Last updated 4 weeks ago
Aqua Security, a cloud-native security provider, experienced a supply chain attack targeting its open-source Trivy vulnerability scanner in March 2026. The attack compromised CI/CD workflows to deploy an infostealer designed to harvest sensitive credentials and secrets from development environments.
The confirmed attack chain involved the threat actor compromising the Trivy security tool so that it injected malicious code into the CI/CD pipelines that ran it. The infostealer targeted cloud credentials, SSH keys, authentication tokens, and other sensitive secrets stored within development and deployment systems. The attack exploited the trust placed in widely used security scanning tools to gain access to critical infrastructure credentials.
Aqua Security has released updated versions of Trivy with the malicious code removed and is working with affected organizations to rotate compromised credentials. The company has implemented additional security controls for its open-source projects and is conducting a comprehensive security review of its development and distribution processes.
Threat actor compromised the open-source Trivy vulnerability scanner to deploy an infostealer into CI/CD workflows
This breach demonstrates that security tools themselves can become attack vectors when they are compromised through a supply chain attack. Organizations must implement additional verification layers for security tools in CI/CD pipelines, including code signing verification and runtime behavior monitoring. The incident highlights the critical need for credential rotation capabilities and secrets management solutions that can respond quickly to credential exposure events.
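One concrete form of the "additional verification layer" described above is to pin the expected digest of every tool binary a pipeline downloads and to refuse to execute it on mismatch, so a tampered release cannot run unnoticed. The following is an added example written for this page; it is not code from Aqua Security or the Trivy project, and it uses a constructed stand-in "scanner" script and a constructed bad hash instead of a real release artifact.

```shell
#!/bin/sh
# Added example (not from the page, Aqua Security or Trivy): pin the expected
# SHA-256 of a CI tool binary and refuse to run it on mismatch.

# verify_artifact FILE EXPECTED_SHA256 -> returns 0 on match, 1 otherwise.
verify_artifact() {
  file="$1"
  expected="$2"
  [ -f "$file" ] || { echo "missing artifact: $file" >&2; return 1; }
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "integrity check failed for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  return 0
}

# run_pinned_tool FILE EXPECTED_SHA256 [args...]: execute only after the
# digest check passes; any mismatch aborts before the tool touches the
# pipeline's secrets.
run_pinned_tool() {
  tool="$1"
  pinned="$2"
  shift 2
  verify_artifact "$tool" "$pinned" || return 1
  "$tool" "$@"
}

# Constructed demo fixture: a tiny script standing in for a downloaded
# scanner binary, plus its "known good" digest computed at pin time.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho "scanning $*"\n' > "$demo_dir/scanner"
chmod +x "$demo_dir/scanner"
GOOD_SUM=$(sha256sum "$demo_dir/scanner" | cut -d' ' -f1)
# Constructed digest representing a pin that no longer matches the artifact
# (the situation a swapped or tampered release would produce).
BAD_SUM=0000000000000000000000000000000000000000000000000000000000000000

# Stand-alone run: the good pin executes the tool, the bad pin is refused.
run_pinned_tool "$demo_dir/scanner" "$GOOD_SUM" registry.example/app:1.0
run_pinned_tool "$demo_dir/scanner" "$BAD_SUM" registry.example/app:1.0 || echo "refused to run tampered artifact"
```

In a real pipeline the pinned digest comes from the release you vetted and is committed alongside the workflow, so a change to it shows up in code review rather than being fetched at run time; a digest pin proves the file is the one you reviewed but not who published it, so pairing it with a signature check (for example `cosign verify-blob` against the publisher's key) and with monitoring of the tool's outbound network activity covers the authenticity and runtime-behavior layers the text calls for.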