
Trivy Compromised a Second Time - Malicious v0.69.4 Release

Aqua Security's widely-used Trivy vulnerability scanner was compromised for the second time in three weeks, with malicious v0.69.4 shipping credential harvesting inside the setup-trivy GitHub Action.

Saturday, March 21, 2026 12:00 PM UTC | 2 min read | Source: Lobsters | By sys://pipeline

Trivy, the widely-used open-source vulnerability scanner by Aqua Security, was compromised a second time on March 19, 2026 — just three weeks after an initial repository takeover. A malicious v0.69.4 release was published alongside a credential-stealing payload injected into the `aquasecurity/setup-trivy` GitHub Action (commit 8afa9b9), with all version tags deleted except one pointing to a clean commit. The `trivy-action` GitHub Action remains compromised as of reporting; engineers using Trivy in CI/CD pipelines should audit for stolen credentials and pin to known-clean commits.
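
As a starting point for the audit and pinning advice above, the following added example (not code from Aqua Security or the original report) scans GitHub Actions workflow files for the two actions named in the article and classifies each reference. The verdict labels, the function names, and the sample workflow are assumptions made for illustration; only the action names and the `8afa9b9` commit prefix come from the article.

```python
import re
from pathlib import Path

# Action names and the malicious commit prefix are taken from the article.
KNOWN_BAD = {"aquasecurity/setup-trivy": ("8afa9b9",),
             "aquasecurity/trivy-action": ()}
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+)[^@\s'\"]*@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def audit_workflow(text, name="<workflow>"):
    """Return (file, line, action, ref, verdict) for each watched `uses:` line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1).lower() not in KNOWN_BAD:
            continue
        action, ref = m.group(1).lower(), m.group(2).lower()
        if ref.startswith(KNOWN_BAD[action]):
            verdict = "MALICIOUS"
        elif FULL_SHA_RE.fullmatch(ref):
            verdict = "PINNED"    # immutable, but still confirm the commit is clean
        else:
            verdict = "MUTABLE"   # tag or branch: can be repointed by an attacker
        findings.append((name, no, action, ref, verdict))
    return findings

def audit_repo(root="."):
    """Audit every workflow file under <root>/.github/workflows."""
    out = []
    for p in sorted(Path(root).glob(".github/workflows/*.y*ml")):
        out += audit_workflow(p.read_text(encoding="utf-8", errors="replace"), str(p))
    return out

# Constructed sample workflow. The tag and both 40-character SHAs are made up;
# the second one only reuses the article's 8afa9b9 prefix, padded with zeros.
SAMPLE = "\n".join([
    "jobs:",
    "  scan:",
    "    steps:",
    "      - uses: actions/checkout@v4",
    "      - uses: aquasecurity/setup-trivy@v0.2.2",
    "      - uses: aquasecurity/setup-trivy@8afa9b9" + "0" * 33,
    "      - uses: aquasecurity/trivy-action@" + "0123456789" * 4,
])

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE, "sample.yml") + audit_repo("."):
        print("{}:{}: {}@{} -> {}".format(*f))
```

A `PINNED` result only means the reference cannot be silently repointed; the commit itself still has to be checked against a known-clean list, and any pipeline that ran a `MALICIOUS` or `MUTABLE` reference during the incident window should have its secrets rotated.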
