why they’re targets.

On SHA pinning: the standard advice is to pin GitHub Actions to a version tag. This attack shows why that’s not enough. Tags are mutable. Commit hashes aren’t. Pin to the full 40-character commit SHA, not to a tag that can be moved underneath you.
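As an added example (not code from the post or from Aqua), here is a small check that walks a workflow file and flags every `uses:` reference that is not pinned to a full commit SHA. The embedded sample workflow, its version number and its SHA are constructed placeholders, not real trivy-action releases.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

A version tag or branch can be force-pushed to point at different code; a full
40-hex commit SHA cannot be silently redirected. Run over .github/workflows/*.yml.
"""
import re
import sys
from pathlib import Path

# `uses: owner/repo[/subpath]@ref`, optionally followed by a `# comment`.
# Local actions (`./path`) and `docker://` images carry no git ref and are skipped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, action, ref) for every reference that is not a full SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group(2)):
            findings.append((line_no, m.group(1), m.group(2)))
    return findings


# Constructed sample workflow: one tag pin (mutable) and one SHA pin (immutable).
# The version and the SHA are placeholders, not real trivy-action releases.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Trivy via tag (mutable, flagged)
        uses: aquasecurity/trivy-action@0.0.0
      - name: Trivy via SHA (immutable, passes)
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # 0.0.0
"""

if __name__ == "__main__":
    # With no arguments the constructed sample is scanned; otherwise each file given.
    texts = [Path(p).read_text() for p in sys.argv[1:]] or [SAMPLE_WORKFLOW]
    for text in texts:
        for line_no, action, ref in find_unpinned(text):
            print(f"line {line_no}: {action}@{ref} is not pinned to a commit SHA")
```

The trailing `# 0.0.0` comment after a SHA is the usual convention for recording which release the hash corresponds to, so the pin stays readable when you audit it later.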

If your pipelines ran Trivy in that window, treat it as a confirmed credential compromise and rotate everything.

Full technical breakdown: how the attack was staged, what systemd persistence means for your remediation scope, and exactly why SHA pinning beats version tags.