- Updated: March 22, 2026
Trivy Scanner Compromised: Inside the March 2026 Supply‑Chain Attack
The security community was shaken in March 2026 when a sophisticated supply‑chain attack targeted Aqua Security’s Trivy container image scanner and its associated GitHub Actions. The breach, detailed in a comprehensive report by Wiz, revealed how threat actors injected malicious code into the teamcpc repository, turning a trusted security tool into a conduit for credential theft and data exfiltration.
According to the investigation, the attackers first compromised a developer's personal access token, then used it to push a backdoor into the teamcpc GitHub Action. Once the malicious change was merged, any workflow that pulled the compromised Trivy Action ran the payload on its next CI/CD run, with whatever credentials that job had been granted. The payload performed the following actions:
- Harvested Docker configuration files and cloud provider credentials.
- Compressed the stolen data and exfiltrated it to a remote C2 server.
- Attempted to persist by creating additional GitHub secrets.
Indicators of compromise (IOCs) published with the report include specific SHA‑256 hashes of the malicious binaries, suspicious network traffic to 13.37.0.1, and newly created GitHub secrets named TRIVY_BACKDOOR. Organizations using Trivy should immediately audit their CI pipelines for any reference to the action, treat every secret available to an affected job (Docker registry logins, cloud provider keys, tokens) as exposed and rotate it, and replace the compromised GitHub Action with the official, verified version.
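The audit step above is easy to describe and tedious to do by hand across many repositories. The following script is an added example, not code from the page, from Aqua Security or from Wiz: it scans GitHub Actions workflow text for `uses:` references, flags any third-party action that is not pinned to a full 40-character commit SHA (a mutable tag or branch is exactly what lets a compromised action repository ship new code into existing pipelines), and separately flags any reference to an action on a watchlist so it can be checked against the vendor's known-good commits. The action slug in the watchlist and the sample workflow are assumptions constructed for illustration.

```python
"""Audit GitHub Actions workflow files for actions that are not pinned to a
full commit SHA and for references to a watchlisted (recently compromised)
action.  Added example; not code from the original page, Aqua Security or
Wiz.  The sample workflow and watchlist entry below are constructed."""
import re
from typing import Dict, List

# Matches "uses: owner/repo@ref", optionally quoted, optionally as a list item.
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?([^\s"\'#]+)')
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Actions that warrant manual review after their repository was compromised.
# The slug is assumed for illustration; substitute whatever the advisory names.
WATCHLIST = {"aquasecurity/trivy-action"}


def parse_uses(workflow_text: str) -> List[str]:
    """Return every `uses:` reference found in a workflow file, in order."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            refs.append(m.group(1))
    return refs


def classify(ref: str) -> Dict[str, str]:
    """Classify one action reference.

    status is one of:
      local     - ./path actions in the same repository (not fetched remotely)
      docker    - docker://image references (pin those by digest separately)
      pinned    - owner/repo@<40-hex commit SHA>
      unpinned  - owner/repo@tag or @branch, which whoever controls the action
                  repository can repoint at new (possibly malicious) code
      malformed - no @ref at all
    """
    if ref.startswith("./"):
        return {"ref": ref, "repo": "", "status": "local"}
    if ref.startswith("docker://"):
        return {"ref": ref, "repo": "", "status": "docker"}
    if "@" not in ref:
        return {"ref": ref, "repo": ref, "status": "malformed"}
    path, version = ref.rsplit("@", 1)
    repo = "/".join(path.split("/")[:2])  # owner/repo, dropping any subpath
    status = "pinned" if FULL_SHA_RE.match(version) else "unpinned"
    return {"ref": ref, "repo": repo, "status": status}


def audit(workflow_text: str) -> List[Dict[str, object]]:
    """Return findings that need a human: unpinned or malformed references,
    and any watchlisted action even when pinned (the pinned commit still has
    to be compared against the vendor's list of known-good commits)."""
    findings = []
    for ref in parse_uses(workflow_text):
        info: Dict[str, object] = dict(classify(ref))
        info["watchlist"] = info["repo"] in WATCHLIST
        if info["status"] in ("unpinned", "malformed") or info["watchlist"]:
            findings.append(info)
    return findings


# Constructed sample workflow; the commit SHA is illustrative, not a
# recommendation of a specific version.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
      - name: Trivy scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: myorg/app:latest
      - uses: ./.github/actions/notify
      - uses: docker://alpine:3.19
      - uses: actions/setup-python@v5
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_WORKFLOW):
        flag = " [WATCHLIST]" if finding["watchlist"] else ""
        print(f"{finding['status']:9} {finding['ref']}{flag}")
```

Run it over every file under `.github/workflows/` in each repository; the pinned `actions/checkout` line produces no finding, while the `@master` reference to the watchlisted action and the `@v5` tag on `setup-python` are both reported. Pinning fixes the mutable-reference problem only if the SHA itself is one the vendor has vouched for, which is why watchlisted actions are reported even when pinned.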
For a detailed timeline, technical analysis, and remediation steps, read the original Wiz report.
Stay vigilant and keep your development pipelines secure.