Update: Ongoing Investigation and Additional Activity
ID: e2463843-c6eb-5cf8-b7c2-174dff39346a
STIX ID: report--e2463843-c6eb-5cf8-b7c2-174dff39346a
Feed Name: Aqua Security Blog
A supply-chain compromise of the open-source Trivy project and associated GitHub Actions was used to publish malicious releases and tamper with version tags, enabling an attacker to run code in downstream CI/CD pipelines that exfiltrated secrets (API tokens, cloud credentials, SSH/Kubernetes keys, etc.). The advisory details the timeline (initial token theft, tag force-pushes, malicious trivy v0.69.4 release), provides remediation steps (update to known-safe versions, rotate secrets, audit workflows, pin actions to SHAs), and lists IOCs and containment actions.
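The remediation the advisory recommends, pinning actions to commit SHAs rather than tags, matters because a tag or branch is a mutable reference that an upstream attacker can force-push to new code, exactly the tag tampering described above. The following is an added example, not code from the advisory, Aqua Security or the Trivy project: a small audit script that scans a workflow file for `uses:` references and reports any that resolve to a mutable ref. The workflow text and the 40-hex SHA in it are constructed for the demonstration, and the function names are hypothetical.

```python
"""Audit GitHub Actions workflows for actions not pinned to a commit SHA.

Added example (not from the advisory or the Trivy project). A tag such as
`@v4` or a branch such as `@master` is a mutable reference: whoever controls
the upstream repository can force-push it to point at different code. A full
40-character commit SHA (or a container image digest) cannot be retargeted
that way. Function names are hypothetical, chosen for this example.
"""
import re
from typing import List, Tuple

# Constructed sample workflow for demonstration; not a real project's file.
# The SHA on the setup-go line is a made-up placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5
      - uses: aquasecurity/trivy-action@master
      - name: local lint action
        uses: ./.github/actions/lint
      - uses: docker://alpine:3.19
      - run: echo done
"""

# Matches `uses:` entries in workflow steps; the capture stops at whitespace,
# a quote or a trailing `# version` comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)', re.MULTILINE)
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
DOCKER_DIGEST_RE = re.compile(r'@sha256:[0-9a-f]{64}$')


def classify_ref(uses: str) -> str:
    """Return 'local', 'sha', 'mutable' or 'unpinned' for one `uses:` value."""
    if uses.startswith("./"):
        return "local"      # in-repo action: versioned with the repo itself
    if uses.startswith("docker://"):
        # A container image is immutable only when referenced by digest.
        return "sha" if DOCKER_DIGEST_RE.search(uses) else "mutable"
    if "@" not in uses:
        return "unpinned"   # no ref at all; treat like a mutable reference
    _, ref = uses.rsplit("@", 1)
    return "sha" if FULL_SHA_RE.match(ref) else "mutable"


def audit_workflow(text: str) -> List[Tuple[str, str]]:
    """Return (uses_value, classification) for every action in the workflow."""
    return [(uses, classify_ref(uses)) for uses in USES_RE.findall(text)]


def unpinned_actions(text: str) -> List[str]:
    """Return the `uses:` values that should be replaced by SHA-pinned ones."""
    return [uses for uses, status in audit_workflow(text)
            if status in ("mutable", "unpinned")]


if __name__ == "__main__":
    # Run against the constructed workflow and print one line per action.
    for uses, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{status:9} {uses}")
```

Run the script over every file under `.github/workflows/` and treat any `mutable` or `unpinned` result as a finding; after pinning, keep the tag name as a trailing comment (as on the setup-go line) so reviewers can still see which version the SHA corresponds to.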
