Trivy Compromised Again: 75 GitHub Actions Tags Hijacked
Trivy, the popular open-source vulnerability scanner maintained by Aqua Security, has been compromised for a second time within a single month — this time with attackers hijacking 75 GitHub Actions tags to deliver malware designed to steal sensitive CI/CD pipeline secrets.
The latest compromise targeted two GitHub Actions repositories:
- aquasecurity/trivy-action — the official GitHub Action for running Trivy scans in CI workflows
- aquasecurity/setup-trivy — the action used to install and configure Trivy
Both repositories are widely trusted by the security community and used in thousands of CI/CD pipelines across organizations of all sizes, making this a high-impact supply chain attack.
The incident was reported by The Hacker News on March 20, 2026.
What Happened
Attackers gained access to the Aqua Security GitHub Actions repositories and modified 75 tags — version references commonly pinned in workflow files using syntax like uses: aquasecurity/trivy-action@v0.29.0. By hijacking these tags to point to malicious commits, any CI/CD pipeline that triggered a workflow run during the compromise window would have executed attacker-controlled code with full access to the runner environment.
The attack is significant for several reasons:
- Tag poisoning is particularly insidious because pinning to a tag (rather than a commit SHA) provides no integrity guarantee
- CI/CD runners have access to secrets — tokens, API keys, cloud credentials, and deployment keys are routinely injected into GitHub Actions environments
- Security-focused workflows often run with elevated permissions to scan infrastructure and container registries
- This is the second compromise in a month, suggesting either a persistent attacker or an unresolved access control weakness
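The tag movement described above can be detected by recording the commit each tag resolves to while it is trusted and comparing later `git ls-remote --tags` output against that record. The following is an added example, not code from the article or from Aqua Security; every SHA in it is a constructed placeholder, and only v0.29.0 is a tag name taken from the article.

```python
TAG_PREFIX = "refs/tags/"

def parse_ls_remote(output):
    """Map tag name -> commit SHA from `git ls-remote --tags <url>` output.

    An annotated tag is listed twice: once as the tag object and once as a
    peeled `^{}` entry holding the commit it resolves to. The peeled SHA wins.
    """
    tags = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 2 or not fields[1].startswith(TAG_PREFIX):
            continue  # skip branches, HEAD and malformed lines
        sha, name = fields[0], fields[1][len(TAG_PREFIX):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha       # commit behind an annotated tag
        else:
            tags.setdefault(name, sha)  # lightweight tag, or tag object
    return tags

def moved_tags(baseline, current):
    """Return {tag: (recorded_sha, current_sha)} for tags that moved or vanished."""
    return {tag: (old, current.get(tag))
            for tag, old in baseline.items() if current.get(tag) != old}

# Constructed data: placeholder SHAs recorded when the tags were trusted.
BASELINE = {"v0.29.0": "1" * 40, "example-annotated": "2" * 40,
            "example-deleted": "3" * 40}
SAMPLE_OUTPUT = "\n".join([
    "f" * 40 + "\trefs/tags/v0.29.0",               # now points elsewhere
    "a" * 40 + "\trefs/tags/example-annotated",     # tag object, not a commit
    "2" * 40 + "\trefs/tags/example-annotated^{}",  # peeled commit, unchanged
    "b" * 40 + "\trefs/heads/master",               # branch, ignored
])

if __name__ == "__main__":
    drift = moved_tags(BASELINE, parse_ls_remote(SAMPLE_OUTPUT))
    for tag, (old, new) in drift.items():
        print(f"{tag}: recorded {old[:12]} now {new[:12] if new else 'missing'}")
```

The baseline has to store the peeled commit SHA, not the tag object SHA, or every annotated tag will be reported as moved.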
What Was Stolen
The malware delivered via the hijacked tags was designed to exfiltrate CI/CD secrets from the runner environment. In a typical GitHub Actions workflow, this can include:
| Secret Type | Risk |
|---|---|
| GITHUB_TOKEN | Access to repository operations, package publishing |
| Cloud provider credentials (AWS, GCP, Azure) | Infrastructure takeover |
| Container registry tokens | Malicious image publishing |
| Deployment keys | Production environment access |
| API keys (third-party services) | Service account compromise |
| Code signing certificates | Trusted malware distribution |
| Database credentials | Data exfiltration |
Organizations whose CI/CD pipelines used either affected action during the compromise window should assume all secrets exposed to those workflows are compromised.
Scope of the Attack
How Many Pipelines Were Affected?
aquasecurity/trivy-action is one of the most-used security scanning actions on GitHub Marketplace, with downloads in the millions across the GitHub Actions ecosystem. The scale of downstream exposure is potentially enormous, spanning:
- Enterprise security teams running container vulnerability scans
- Open-source projects with security-focused CI pipelines
- Managed security service providers with shared scanning infrastructure
- DevSecOps platforms that bundle Trivy as a scanning component
Second Breach in a Month
This is the second Trivy supply chain compromise in approximately 30 days. The recurrence raises serious questions about:
- Root cause analysis from the first incident — whether it was fully remediated
- Persistence mechanisms the attacker may have maintained between incidents
- Access control posture for the Aqua Security GitHub organization
- Whether the two incidents share the same threat actor or attack vector
Protecting Your Pipelines
Immediate Actions
- Pin to commit SHAs, not tags — replace all uses: aquasecurity/trivy-action@<tag> with the full commit SHA for the version you trust:

```yaml
# Vulnerable (tag can be moved by an attacker)
- uses: aquasecurity/trivy-action@v0.29.0
# Secure (commit SHA cannot be changed)
- uses: aquasecurity/trivy-action@abc123def456... # full 40-char SHA
```

- Rotate all CI/CD secrets exposed in any workflow using the affected actions during the compromise window
- Audit GitHub Actions workflow run logs for unexpected network connections, file writes, or environment variable access patterns
- Check for unauthorized deployments or published packages that may have used stolen credentials
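To find which workflows still need the first action above, the following added example (not code from the article or from Aqua Security) classifies every `uses:` reference in a workflow as pinned to a full commit SHA or left on a mutable tag or branch. The sample workflow and its 40-character SHA are constructed placeholders.

```python
import re

# Actions this article names as affected by the tag hijack.
AFFECTED = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}
# A `uses:` key at the start of a step; commented-out lines do not match.
USES_RE = re.compile(r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*['\"]?([^'\"\s#]+)", re.M)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def audit_workflow(text):
    """Return (action, ref, status) for each remote action a workflow uses."""
    findings = []
    for match in USES_RE.finditer(text):
        target = match.group(1)
        if target.startswith(("./", "docker://")):
            continue  # local actions and container images are not git refs
        action, _, ref = target.partition("@")
        repo = "/".join(action.split("/")[:2])  # owner/repo[/path] -> owner/repo
        if FULL_SHA_RE.fullmatch(ref):
            status = "pinned"            # immutable: a full 40-char commit SHA
        elif repo in AFFECTED:
            status = "mutable-affected"  # tag/branch on a hijacked repository
        else:
            status = "mutable"           # tag/branch that can be repointed
        findings.append((action, ref, status))
    return findings

# Constructed sample workflow; the 40-character SHA is a placeholder.
SAMPLE = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
      - uses: aquasecurity/trivy-action@v0.29.0
      - uses: aquasecurity/setup-trivy@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      # - uses: aquasecurity/trivy-action@master
"""

if __name__ == "__main__":
    for action, ref, status in audit_workflow(SAMPLE):
        print(f"{status:17} {action}@{ref}")
```

Abbreviated SHAs are reported as mutable on purpose, since only the full 40-character form counts as a pin.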
Longer-Term Hardening
```yaml
# Use least-privilege GITHUB_TOKEN permissions
permissions:
  contents: read # Only grant what's needed
# Use environment secrets with approval gates for sensitive operations
environment: production
# Audit all third-party actions in use
# Consider self-hosting critical actions in your own org
```

- Enable secret scanning on all repositories using GitHub's built-in secret scanning or tools like TruffleHog
- Implement OIDC for cloud auth instead of storing long-lived cloud credentials as secrets:

```yaml
# AWS OIDC — no static credentials needed
# The job must grant `id-token: write` under `permissions` to request the OIDC token
# In a real workflow, pin this action to a full commit SHA as well
- uses: aws-actions/configure-aws-credentials@v4
  with:
    role-to-assume: arn:aws:iam::123456789:role/github-actions-role
    aws-region: us-east-1
```

- Monitor for unexpected package publishes — if build pipelines have npm/PyPI/Docker publish access, review publish history for unauthorized releases
Supply Chain Attack Pattern
This incident fits a well-established pattern of developer tooling supply chain attacks that have intensified through 2025-2026:
| Incident | Method | Impact |
|---|---|---|
| Trivy (this incident) | GitHub Actions tag hijacking | CI/CD secret theft |
| Glassworm (March 2026) | VS Code extension poisoning | Developer credential theft |
| Cline CLI OpenClaw (Feb 2026) | npm package tampering | AI agent secret exfiltration |
| UNC6426 nx/npm (March 2026) | npm package supply chain | AWS admin credential theft |
Security tools are high-value targets because they run with elevated permissions, are trusted implicitly, and are deeply embedded in the most sensitive parts of the software development lifecycle.
Trivy Alternatives to Consider
Organizations evaluating supply chain risk may consider diversifying or substituting scanning tooling:
| Tool | Type | Notes |
|---|---|---|
| Grype (Anchore) | Container/filesystem scanner | Active community, GitHub Actions available |
| Snyk | SAST + SCA + container | Commercial with free tier |
| Syft + Grype | SBOM generation + scanning | Open-source, minimal supply chain footprint |
| Semgrep | SAST | Code-focused, widely trusted |
Regardless of which tool is used, pinning to commit SHAs remains the single most important mitigation for GitHub Actions supply chain risk.
Key Takeaways
- Trivy's GitHub Actions were compromised a second time in a month, with 75 tags hijacked to deliver CI/CD secret-stealing malware
- Any pipeline using aquasecurity/trivy-action or aquasecurity/setup-trivy during the window should rotate all CI/CD secrets immediately
- Pinning to commit SHAs instead of tags is the fundamental defense against tag-hijacking supply chain attacks
- CI/CD pipelines represent a critical attack surface — security tooling in particular runs with elevated trust and access
- The repeat compromise raises questions about persistent attacker access or unresolved vulnerabilities in Aqua Security's GitHub posture
- Organizations should audit all third-party GitHub Actions in their workflows and apply the principle of least privilege to all pipeline permissions