Aqua Security's Trivy vulnerability scanner was compromised in an active supply chain attack, with hackers using stolen credentials to force-push malicious code into 75+ trivy-action and setup-trivy tags. The malware silently exfiltrates pipeline secrets — GitHub tokens, cloud credentials, SSH keys, Kubernetes tokens — encrypts them, and sends them to attacker-controlled servers. Any developer or org running affected pipeline versions should treat all pipeline secrets as compromised and rotate them immediately.
Widely used Trivy scanner compromised in ongoing supply-chain attack
Aqua Security's Trivy vulnerability scanner was compromised via stolen credentials, allowing attackers to inject malware into 75+ pipeline action tags that silently exfiltrate GitHub tokens, cloud credentials, and SSH keys to attacker servers.
Saturday, March 21, 2026 12:00 PM UTC | 2 min read | Source: Ars Technica | By sys://pipeline
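Because the malicious code was force-pushed into existing tags, the first triage step is finding every workflow that references these actions by a tag or branch. The following is an added example, not code from the article or from Aqua Security: it scans workflow text for `trivy-action` and `setup-trivy` references and separates mutable refs from full commit SHAs. The `aquasecurity/` owner prefix, the function name and the sample workflow are assumptions made for illustration.

```python
import re

# Action names come from the article; the "aquasecurity/" owner prefix is an
# assumption about how they are referenced in workflow files.
WATCHED = ("aquasecurity/trivy-action", "aquasecurity/setup-trivy")

# Matches a step line such as "- uses: owner/repo@ref" or "uses: 'owner/repo/path@ref'".
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^@\s'"]+)@([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_watched_refs(workflow_text):
    """Return (line_no, repo, ref, kind) for every watched action reference.

    kind is "sha" when the ref is a full 40-hex commit id, otherwise
    "mutable" (a tag or branch, which a force-push can repoint).
    Commented-out steps do not match and are ignored.
    """
    hits = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1).lower(), m.group(2)
        # An action may be referenced with a sub-path: owner/repo/path@ref
        repo = "/".join(action.split("/")[:2])
        if repo in WATCHED:
            kind = "sha" if FULL_SHA_RE.match(ref.lower()) else "mutable"
            hits.append((line_no, repo, ref, kind))
    return hits


# Constructed sample workflow; the tag names and the commit id are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@EXAMPLE-TAG
      - uses: aquasecurity/setup-trivy@EXAMPLE-TAG
      - name: Scan image
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      # - uses: aquasecurity/trivy-action@master
"""

if __name__ == "__main__":
    for line_no, repo, ref, kind in find_watched_refs(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {repo}@{ref} [{kind}]")
```

A `sha` result only means the reference cannot be repointed by a tag force-push; the commit itself still has to be checked against the vendor's advisory.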