Overview
- Aqua Security confirmed that attackers used compromised credentials on March 19 to publish a malicious Trivy release (v0.69.4) and force-push 75 of 76 trivy-action tags plus seven setup-trivy tags, turning common version references into delivery for an infostealer.
- Backdoored binaries appeared on GitHub Releases and major container registries before being removed, with researchers publishing indicators of compromise to help organizations hunt for abuse.
- The malware scrapes runner memory and file systems for environment variables, SSH keys, and cloud and Kubernetes credentials, then encrypts and exfiltrates data to a typosquatted domain (scan.aquasecurtiy[.]org resolving to 45.148.10.212) via a Cloudflare tunnel, with a tpcp-docs GitHub repo fallback.
- Aqua said incomplete, non-atomic secret rotation after an earlier incident likely left residual access that enabled the tag poisoning; investigation and remediation are ongoing.
- Security teams are urged to treat pipeline secrets as compromised, rotate tokens, audit workflows for tainted tags, pin Actions to commit SHAs, block the listed domain and IP, check for tpcp-docs repositories, and use safe versions (trivy 0.69.3, trivy-action 0.35.0, setup-trivy 0.2.6), with no victim breaches reported so far.