
From Scanner to Stealer: Inside the trivy-action Supply Chain Compromise

ID: d0737865-9153-57b7-96d7-da5a5db18c93

STIX ID: report--d0737865-9153-57b7-96d7-da5a5db18c93

Feed Name: Crowdstrike Blog

Threat Score
90/100

Date Published: 2026-03-20

Date Updated: 2026-04-27

Author: Adam Cardillo - Ben Ellett - Travis Lowe - Radu-Emanuel Chiscariu


CrowdStrike uncovered a widespread compromise of the aquasecurity/trivy-action GitHub Action in which attackers repointed git tags to inject a stealthy multi-stage credential stealer into the action's entrypoint. The payload harvests secrets from runners and self-hosted systems, encrypts them with AES-256 and an embedded RSA key, and exfiltrates them either via a typosquatted domain or by creating GitHub release assets; it also installs a quiet loader that polls a command-and-control (C2) server hosted on the Internet Computer. 76 of 77 release tags were found compromised, making this a high-impact supply-chain credential-theft threat.
