Technology
Trivy vulnerability scanner compromised in supply chain attack, secrets at risk
Hackers compromised multiple versions of Aqua Security's Trivy, a vulnerability scanner widely used by developers. The attack, which began early Thursday, could have significant consequences for developers and organizations using the scanner.
Aqua Security's Trivy, a widely used vulnerability scanner, was compromised in a supply chain attack, confirmed Friday by Trivy maintainer Itay Shakury. The attack involved threat actors using stolen credentials to force-push malicious dependencies to almost all trivy-action tags and several setup-trivy tags. A force push is a git operation that overrides the safety check that normally prevents existing commits from being overwritten, so a tag that previously pointed at trusted code can be silently redirected to malicious code. Trivy helps developers find vulnerabilities and inadvertently hardcoded authentication secrets in software development pipelines. Security firms Socket and Wiz reported that the malware triggered by the compromised tags thoroughly scours development pipelines and developer machines for credentials.
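Because the attack worked by moving mutable tags, a practical defensive check is to audit workflow files for `uses:` references that point at a tag or branch instead of a full commit SHA, and to list every reference to the two actions named in the article for review. The script below is an added example written for this page, not code from Aqua Security, Trivy or the researchers cited; the sample workflow text, the version string `0.28.0` and the 40-hex SHA in it are constructed placeholders, and the function names are this example's own.

```python
"""Audit GitHub Actions workflow text for action references that use a
mutable tag or branch (e.g. ``@v4`` or ``@0.28.0``) instead of a full
commit SHA, and list every reference to the actions named in the article.

Added example for this page; not code from Aqua Security or Trivy.
"""
import re
import sys
from pathlib import Path
from typing import List, Tuple

# A `uses:` step line: optional list dash, the action path, '@', the ref.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")
# Only a full 40-character hex commit SHA is immutable; tags and branches can be force-pushed.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Actions named in the article as having had tags overwritten.
ACTIONS_OF_INTEREST = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

# Constructed sample workflow: two mutable tag references and one SHA pin.
# The version and the SHA are placeholders, not real releases or commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - uses: aquasecurity/setup-trivy@4d7fb4ddad7e2db8c49ff8a7b5ee9c6a0a1b2c3d  # placeholder SHA
"""


def iter_uses(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, action, ref) for every `uses:` reference found."""
    refs = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            refs.append((lineno, m.group(1), m.group(2)))
    return refs


def find_unpinned_uses(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return references whose ref is not a full commit SHA.

    A tag or branch name is mutable: whoever can force-push the tag decides
    what code the workflow runs next time, which is exactly what happened
    to the trivy-action tags.
    """
    return [(n, a, r) for n, a, r in iter_uses(workflow_text) if not SHA_RE.match(r)]


def trivy_action_refs(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return every reference to the actions named in the article, pinned or not,
    so each one can be checked against the maintainers' guidance."""
    return [(n, a, r) for n, a, r in iter_uses(workflow_text) if a in ACTIONS_OF_INTEREST]


def audit_text(label: str, workflow_text: str) -> int:
    """Print findings for one workflow; return the number of unpinned references."""
    unpinned = find_unpinned_uses(workflow_text)
    for lineno, action, ref in unpinned:
        print(f"{label}:{lineno}: {action}@{ref} is a mutable ref; pin to a full commit SHA")
    for lineno, action, ref in trivy_action_refs(workflow_text):
        print(f"{label}:{lineno}: references {action}@{ref}; review per maintainer guidance")
    return len(unpinned)


if __name__ == "__main__":
    # With paths on the command line, audit those files; otherwise run on the sample.
    paths = [Path(p) for p in sys.argv[1:]]
    if paths:
        total = sum(audit_text(str(p), p.read_text()) for p in paths)
    else:
        total = audit_text("sample", SAMPLE_WORKFLOW)
    sys.exit(1 if total else 0)
```

Run it against `.github/workflows/*.yml` to get a non-zero exit status whenever a mutable reference remains. Pinning to a SHA does not by itself tell you whether the pinned commit is clean, which is why the second report lists every trivy-action and setup-trivy reference regardless of how it is pinned.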
Key Facts
- The attack on the Trivy vulnerability scanner began early Thursday.
- Attackers used stolen credentials to insert malicious dependencies into Trivy.
- The compromised scanner has 33,200 stars on GitHub, indicating widespread use.
- Seventy-five compromised trivy-action tags triggered malware.
- The malware searches development pipelines for GitHub tokens and other credentials.
- Compromised versions of Trivy can expose cloud credentials and SSH keys.
- Itay Shakury advises users who suspect compromise to rotate all pipeline secrets immediately.
Research Sources
- Ars Technica — Widely used Trivy scanner compromised in ongoing supply-chain attack