Hackers Hijack Trivy Scanner: Dev Pipelines at Risk
21 Mar
Summary
- Attackers force-pushed malicious dependencies to Trivy tags.
- Compromised versions exfiltrate sensitive data from dev pipelines.
- Attack stems from a prior compromise of Trivy's GitHub credentials.

A significant supply chain attack has compromised Aqua Security's Trivy vulnerability scanner, a tool widely used by developers. Threat actors force-pushed malicious dependencies to numerous Trivy version tags, overriding crucial safety mechanisms. The malicious code actively searches development pipelines and developer machines for sensitive information such as GitHub tokens, cloud credentials, and SSH keys.
The attackers, identifying themselves as Team PCP, exploited residual access from a prior compromise of Trivy's GitHub account credentials. Instead of typical repository poisoning, they used a stealthier method: force-pushing existing tags so that they pointed at malicious commits. This tactic allowed the compromise to bypass many standard security defenses.
Security firms Socket and Wiz reported that the malware executes legitimate Trivy functions alongside its data-stealing activities. It exfiltrates gathered secrets to an attacker-controlled server, potentially causing severe fallout for organizations relying on the scanner. Maintainers have since worked to remove malicious artifacts, but users are urged to treat all pipeline secrets as compromised and rotate them immediately.
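The attack described above works because a Git tag is a mutable pointer: a force-push can silently move a tag such as `v0.59.1` to a different commit while every pipeline that references the tag keeps pulling "the same version". The following script is an added example, not code from the article, from Aqua Security or from the Trivy project. It assumes you record a baseline of tag-to-commit SHA pairs when you first pin a tool in CI, and that you later compare that baseline against the output of `git ls-remote --tags <repo>`; the ls-remote output, baseline SHAs and tag names below are constructed for illustration.

```python
"""Detect Git tags that have been moved to a different commit (tag retargeting).

Added example; not part of the article or of Trivy's own tooling. It assumes a
stored baseline of tag -> commit SHA pairs and compares it against the output of
`git ls-remote --tags`. All SHAs, tags and the ls-remote text are constructed.
"""
import re

# Constructed baseline: commit SHAs the tags pointed at when the tool was pinned.
BASELINE = {
    "v0.58.0": "1111111111111111111111111111111111111111",
    "v0.59.1": "2222222222222222222222222222222222222222",
    "v0.60.0": "4444444444444444444444444444444444444444",  # peeled commit of an annotated tag
    "v0.61.0": "5555555555555555555555555555555555555555",
}

# Constructed sample of `git ls-remote --tags` output. Annotated tags produce two
# lines: the tag object itself and a peeled ^{} line naming the commit it points at.
# v0.59.1 has been moved to a new commit; v0.61.0 has been deleted from the remote.
SAMPLE_LS_REMOTE = """\
1111111111111111111111111111111111111111\trefs/tags/v0.58.0
deadbeefdeadbeefdeadbeefdeadbeefdeadbeef\trefs/tags/v0.59.1
3333333333333333333333333333333333333333\trefs/tags/v0.60.0
4444444444444444444444444444444444444444\trefs/tags/v0.60.0^{}
"""

LINE_RE = re.compile(r"^([0-9a-f]{40})\s+refs/tags/([^\^\s]+)(\^\{\})?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_ls_remote(text):
    """Return {tag: commit_sha}, using the peeled ^{} line for annotated tags so that
    the comparison is always against the commit, never the tag object."""
    tags, peeled = {}, {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        sha, tag, is_peeled = match.groups()
        if is_peeled:
            peeled[tag] = sha
        else:
            tags.setdefault(tag, sha)
    tags.update(peeled)
    return tags


def find_retargeted_tags(baseline, current):
    """Return a sorted list of (tag, expected_sha, actual_sha) for every baseline tag
    whose commit differs from the remote. actual_sha is None when the tag is gone."""
    findings = []
    for tag, expected in sorted(baseline.items()):
        actual = current.get(tag)
        if actual != expected:
            findings.append((tag, expected, actual))
    return findings


def is_immutable_ref(ref):
    """True only for a full 40-hex commit SHA. Pinning CI references this way, rather
    than by tag, is the mitigation: a force-pushed tag cannot move a commit SHA."""
    return bool(FULL_SHA_RE.match(ref))


if __name__ == "__main__":
    current = parse_ls_remote(SAMPLE_LS_REMOTE)
    for tag, expected, actual in find_retargeted_tags(BASELINE, current):
        state = "MISSING" if actual is None else f"moved to {actual}"
        print(f"ALERT {tag}: expected {expected}, {state}")
    print("pinned by SHA:", is_immutable_ref(BASELINE["v0.58.0"]))
    print("pinned by tag:", is_immutable_ref("v0.59.1"))
```

In a real pipeline you would replace `SAMPLE_LS_REMOTE` with the captured output of `git ls-remote --tags` against the upstream repository and fail the build on any finding; the check only has value if the baseline was recorded from a trusted state and is itself stored somewhere the build's own credentials cannot rewrite.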