Trivy Tag Compromise Supply Chain Attack
Summary
A recent supply chain incident involving Trivy resulted in the distribution of a malicious release v0.69.4 after attackers compromised the project’s release process via GitHub. The attacker manipulated Git tags to point to unauthorized code, effectively bypassing normal trust assumptions tied to versioned releases. This event follows an earlier Trivy-related security issue but represents a distinct and more targeted attack on release integrity, where users consuming tagged versions were exposed to tampered artifacts. This has been reported as being actively exploited.
Affected Systems and/or Applications
- Aqua Security Trivy
Systems installing or upgrading to:
- Trivy v0.69.4 (malicious release)
CI/CD pipelines relying on:
- GitHub tags (e.g., v0.69.4)
- Automated dependency updates or container builds
Developer environments consuming:
- GitHub releases without signature validation
Technical Details
Vulnerability Mechanism
The attackers exploited control over the repository’s release process, specifically the ability to manipulate Git tags and associated release artifacts. By reassigning the trusted version identifier v0.69.4 to malicious code, they were able to bypass traditional trust mechanisms that rely on semantic versioning and tagged releases. This allowed the malicious version to appear legitimate to both users and automated systems without requiring changes to the visible development workflow or source code review process.
Observed Exploitation Path
After obtaining sufficient access to the repository, the attacker modified the Git tagging structure to introduce or overwrite the v0.69.4 tag, pointing it to a malicious commit outside the expected code lineage. This effectively weaponized the tag itself, transforming it into a delivery mechanism for attacker-controlled code while retaining the appearance of a valid release.
With the tag in place, the attacker ensured that a corresponding GitHub release was available and associated with the compromised tag. This release contained malicious binaries that, when executed, performed unauthorized data exfiltration activities. Specifically, the binaries attempted to collect sensitive information from the execution environment, including environment variables, configuration data, and authentication tokens, and transmit this data to attacker-controlled infrastructure.
The malicious binaries are particularly dangerous in CI/CD environments, where Trivy is commonly executed with access to:
- Repository contents
- CI secrets (e.g., API keys, tokens)
- Cloud credentials exposed as environment variables
Upon execution, the payload leveraged this access to extract available sensitive data and initiate outbound network connections to exfiltrate it. Because these actions occurred within legitimate pipeline executions, they could blend in with normal network activity and evade immediate detection.
The success of the attack relied heavily on downstream automation. CI/CD pipelines and developer workflows that referenced v0.69.4, either through GitHub Actions (a uses: reference to an aquasecurity action at the v0.69.4 tag) or direct Git operations, automatically retrieved and executed the compromised version. This meant the attacker did not need to directly target individual systems; instead, they leveraged existing update mechanisms to propagate the malicious code broadly and efficiently.
Once executed, the compromised Trivy binary operated within highly trusted contexts such as build pipelines and security scanning processes. In these environments, the tool often has broad access to sensitive data, significantly increasing the potential impact of the exfiltration behavior.
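One way to detect the tag reassignment described above, as an added example rather than code from this advisory or the Trivy project: record the commit each tag resolved to when it was vetted, then compare that baseline with current `git ls-remote --tags` output. The tag names, SHAs and baseline below are constructed placeholders.

```python
import re

# Constructed `git ls-remote --tags` output; tag names and SHAs are placeholders.
SAMPLE_LS_REMOTE = "\n".join([
    "1" * 40 + "\trefs/tags/v1.0.0",
    "2" * 40 + "\trefs/tags/v1.1.0",       # annotated tag object
    "3" * 40 + "\trefs/tags/v1.1.0^{}",    # commit the annotated tag points to
    "9" * 40 + "\trefs/tags/v1.2.0",
])

# Hypothetical baseline: commit each tag resolved to when it was first vetted.
BASELINE = {"v1.0.0": "1" * 40, "v1.1.0": "3" * 40, "v1.2.0": "4" * 40}

TAG_LINE = re.compile(r"^([0-9a-f]{40})\s+refs/tags/(.+?)(\^\{\})?$")


def resolve_tags(ls_remote_output):
    """Map tag name -> commit SHA, preferring the peeled (^{}) entry."""
    resolved = {}
    for line in ls_remote_output.splitlines():
        m = TAG_LINE.match(line.strip())
        if not m:
            continue
        sha, tag, peeled = m.groups()
        # A peeled entry is the real commit; a plain entry only fills a gap.
        if peeled or tag not in resolved:
            resolved[tag] = sha
    return resolved


def find_drift(baseline, current):
    """Return (tag, status, pinned_sha, current_sha) for every mismatch."""
    findings = []
    for tag, pinned in sorted(baseline.items()):
        now = current.get(tag)
        if now is None:
            findings.append((tag, "deleted", pinned, None))
        elif now != pinned:
            findings.append((tag, "moved", pinned, now))
    for tag in sorted(set(current) - set(baseline)):
        findings.append((tag, "new", None, current[tag]))
    return findings


if __name__ == "__main__":
    for finding in find_drift(BASELINE, resolve_tags(SAMPLE_LS_REMOTE)):
        print(finding)
```

A "moved" finding means a version identifier that was already trusted now resolves to a different commit, which is the condition this advisory describes; "new" tags need vetting before they join the baseline.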
Mitigation
Limit Exposure
- Avoid using unverified Git tags in CI/CD (e.g., @v0.69.4)
- Enforce:
  - Tag protection rules in GitHub
  - Restricted permissions for release/tag creation
- Require commit SHA pinning instead of tag-based references where possible
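To find tag-based references that still need SHA pinning, the following added example (not from this advisory or any project it names) scans GitHub Actions workflow text for `uses:` entries that are not pinned to a full 40-character commit SHA. The workflow snippet, action names and SHA are constructed placeholders.

```python
import re

# Constructed workflow snippet; action names and the SHA are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout-action@v4
      - uses: example-org/scanner-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - name: lint
        uses: example-org/lint-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      # - uses: example-org/old-action@v1
"""

# Matches a live `uses:` key (not a commented-out one) and captures its value.
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text):
    """Return (line_number, action, ref) for each action not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local actions and container images are not checked by this scan.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, sep, ref = target.partition("@")
        # Tags, branches and short SHAs can all be repointed or are ambiguous.
        if not sep or not FULL_SHA.match(ref):
            findings.append((lineno, action, ref or None))
    return findings


if __name__ == "__main__":
    for lineno, action, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action} is referenced by mutable ref {ref!r}")
```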
Patch/Upgrade
- Do NOT use Trivy v0.69.4
- Upgrade to a known-good version released after the compromise
- Re-download Trivy binaries from trusted and verified sources
- Validate releases using:
  - Checksums
  - Cryptographic signatures (e.g., cosign/Sigstore)
Actions if Usage Was Confirmed
If v0.69.4 was used in any capacity:
- Treat affected systems as potentially compromised
- Rotate:
  - CI/CD secrets
  - API tokens
  - Credentials accessible during Trivy execution
- Rebuild affected environments from trusted sources
- Audit:
  - Build pipelines
  - Developer workstations
- Revalidate all artifacts produced during the exposure window
What the Cyber Fusion Center is Doing
The CFC is monitoring the situation and this advisory will be updated if required, or when more information is made available.
References
https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release
https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise
