
Aqua Security’s Trivy Scanner Compromised in Supply Chain Attack

ID: 925c5cf0-c62c-56da-92c7-e5201e09afd0

STIX ID: report--925c5cf0-c62c-56da-92c7-e5201e09afd0

Feed Name: cybersecurityNews.com

Threat Score
88/100

Date Published: 2026-03-25

Date Updated: 2026-05-05

Author: Guru Baran

...
...

A supply-chain attack on Aqua Security's open-source Trivy scanner (late February to March 2026) leveraged a GitHub Actions misconfiguration and compromised credentials to force-push malicious commits and publish a backdoored Trivy binary (v0.69.4). The backdoor executed before the legitimate scan ran, so that it could collect and exfiltrate CI/CD secrets: cloud credentials, API tokens, SSH and Kubernetes tokens, and Docker configuration. Remediation included credential rotation, removal of the malicious releases, and deleting or repointing the compromised tags; however, the actor retained residual access and the campaign remains active. IOCs (domains, IPs, C2 endpoints, the compromised binary and tags) are provided for hunting and containment.
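Two of the mechanisms above, mutable release tags that the actor could repoint and a specific backdoored Trivy version, are things a pipeline owner can check for mechanically. The script below is an added example, not code from Aqua Security or from the report: it audits a GitHub Actions workflow for `uses:` references that are not pinned to a full 40-character commit SHA and for Trivy install steps that name the compromised release version stated in the summary (0.69.4). The sample workflow, the repository names in it and the 40-hex placeholder SHA are constructed for illustration. It is regex-based so it runs without PyYAML.

```python
"""Audit a GitHub Actions workflow for mutable action refs and a known-bad Trivy version.

Added example (not Aqua Security's code). The only fact taken from the report is the
backdoored Trivy binary version, 0.69.4; everything else here is an assumption.
"""
import re

# Version(s) named as compromised in the report. Extend as new IOCs are published.
COMPROMISED_TRIVY_VERSIONS = {"0.69.4"}

# `uses: owner/repo@ref` lines, with optional list dash and optional quotes.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?', re.M)
# A full commit SHA is the only reference GitHub cannot repoint.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Semantic version with optional leading v, e.g. v0.69.4 in a release URL.
VERSION_RE = re.compile(r"\bv?(\d+\.\d+\.\d+)\b")


def parse_uses(workflow_text):
    """Return (action, ref) pairs for every uses: line; local and docker:// refs get ref None."""
    out = []
    for m in USES_RE.finditer(workflow_text):
        spec = m.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            out.append((spec, None))
            continue
        action, _, ref = spec.partition("@")
        out.append((action, ref or None))
    return out


def is_sha_pinned(ref):
    """True only for a full 40-hex commit SHA; tags and branches are mutable."""
    return bool(ref and SHA_RE.match(ref))


def audit_workflow(workflow_text):
    """Return findings as (kind, detail) tuples, in document order per category."""
    findings = []
    for action, ref in parse_uses(workflow_text):
        if ref is not None and not is_sha_pinned(ref):
            findings.append(("mutable-ref", f"{action}@{ref}"))
    # Only lines that mention trivy are checked for the compromised version,
    # so an unrelated tool at the same version number is not flagged.
    for line in workflow_text.splitlines():
        if "trivy" not in line.lower():
            continue
        bad = [m.group(0) for m in VERSION_RE.finditer(line)
               if m.group(1) in COMPROMISED_TRIVY_VERSIONS]
        if bad:
            findings.append(("compromised-version", bad[0]))
    return findings


# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # pinned
      - name: Install trivy
        run: |
          curl -sSfL https://github.com/aquasecurity/trivy/releases/download/v0.69.4/trivy_0.69.4_Linux-64bit.tar.gz -o trivy.tgz
      - uses: aquasecurity/trivy-action@master
"""

if __name__ == "__main__":
    for kind, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{kind}: {detail}")
```

Pinning to a commit SHA defeats tag repointing because a SHA resolves to fixed content or to nothing at all; it does not help against a backdoor already present at that commit, so the version check and the published IOCs still need to be applied. Run it over every file under `.github/workflows/` and treat any finding as a blocking result in CI.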
