Trivy ecosystem supply chain briefly compromised
TL;DR Highlight
Popular open-source vulnerability scanner Trivy suffered a supply chain attack on March 19, 2026 — malicious binaries distributed and 76 GitHub Actions tags replaced with credential-stealing malware. A wake-up call given that the security tool itself was the attack target.
Who Should Read
DevSecOps engineers and backend developers using Trivy to scan container images or code for vulnerabilities in CI/CD pipelines — especially teams using aquasecurity/trivy-action or aquasecurity/setup-trivy in GitHub Actions.
Core Mechanics
- The attack compromised Trivy's official GitHub releases and replaced 76 Git tags pointing to GitHub Actions with malicious versions containing credential-stealing code.
- The malicious code targeted CI/CD environment variables — specifically cloud provider credentials, API keys, and secrets stored in GitHub Actions secrets.
- Since many pipelines reference Trivy Actions by tag (e.g., @v0.20.0) rather than commit hash, they automatically pulled the malicious version on the next run without any code changes.
- The attack was discovered relatively quickly, but any pipeline that ran Trivy Actions between the attack and the fix may have had credentials exfiltrated.
- Mitigation: immediately rotate any secrets that were accessible in pipelines running Trivy Actions, and pin all GitHub Actions to specific commit SHAs rather than tags.
Evidence
- The Aqua Security team published a detailed incident report confirming the attack vector, the scope (76 tags), and the timeline.
- Security researchers noted this follows a well-established pattern: attackers target trusted security tools specifically because they have broad access and are used in privileged CI/CD contexts.
- Several teams shared postmortems in the comments, with some discovering they'd rotated credentials only to find the attacker had already used them in the hours between compromise and rotation.
- The broader discussion centered on the GitHub Actions security model — tag pinning vs. SHA pinning is a known security gap that this incident made viscerally real for many teams.
How to Apply
- Immediately: if your pipelines used aquasecurity/trivy-action or aquasecurity/setup-trivy in the affected window, rotate all secrets those pipelines had access to.
- Switch all GitHub Actions references from tag-based (e.g., @v1.2.3) to SHA-based (e.g., @abc123def...) pinning. Tags are mutable; commit SHAs are immutable.
- Implement automated dependency scanning for your GitHub Actions workflows — tools like Dependabot or StepSecurity's Harden-Runner can flag outdated or compromised Actions.
- Apply least-privilege to CI/CD secrets: pipelines that only need read access shouldn't have write credentials. Compartmentalize so a single compromised pipeline can't access all secrets.
Code Example
# Unsafe approach (using tags - vulnerable to attacks)
- uses: aquasecurity/trivy-action@master
- uses: aquasecurity/trivy-action@v0.34.0
# Safe approach 1: Use patched version tag
- uses: aquasecurity/trivy-action@v0.35.0
# Safe approach 2: Pin to SHA hash (most recommended)
# First, check the commit SHA: https://github.com/aquasecurity/trivy-action/commits/main
- uses: aquasecurity/trivy-action@<full-commit-sha>
# Reference container images by digest (defends against tag substitution attacks)
# Using tag (vulnerable)
docker pull aquasecurity/trivy:0.69.4
# Using digest (safe)
docker pull aquasecurity/trivy@sha256:<digest>
# Check installed trivy version
trivy --version
# output: Version: 0.69.4 -> immediate replacement required in this case
# output: Version: 0.69.3 -> safe
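The following script is an added audit example for the two checks above; it is not code from the original page or from Aqua Security. It scans GitHub Actions workflow text, flags every `uses:` reference that is pinned to a tag or branch rather than a full 40-character commit SHA, flags container image references (`image:`, `image-ref:` or `docker pull`) that use a tag rather than a sha256 digest, and marks references to the two actions the page names as affected so the owning team knows which pipelines need secret rotation. The sample workflow, its commit SHA and its digest are constructed placeholders, not real values.

```python
"""Audit GitHub Actions workflow text for mutable references.

Added example, not part of the original page or Aqua's tooling. The two
action names in AFFECTED_ACTIONS are the ones the page names as affected;
the sample workflow, SHA and digest below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Actions the page names as affected in the March 2026 incident.
AFFECTED_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")                 # only a full SHA counts as pinned
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")            # image pinned by digest
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
IMAGE_RE = re.compile(r"(?:^\s*image(?:-ref)?:\s*|\bdocker\s+pull\s+)([^\s#]+)")


@dataclass
class Finding:
    line_no: int
    ref: str
    kind: str       # "action" or "image"
    verdict: str    # "tag", "branch" or "unpinned" (actions); "tag" (images)
    affected: bool  # a mutable reference to one of AFFECTED_ACTIONS


def classify_action(ref: str) -> str:
    """Return how an action reference is pinned."""
    if ref.startswith(("./", "docker://")):
        return "local"            # local path or docker:// action, not a Git ref lookup
    if "@" not in ref:
        return "unpinned"         # GitHub rejects this form, but report it anyway
    version = ref.rsplit("@", 1)[1]
    if FULL_SHA_RE.match(version):
        return "sha-pinned"       # immutable
    if re.match(r"^v?\d", version):
        return "tag"              # mutable: a tag can be moved to another commit
    return "branch"               # mutable: master/main/etc. follow HEAD


def classify_image(ref: str) -> str:
    """Return "digest-pinned" for name@sha256:<64 hex>, otherwise "tag"."""
    return "digest-pinned" if DIGEST_RE.search(ref) else "tag"


def audit(workflow_text: str) -> list[Finding]:
    """Scan workflow text line by line and return every mutable reference."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            verdict = classify_action(ref)
            if verdict in ("tag", "branch", "unpinned"):
                name = ref.split("@", 1)[0]
                findings.append(Finding(line_no, ref, "action", verdict, name in AFFECTED_ACTIONS))
            continue
        m = IMAGE_RE.search(line)
        if m and classify_image(m.group(1)) == "tag":
            findings.append(Finding(line_no, m.group(1), "image", "tag", False))
    return findings


def needs_secret_rotation(findings: list[Finding]) -> list[str]:
    """References to the affected actions that could have resolved to a replaced tag."""
    return [f.ref for f in findings if f.affected]


# Constructed sample workflow: the SHA and digest are made-up placeholders.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
permissions:
  contents: read          # least privilege: a scan job needs no write token
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@main
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # v0.35.0
        with:
          image-ref: aquasecurity/trivy:0.69.4
      - run: docker pull aquasecurity/trivy@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_WORKFLOW):
        flag = "  <-- affected action, rotate this pipeline's secrets" if f.affected else ""
        print(f"line {f.line_no}: {f.kind} {f.ref} is {f.verdict}{flag}")
```

On the sample, the SHA-pinned trivy-action step and the digest-pinned pull pass; the `actions/checkout@v4` tag, the `setup-trivy@main` branch and the `image-ref` tag are reported, and only the `setup-trivy@main` line is marked as affected. To run it against a repository, feed each file under `.github/workflows/` to `audit()`; a short SHA or a tag that merely looks like a version is deliberately not accepted as pinned.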
Related Papers
What happened after 2k people tried to hack my AI assistant
Results of a public experiment in which more than 6,000 emails were used to attempt prompt injection attacks against an AI agent. Claude Opus 4.6 never once allowed the secret file to leak, but the realism of the experimental design was hotly debated.
When Does Combining Language Models Help? A Co-Failure Ceiling on Routing, Voting, and Mixture-of-Agents Across 67 Frontier Models
Even when several LLMs are combined, the fraction of cases in which every model is wrong at the same time (β) is the ceiling on performance, and the pairwise correlation coefficient (ρ) the industry uses does not predict that ceiling.
Beyond Function Calling: Benchmarking Tool-Using Agents under Tool-Environment Unreliability
Release of ToolBench-X, a benchmark that measures how well LLM agents hold up when, as in real environments, APIs break or return abnormal results.
Nearly Half of LG Smart TV Apps Contain Residential Proxy SDKs
Scanning 6,038 LG and Samsung smart TV apps found residential proxy SDKs in 2,058 of them, which covertly sell the user's IP address and relay traffic through it. TVs are not monitored the way computers are, which makes them a nearly ideal environment for proxy hosts.
Prompt Injection as Role Confusion
An ICML 2026 paper arguing that the root cause of prompt injection is a structural flaw: the LLM cannot tell system prompt, user input and tool output apart. It gives a clear analysis of the limits of current LLM security architectures.
GPT-5.5 hallucinates 3x more than MIT-licensed GLM-5.2
Contrary to the conventional wisdom that larger models perform better, benchmark results show the open-source 753B model GLM-5.2 hallucinating three times less often than GPT-5.5, estimated at 1-2T parameters. It is a warning that choosing a model on parameter count and benchmark scores alone can backfire in real work.