Description
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits. This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have use a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack. Affected components include the `aquasecurity/trivy` Go / Container image version 0.69.4, the `aquasecurity/trivy-action` GitHub Action versions 0.0.1 – 0.34.2 (76/77), and the`aquasecurity/setup-trivy` GitHub Action versions 0.2.0 – 0.2.6, prior to the recreation of 0.2.6 with a safe commit. Known safe versions include versions 0.69.2 and 0.69.3 of the Trivy binary, version 0.35.0 of trivy-action, and version 0.2.6 of setup-trivy. Additionally, take other mitigations to ensure the safety of secrets. If there is any possibility that a compromised version ran in one's environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately. Check whether one's organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately. Review all workflows using `aquasecurity/trivy-action` or `aquasecurity/setup-trivy`. Those who referenced a version tag rather than a full commit SHA should check workflow run logs from March 19–20, 2026 for signs of compromise. Look for repositories named `tpcp-docs` in one's GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen. Pin GitHub Actions to full, immutable commit SHA hashes, don't use mutable version tags.
Published: 2026-03-23
Score: 9.4 Critical
EPSS: 21.2% Moderate
KEV: Yes
Impact: Supply chain compromise leading to credential theft and malicious code execution
Action: Immediate Patch
AI Analysis

Impact

A malicious actor compromised credentials and used them to publish a malicious release of Trivy version 0.69.4, force‑push 76 of 77 tags in the aquasecurity/trivy-action repository to malware, and replace all seven tags in aquasecurity/setup‑trivy with malicious commits. This attack enabled the attacker to inject unauthorized code into users’ CI pipelines and potentially exfiltrate secrets during the credential‑rotation window. The core weakness is a supply‑chain code‑injection vulnerability (CWE-506) that allows injection of malicious code through tampered CI workflow tags. The consequence is that any pipeline relying on these tags could execute attacker‑controlled code with the same permissions as the pipeline runner, leading to credential theft, data exfiltration, and further compromise of downstream systems.

Affected Systems

Affected components include the Aquasec Trivy binary in container image version 0.69.4, the aquasecurity/trivy‑action GitHub Action versions 0.0.1 through 0.34.2 (76 of 77 tags), and the aquasecurity/setup‑trivy Action versions 0.2.0 through 0.2.5. Safe releases are Trivy 0.69.2 and 0.69.3, trivy‑action 0.35.0, and setup‑trivy 0.2.6. The CVE also lists versions 1.82.7 and 1.82.8 of the Litellm library and 4.87.1 and 4.87.2 of the Telnyx Python client as potentially affected by supply‑chain tampering, though the primary compromise centers on the Trivy ecosystem.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.4 and an EPSS probability of 21 %, and it is listed in the CISA Known Exploited Vulnerabilities catalog, indicating that active exploitation is likely. Attackers exploited the supply‑chain path by pushing malicious tags under valid credentials; if a project pulled the vulnerable tags without pinning to a specific commit SHA, the action would run the attacker’s code. During the short period when compromised tokens were still active, the attacker could exfiltrate newly rotated secrets, granting persistent access. Detection relies on reviewing workflow runs from March 19–20, 2026 and inspecting for suspicious revisions or the presence of a tpcp‑docs repository. The attack vector is ultimately remote code execution triggered by tampered CI/CD artifacts, with widespread impact on any systems executing the compromised actions.

Generated by OpenCVE AI on March 30, 2026 at 20:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Aquasec Trivy to a safe release (0.69.2 or 0.69.3) and upgrade or roll forward to trivy‑action 0.35.0 and setup‑trivy 0.2.6; do not use version 0.69.4 or any unvalidated tags.
  • Verify that no installations of Trivy v0.69.4 or the compromised GitHub Action tags were installed or run; remove any affected artifacts immediately.
  • Pin every GitHub Actions reference to a full, immutable commit SHA instead of a mutable version tag to prevent future tampering.
  • Rotate all secrets that may have passed through a pipeline while the vulnerable tags were active; treat any credentials accessed during the compromised period as exposed.
  • Review run logs from March 19–20 2026 for tampered commits, look for a repository named tpcp‑docs in your organization, and audit any suspicious activity.
  • For users of Litellm or Telnyx Python clients, check for any unexpected package versions and upgrade to the latest safe releases, ensuring no tampered files were pulled.
  • If the supply chain remains uncertain, disable the affected Actions from March 19–20 2026 until all pipelines are verified as clean and credentials are rotated.

Generated by OpenCVE AI on March 30, 2026 at 20:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-69fq-xp46-6x23 Trivy ecosystem supply chain was briefly compromised
History

Mon, 30 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Telnyx
Telnyx telnyx
CPEs cpe:2.3:a:telnyx:telnyx:4.87.1:*:*:*:*:python:*:*
cpe:2.3:a:telnyx:telnyx:4.87.2:*:*:*:*:python:*:*
Vendors & Products Telnyx
Telnyx telnyx

Mon, 30 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
References

Fri, 27 Mar 2026 04:00:00 +0000

Type Values Removed Values Added
References

Thu, 26 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Aquasec
Aquasec setup-trivy
Aquasec trivy
Aquasec trivy Action
Litellm
Litellm litellm
CPEs cpe:2.3:a:aquasec:setup-trivy:*:*:*:*:*:*:*:*
cpe:2.3:a:aquasec:trivy:0.69.4:*:*:*:*:go:*:*
cpe:2.3:a:aquasec:trivy_action:*:*:*:*:*:*:*:*
cpe:2.3:a:litellm:litellm:1.82.7:*:*:*:*:*:*:*
cpe:2.3:a:litellm:litellm:1.82.8:*:*:*:*:*:*:*
Vendors & Products Aquasec
Aquasec setup-trivy
Aquasec trivy
Aquasec trivy Action
Litellm
Litellm litellm
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 26 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-03-26T00:00:00+00:00', 'dueDate': '2026-04-09T00:00:00+00:00'}

Wed, 25 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
References

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Aquasecurity
Aquasecurity setup-trivy
Aquasecurity trivy
Aquasecurity trivy-action
Vendors & Products Aquasecurity
Aquasecurity setup-trivy
Aquasecurity trivy
Aquasecurity trivy-action

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Description Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits. This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have use a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack. Affected components include the `aquasecurity/trivy` Go / Container image version 0.69.4, the `aquasecurity/trivy-action` GitHub Action versions 0.0.1 – 0.34.2 (76/77), and the`aquasecurity/setup-trivy` GitHub Action versions 0.2.0 – 0.2.6, prior to the recreation of 0.2.6 with a safe commit. Known safe versions include versions 0.69.2 and 0.69.3 of the Trivy binary, version 0.35.0 of trivy-action, and version 0.2.6 of setup-trivy. Additionally, take other mitigations to ensure the safety of secrets. If there is any possibility that a compromised version ran in one's environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately. Check whether one's organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately. Review all workflows using `aquasecurity/trivy-action` or `aquasecurity/setup-trivy`. Those who referenced a version tag rather than a full commit SHA should check workflow run logs from March 19–20, 2026 for signs of compromise. Look for repositories named `tpcp-docs` in one's GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen. Pin GitHub Actions to full, immutable commit SHA hashes, don't use mutable version tags.
Title Trivy ecosystem supply chain briefly compromised
Weaknesses CWE-506
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Aquasec Setup-trivy Trivy Trivy Action
Aquasecurity Setup-trivy Trivy Trivy-action
Litellm Litellm
Telnyx Telnyx
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T14:40:28.027Z

Reserved: 2026-03-23T14:24:11.619Z

Link: CVE-2026-33634

cve-icon Vulnrichment

Updated: 2026-03-24T15:09:41.970Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-23T22:16:31.290

Modified: 2026-03-30T18:50:38.270

Link: CVE-2026-33634

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T20:58:12Z

Weaknesses