Trivy Security Scanner Just Became a Supply Chain Weapon

Aqua Security’s Trivy scanner, used by hundreds of thousands of CI/CD pipelines, was weaponized twice in three weeks. The attacker hijacked 75 GitHub Action tags,  published a malicious binary as v0.69.4,  defaced 44 internal Aqua repos,  and unleashed a self-propagating npm worm across 47+ packages. Pipelines appeared to run normally throughout.

Here’s our full impact assessment,  what happened,  and what to do now.

📖 Also read: Inline Prevention vs. Post-Attack Mitigation, Why Detection Isn’t Enough

AccuKnox Impact Assessment, What’s Safe,  What Needs Action

Action Required, Two Specific Scenarios

1. container-scan-action users on v1.0.0 If you’re running container-scan-action at exactly v1.0.0,  your environment is compromised. Upgrade immediately to any version above v1.0.0.

2. Agentless VM scanning (Terraform-provisioned), March 19–23 If your scanning VM was created using Terraform between March 19–23,  2026,  it is compromised. Rebuild the VM outside this window and revalidate all scan results from that period.

📞 Book a 30-minute remediation call, our team will walk through your specific setup and confirm there is no residual impact. Schedule here →

What This Attack Did at Scale + Supply Chain Breach Timeline

Inside the Payload, What the Malware Did

The stealer injected into the “Setup environment” step ran before legitimate Trivy logic, scans completed normally with no errors.

Five-stage execution:

1. Scan /proc/*/environ for SSH keys and environment secrets
2. Read Runner.Worker process memory via /proc/<pid>/mem,  extracting every secret marked isSecret: true
3. Sweep the filesystem for: AWS/GCP/Azure creds,  SSH keys,  K8s secrets,  Docker configs,  Terraform state,  database credentials,  crypto wallets (Solana,  Bitcoin,  Ethereum,  Cardano),  SSL private keys,  shell histories
4. Encrypt with RSA-4096 + AES-256-CBC
5. Exfiltrate, primary to scan.aquasecurtiy[.]org; fallback creates a tpcp-docs repo on the victim’s own GitHub account using the stolen INPUT_GITHUB_PAT

⚠ Lateral movement: Post-access,  attackers created new workflows in new branches to exfiltrate secrets from additional repositories. The blast radius extends beyond the first pipeline.

AccuKnox Tool to Check if Any Of Your Repos Using Trivy Are In Danger

Worried about the Trivy supply chain compromise (CVE-2026-33634)? Run AccuKnox’s open-source gh-audit tool locally to instantly see which of your repos are affected, what needs fixing, and the exact steps to remediate — all in one shot.

👉 https://github.com/accuknox/gh-audit/tree/trivy

Root Cause, Three Failures

1. Incomplete credential rotation. Aqua rotated secrets non-atomically after the first breach. Residual credentials gave the attacker a three-week window to regroup and strike harder.

2. Mutable tags trusted as immutable. Version tags like @v0.33.0 can be silently rewritten to point at any commit, no Git exploit needed,  just valid credentials. Thousands of pipelines never noticed.

3. Five years of acquisition debt. Argon-DevOps-Mgt, a service account from Aqua’s 2021 acquisition: PAT auth,  no MFA,  cross-org GitHub access. Nobody audited it because it worked. Until it didn’t.

Aqua’s own product lists CI/CD pipeline integrity,  SBOM signing,  and least-privilege DevOps enforcement as core features. This attack bypassed all three.

📖 Related: Cloud Security Strategy, Why Posture Alone Isn’t Enough

Why AccuKnox’s Architecture Blocks This Attack Class

Our core platform was unaffected for a reason, it’s built around prevention,  not detection. Here’s how each layer would have stopped this attack against any organization running AccuKnox.

1. Layer 1, Runtime enforcement (KubeArmor + eBPF) Reading /proc/<pid>/mem,  spawning Python subprocesses,  making unexpected HTTPS calls, all trigger immediate kernel-level blocking against AccuKnox’s auto-generated zero-trust baseline.
2. Layer 2, Zero-trust outbound network control A CI runner’s expected destinations are finite. AccuKnox blocks every unexpected outbound connection inline. scan.aquasecurtiy[.]org never gets a packet. See how this works in our Kubernetes security architecture overview.
3. Layer 3, CI/CD pipeline integrity AccuKnox detects imposter commits, Action tags pointing to commits that don’t belong to any branch. This is the exact pattern both trivy-action and setup-trivy used.
4. Layer 4, SBOM + artifact attestation Any deviation from signed,  attested provenance, like a tag silently pointing to a different commit, triggers an immediate policy violation before execution. Read more in our ASPM Definitive Guide.

📖 Deep dive: Runtime Security for AI Agents, Whitepaper

AccuKnox vs. Aqua Security

📄 Download the full comparison: AccuKnox vs. Aqua Security, 1-Pager PDF

Free 30-minute Remediation and Migration Assessment

Scanners detect threats after they’re inside. They can’t stop a compromised scanner from stealing secrets,  block unexpected C2 connections,  or enforce kernel-level zero-trust.

When the scanner is the attack vector,  detection-first security has already lost.

AccuKnox enforces prevention at runtime, blocking anomalous behavior before any credential leaves your environment,  regardless of what’s running in your pipeline. This is the core argument of Gen 3.0 Cloud Security: the industry is moving from detect-and-respond to prevent-and-prove.

📘 Read next: 2026 CNAPP eBook · Zero Trust Agentic AI Security · AppSec + CloudSec Unified Guide

We’ll walk through your setup,  confirm your exposure,  and get you on a runtime-first footing.

• Book now: accuknox.com/request-demo
• Compare head-to-head: AccuKnox vs. Aqua Security PDF
• Explore the platform: CNAPP · CWPP · ASPM · Kubernetes Security · AI Security
• Contact Us: [email protected]

FAQs