Compromise of Trivy Vulnerability Scanner Impacts Software Development Pipelines
Hackers compromised Aqua Security's Trivy vulnerability scanner, a tool used to detect vulnerabilities in software development pipelines. The attack, which began early Thursday, involved threat actors using stolen credentials to inject malicious dependencies into multiple Trivy tags.
Aqua Security's Trivy, a widely used vulnerability scanner, has been compromised in a supply chain attack, maintainer Itay Shakury confirmed Friday. The attack involved threat actors force-pushing malicious dependencies into nearly all trivy-action tags and several setup-trivy tags. A force push is a git operation that overwrites existing commits, bypassing the safety check that normally rejects rewriting already-published history; here it was used to move existing tags to commits carrying the malicious dependencies. Security firms Socket and Wiz reported that the malware, triggered by 75 compromised trivy-action tags, thoroughly scours development pipelines and developer machines for secrets: it searches for GitHub tokens, cloud credentials, SSH keys, and Kubernetes tokens.
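Moving a tag only helps an attacker when workflows reference trivy-action or setup-trivy by that mutable tag rather than by an immutable commit SHA. The following check, an added example that is not code from the article or from the Trivy project, flags every `uses:` reference in a workflow that is not pinned to a full 40-character commit SHA; the sample workflow, its version numbers and the all-zero SHA are constructed for illustration, and the line-oriented regex is a simplification that does not parse full YAML.

```python
import re

# Matches `uses: owner/repo[/path]@ref` on a single workflow line (simplified, not full YAML).
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^@\s"\']+)@([^\s"\'#]+)')
# A full 40-hex-character commit SHA is the only ref that a force-pushed tag cannot move.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
# Actions named in the article as having had tags force-pushed.
WATCHLIST = ("aquasecurity/trivy-action", "aquasecurity/setup-trivy")

# Constructed sample workflow; version numbers and the SHA are placeholders, not real releases.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.0.0
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.0.0
        with:
          scan-type: fs
      - uses: actions/upload-artifact@0000000000000000000000000000000000000000
"""

def find_unpinned_uses(workflow_text):
    """Return (line_no, action, ref, severity) for each `uses:` not pinned to a commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if action.startswith("./") or action.startswith("docker://"):
            continue  # local or container actions are not resolved through git tags
        if SHA_RE.match(ref):
            continue  # immutable pin: a moved tag has no effect on this step
        repo = "/".join(action.split("/")[:2])
        severity = "high" if repo in WATCHLIST else "medium"
        findings.append((lineno, action, ref, severity))
    return findings

if __name__ == "__main__":
    for lineno, action, ref, severity in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref} is a mutable ref ({severity})")
```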
Key Facts
- The attack on the Trivy vulnerability scanner began early Thursday.
- Threat actors used stolen credentials to inject malicious dependencies.
- The scanner has 33,200 stars on GitHub, indicating widespread use.
- The malware hunts for GitHub tokens, cloud credentials, SSH keys, and Kubernetes tokens.
- Itay Shakury confirmed the compromise on Friday.
- Seventy-five compromised trivy-action tags triggered malware.
- Compromised versions of Trivy can expose software development pipelines.
Research Sources
- Ars Technica — Widely used Trivy scanner compromised in ongoing supply-chain attack