Trivy’s open-source vulnerability scanner was compromised in a supply chain attack.
Aqua Security confirmed that its Trivy open‑source vulnerability scanner was compromised in a supply‑chain attack that began in late February. Using stolen credentials, the attackers published malicious Trivy releases and rewrote most of the trivy‑action and setup‑trivy tags so that they pointed at versions carrying information‑stealing malware; any workflow that referenced those actions by tag rather than by commit SHA therefore pulled the malicious code on its next run. Once executing inside a CI/CD job, the malware harvested secrets by dumping memory from the Runner processes and uploaded the data to remote servers. Aqua reported that the attack remained ongoing, with further unauthorized repository changes observed on March 22, though its commercial products were not affected.
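The tag rewrite worked because a git tag is a mutable pointer: whoever controls the repository can move it to a different commit, and a workflow line such as `uses: aquasecurity/trivy-action@0.28.0` will silently follow it. Pinning to a full commit SHA closes that path. The script below is an added example, not code from OODA Loop, Aqua Security or the Trivy project; it scans a GitHub Actions workflow for `uses:` references that are not pinned to an immutable commit SHA (or, for `docker://` images, to a digest). The embedded workflow and its version strings and SHA are constructed for illustration.

```python
import re

# Constructed sample workflow. The action names mirror the ones named in the
# report; the version strings and the checkout SHA are illustrative only.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: aquasecurity/setup-trivy@v0.2.0
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# Matches a `uses:` key whether or not it starts a list item; the reference
# ends at whitespace or a trailing `# comment`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref):
    """Return how a `uses:` reference is pinned.

    local          path inside the repository, tied to the checked-out commit
    docker-digest  container image pinned by @sha256:... digest (immutable)
    docker-tag     container image pulled by tag (re-taggable upstream)
    sha            full 40-hex commit SHA (immutable)
    mutable        branch or tag name, or no ref at all (default branch);
                   the upstream owner, or an attacker with their
                   credentials, can move it
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker-digest" if "@sha256:" in ref else "docker-tag"
    if "@" not in ref:
        return "mutable"
    _, version = ref.rsplit("@", 1)
    return "sha" if FULL_SHA_RE.match(version) else "mutable"


def find_unpinned_uses(workflow_text):
    """Return (line_number, reference, kind) for every `uses:` whose target
    can be changed upstream without any edit to this workflow."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        kind = classify_uses(ref)
        if kind in ("mutable", "docker-tag"):
            findings.append((lineno, ref, kind))
    return findings


if __name__ == "__main__":
    for lineno, ref, kind in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned ({kind})")
```

Run against the sample, it flags the two Aqua actions and the `alpine:3.19` image while accepting the SHA-pinned checkout and the local action. Pinning stops a moved tag from being followed, but it does not shrink what a compromised step can reach: the payload in this incident read secrets out of Runner process memory, which any step in the job can do. Short-lived, least-privilege tokens and a review of which secrets a job actually needs are the complementary controls.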
Read more:
https://www.securityweek.com/aquas-trivy-vulnerability-scanner-hit-by-supply-chain-attack/