Infrastructure

Trivy under attack again: widespread GitHub Actions tag compromise targets CI secrets

Supply chain attack compromised 75 of 76 Trivy-action GitHub Actions tags, injecting an infostealer payload into a widely-used CI/CD security scanning tool relied on by 10,000+ workflows.

Tuesday, March 24, 2026, 12:00 PM UTC | 2 min read | Source: Hacker News | By sys://pipeline

A supply chain attack compromised 75 of 76 version tags in the official `aquasecurity/trivy-action` GitHub Actions repository, injecting an infostealer payload into a widely used CI/CD security scanning tool. With 10,000+ workflow files referencing the action, any pipeline that referenced it by a version tag rather than a full commit SHA was potentially exposed: tags are mutable and were retargeted, so a workflow's `uses:` line kept resolving to whatever the attacker had pushed. This is the second Trivy compromise in March 2026; malicious Docker Hub images (tags 0.69.4–0.69.6) were also identified.
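The practical check after an incident like this is to find every workflow that references the action by a mutable tag or branch instead of a 40-character commit SHA, and every job that pulls one of the reported image tags. The script below is an added example, not code from the article or from the Trivy project. It scans workflow text with regular expressions (no YAML dependency), treats `aquasecurity/trivy-action` as the watched action, and assumes the Docker Hub repository is `aquasec/trivy` (the article names only the tags 0.69.4 to 0.69.6). The sample workflow, its tag value `0.28.0` and the 40-hex placeholder SHA are constructed for the example.

```python
import re

# Added example: audit GitHub Actions workflow text for
#   1. `uses:` references to aquasecurity/trivy-action that are not pinned to a
#      full commit SHA (a tag or branch can be retargeted; a SHA cannot), and
#   2. references to Trivy container image tags the article reports as malicious.
# Assumption: the Docker Hub repository name is `aquasec/trivy`; the article
# only lists the tags.

USES_RE = re.compile(
    r"uses:\s*['\"]?([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_./-]+)?)@([^\s'\"#]+)"
)
IMAGE_RE = re.compile(r"\b(aquasec/trivy):([A-Za-z0-9_.-]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

WATCHED_ACTIONS = {"aquasecurity/trivy-action"}
BAD_IMAGE_TAGS = {"0.69.4", "0.69.5", "0.69.6"}  # from the article


def audit_workflow(text):
    """Return (line_number, kind, reference) findings for one workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.search(line)
        if m:
            action, ref = m.group(1), m.group(2)
            repo = "/".join(action.split("/")[:2])  # drop any sub-path
            if repo in WATCHED_ACTIONS and not FULL_SHA_RE.match(ref):
                findings.append((lineno, "unpinned", f"{action}@{ref}"))
        m = IMAGE_RE.search(line)
        if m and m.group(2) in BAD_IMAGE_TAGS:
            findings.append((lineno, "malicious-image-tag", f"{m.group(1)}:{m.group(2)}"))
    return findings


# Constructed sample workflow; the tag 0.28.0 and the SHA are placeholders.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Trivy pinned to a mutable release tag (exposed)
        uses: aquasecurity/trivy-action@0.28.0
      - name: Trivy pinned to a branch (exposed)
        uses: aquasecurity/trivy-action@master
      - name: Trivy pinned to a full commit SHA (placeholder value, not a real commit)
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - name: Trivy CLI image with a tag the article reports as malicious
        run: docker run --rm aquasec/trivy:0.69.5 image alpine:3.20
      - uses: docker://aquasec/trivy:0.69.4
"""


def main():
    for lineno, kind, ref in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {kind}: {ref}")


if __name__ == "__main__":
    main()
```

Run it over `.github/workflows/*.yml` across your repositories and treat every `unpinned` hit as exposed for the window the tags were retargeted; replacing the tag with a reviewed commit SHA stops the next retargeting, but any secrets the affected runs could read still need rotating. The SHA check is intentionally strict: a short SHA or a `v` prefix is still a mutable reference from the resolver's point of view.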

Tags
infrastructure