OverField
← All investigations

Trivy Supply Chain Compromise

88% confidence 7.4/10 March 22, 2026
Specificity 8
Insight 6
Sourcing 8
Clarity 8
Forward 7
Excellent fact-gathering and attribution, but reads like incident summary rather than analysis—doesn't explain *why* this matters or what it reveals about supply chain defense failures.
First Approximation

What actually happened: Aqua Security's Trivy — one of the most widely used open-source vulnerability scanners (33,200+ GitHub stars) — was compromised twice in March 2026. The critical incident occurred on March 19, 2026, when threat actors used stolen credentials to push a malicious v0.69.4 release and hijack 75 GitHub Actions tags, injecting credential-stealing malware targeting CI/CD pipeline secrets across developer organizations. What's confirmed: The attack timeline, mechanism (force-pushed tags, spoofed commits impersonating known developers), and maintainer acknowledgment are all verified across multiple independent sources. What matters most: Any organization running `aquasecurity/trivy-action` or `aquasecurity/setup-trivy` in their CI/CD pipelines during March 19, 2026 should treat their pipeline secrets as compromised — the full downstream blast radius remains unknown.

The March 19 attack was sophisticated: threat actors obtained valid credentials, used them to force-push malicious commits to GitHub Actions tags, spoofed author identities to evade detection, and deleted the prior compromise discussion to suppress institutional memory. The malware was designed to steal CI/CD secrets — meaning any secrets (API keys, cloud credentials, tokens) stored in affected pipelines are potentially compromised.

1. Downstream victims: No confirmed list of affected organizations or evidence of secondary breaches from stolen secrets 2. Attribution: "TeamPCP" identified as the threat actor for March 19, but no further attribution confirmed 3. Credential source: How the attacker obtained the initial credentials to push to the repository is unconfirmed 4. Official post-mortem: Aqua Security has not published a comprehensive incident report (as of investigation date) 5. Scope of secret theft: Which CI/CD secrets were exfiltrated and how many pipelines were affected

The attack facts are solid. The unknown damage radius is the primary uncertainty.

Verified Events
March 19, 2026
On March 19-20, 2026, threat actors (self-identifying as TeamPCP) compromised Aqua Security's Trivy open-source vulnerability scanner via a supply chain attack, force-pushing malicious code to virtually all trivy-action and setup-trivy GitHub Actions tags using stolen credentials.
March 20, 2026
Trivy maintainer Itay Shakury publicly confirmed the compromise of the Trivy scanner following the March 2026 supply chain attack.
Evidence Structure
0 verified 0 contested 10 unverified
Unverified
The threat actor used stolen credentials to force-push malicious dependencies to all but one trivy-action tag and seven setup-trivy tags.
Ars Technica
Hackers compromised virtually all versions of Aqua Security's Trivy vulnerability scanner in an ongoing supply chain attack.
Ars Technica
Trivy maintainer Itay Shakury confirmed the compromise of the Trivy scanner.
Ars Technica
Trivy has 33,200 stars on GitHub, indicating it is widely used by developers.
Ars Technica
The attackers used force-pushed tags via GitHub Actions to enable data theft and persistence across developer systems.
The Hacker News
Trivy's GitHub Actions were breached in a supply chain attack, with 75 tags hijacked to steal CI/CD secrets.
The Hacker News
The threat actor made imposter commits to actions/checkout and aquasecurity/trivy by spoofing users rauchg and DmitriyLewen respectively.
Wiz
The March 19, 2026 Trivy compromise is a separate incident from an earlier March attack in which hackbot-claw exploited a PWN request.
Wiz
Threat actors compromised Aqua Security's Trivy vulnerability scanner on March 19, 2026, injecting credential-stealing malware into official releases and GitHub Actions.
Wiz
The malicious Trivy v0.69.4 release tag was pushed at 17:43:37 UTC on March 19, 2026.
Wiz
Findings
fact
Trivy Suffered Two Separate Compromises in March 2026
Aqua Security's Trivy vulnerability scanner was compromised twice in March 2026. The first incident occurred on February 28 / early March, when a threat actor called "hackbot-claw" exploited a PWN request for a repository takeover. The second, more severe incident occurred on March 19, 2026 at 17:43:37 UTC, when the group "TeamPCP" pushed a malicious v0.69.4 release tag and compromised aquasecurity/trivy-action and aquasecurity/setup-trivy GitHub Actions by force-pushing malicious dependencies to 75 hijacked tags. The attackers spoofed commits from known developers (rauchg and DmitriyLewen) and used stolen credentials to steal CI/CD secrets. Trivy maintainer Itay Shakury confirmed the compromise. The original incident disclosure thread (#10265) was also deleted during the attack.
What We Don't Know
data — Confirmed list of downstream organizations breached via exfiltrated CI/CD secrets from the Trivy compromise
The attack targeted CI/CD pipelines of any organization using Trivy GitHub Actions — knowing which organizations were impacted and whether stolen secrets led to further breaches is critical for assessing real-world damage
Connected Investigations
unexpected structural
AI Tool Unreliability and Supply Chain Attack Converge on Same Infrastructure Week
In the week of March 19-22, 2026, Trivy — a tool used by developer teams to assess software security — was compromised, potentially corrupting CI/CD secrets across thousands of organizations. Simultaneously, a WSU study confirmed ChatGPT gives contradictory answers to identical scientific questions. Both findings target the same underlying trust layer: automated tools that developers and researchers rely on to verify correctness are demonstrably unreliable, one through adversarial compromise, one through inherent stochasticity. Organizations using Trivy to 'verify' security may have been doing so with a compromised verifier while using ChatGPT to interpret results.
Connecting: Trivy Supply Chain Compromise + ChatGPT Scientific Reasoning Limitations
unexpected cascading
Trivy Compromise and ChatGPT Inconsistency Both Undermine the Same Emerging Workflow
Security teams increasingly combine automated vulnerability scanners (like Trivy) with LLM-assisted analysis (like ChatGPT) to triage findings. The Trivy compromise means scanner outputs during the March 19 window cannot be trusted. The WSU study means ChatGPT-assisted interpretation of those outputs is itself unreliable — giving contradictory answers to identical questions. Any organization that used this combined workflow during the compromise window faces a double epistemic failure: the data was potentially poisoned AND the tool used to reason about it is demonstrably inconsistent. No coverage has noted this compounding vulnerability.
Connecting: Trivy Supply Chain Compromise + ChatGPT Scientific Reasoning Limitations
Sources Referenced