Cyber Incident Victim: Aqua Security
Date: Feb 2026
Location: Israel
Summary
Aqua Security's Trivy vulnerability scanner was compromised when attackers injected credential-stealing malware into its official releases and GitHub Actions. The malicious code was added to the trivy-action, the setup-trivy helper and the Trivy binary itself, and the backdoored artifacts were published to GitHub releases, Docker Hub, the GitHub Container Registry and Amazon Elastic Container Registry. When executed, the malicious binary runs the legitimate scanner and the stealer in parallel. The breach followed an earlier compromise in which a personal access token with write permissions was stolen, allowing attackers to delete releases, rename the repository and publish a malicious Visual Studio Code extension; incomplete credential rotation after that incident left some tokens usable. The initial entry point was a misconfigured GitHub Actions workflow that ran on external pull requests and had access to repository secrets. This incident adds to a series of supply-chain attacks targeting GitHub Actions and related developer tools.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In late February 2026 attackers exploited a misconfigured GitHub Actions workflow that had been present in the Trivy repository since October 2025. The workflow, which runs on external pull requests, was granted access to repository secrets. Using this access the attackers stole a personal access token with write permissions, deleted existing releases, renamed the repository, and published a malicious Visual Studio Code extension. After the initial breach the Trivy maintainers rotated credentials, but the rotation was incomplete, leaving some credentials still valid. This gap allowed the attackers to regain access to the Trivy environment later in March.

On March 21 2026 the Trivy maintainers disclosed that three components of the project had been compromised: the trivy-action GitHub Action, the setup-trivy helper action, and the Trivy binary itself. Backdoored versions of these artifacts were published to GitHub releases, Docker Hub, the GitHub Container Registry, and the Amazon Elastic Container Registry. Analysis by Wiz researchers showed that when the malicious binary is executed it launches the legitimate Trivy scanner in parallel with credential‑stealing code. The Trivy project, maintained by Aqua Security, has over 32 000 stars on GitHub and more than 100 million downloads from Docker Hub, and is used in thousands of CI/CD pipelines.
Security firms Socket and Wiz traced the root cause of the second compromise to the incomplete credential rotation after the first breach, which enabled the attackers to reintroduce malicious commits. The same tag manipulation technique used in this incident had previously been seen in the compromise of the tj-actions/changed-files GitHub Action, which affected approximately 23 000 repositories a year earlier. The disclosure noted that the malware is designed to harvest the same kind of credentials that could be used to further compromise supply chains.
The Trivy incident is part of a broader trend of attacks targeting GitHub Actions and developer tooling. In 2025 the GhostAction campaign stole over 3 000 secrets from 327 GitHub users, and an attack on the nx npm package exploited a vulnerable pull_request_target workflow. These events, together with the Trivy compromise, illustrate a recurring pattern of credential theft and supply-chain abuse via misconfigured automation.
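The two weaknesses this record describes, a workflow that runs on external pull requests yet can read repository secrets, and actions referenced by mutable tags that can be moved to a different commit (the technique seen in the tj-actions/changed-files compromise), can both be caught by auditing workflow files before they are merged. The following Python script is an added example written for this page; it is not code from Aqua Security, the Trivy project, or the Wiz and Socket analyses. The two workflow files are constructed samples, the 40-character refs in the hardened version are placeholder SHAs rather than real commits, and the checks are line-based regular expressions rather than a full YAML parse.

```python
import re

# Constructed sample workflows (illustrative only; not taken from the Trivy
# repository). The 40-hex refs in the hardened version are placeholder SHAs.
RISKY_WORKFLOW = """\
name: pr-check
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: aquasecurity/trivy-action@master
      - run: ./scripts/build.sh
        env:
          TOKEN: ${{ secrets.RELEASE_TOKEN }}
"""

HARDENED_WORKFLOW = """\
name: pr-check
on:
  pull_request:
permissions:
  contents: read
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@89abcdef0123456789abcdef0123456789abcdef
      - run: ./scripts/build.sh
"""

# Line-based matching is deliberate: it needs no YAML library and is enough
# for the `uses:`, trigger and expression patterns checked here.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PR_TARGET_RE = re.compile(r"^\s*pull_request_target\s*:", re.M)
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
SECRETS_RE = re.compile(r"\$\{\{\s*secrets\.")


def find_unpinned_actions(workflow_text):
    """Return every `uses:` reference that is not pinned to a full commit SHA.

    A tag or branch ref (v4, master) can be moved to point at a different
    commit; a 40-hex SHA cannot.
    """
    unpinned = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref_spec = m.group(1)
        if ref_spec.startswith(("./", "docker://")):
            continue  # local or container refs are outside this check
        _action, _, ref = ref_spec.partition("@")
        if not SHA_RE.match(ref):
            unpinned.append(ref_spec)
    return unpinned


def audit_workflow(workflow_text):
    """Return a list of findings; an empty list means no issue was detected."""
    findings = []
    if PR_TARGET_RE.search(workflow_text):
        # pull_request_target runs in the base repository's context, so it
        # can read repository secrets even when triggered by an external PR.
        if PR_HEAD_RE.search(workflow_text):
            findings.append(
                "pull_request_target checks out the PR head: untrusted code "
                "runs with access to the base repository's secrets"
            )
        if SECRETS_RE.search(workflow_text):
            findings.append("pull_request_target workflow exposes secrets to a job")
    for ref_spec in find_unpinned_actions(workflow_text):
        findings.append(f"action not pinned to a commit SHA: {ref_spec}")
    return findings


if __name__ == "__main__":
    for name, text in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {audit_workflow(text) or 'no findings'}")
```

Run it as-is to print the findings for both samples, or feed `audit_workflow` the contents of each file under `.github/workflows/` in a repository. The hardened sample shows the two fixes side by side: triggering on `pull_request` instead of `pull_request_target`, so external pull requests do not run with the base repository's secrets, and pinning every action to a commit SHA so a moved tag cannot swap in different code.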
