Trivy Supply Chain Attack: What Happened and What You Need to Know
ID: 09f5e3bb-4b8d-5cdd-b0a9-dccb438f4e2f
STIX ID: report--09f5e3bb-4b8d-5cdd-b0a9-dccb438f4e2f
Feed Name: Aqua Security Blog
**Open Source Security Advisory:** On March 19, 2026, attackers with retained access to Trivy's GitHub automation published a malicious Trivy binary (v0.69.4) and force-pushed multiple tags for aquasecurity/trivy-action and setup-trivy. As a result, CI/CD pipelines that used mutable tags executed pre-scan malware that silently exfiltrated secrets (API tokens, cloud credentials, SSH keys, Kubernetes tokens, container registry credentials) to attacker-controlled infrastructure. The advisory includes a timeline, affected components, IOCs, and immediate remediation and hardening guidance.
