Trivy Scanner Compromised in Major Supply-Chain Attack

Summary
– Hackers have compromised nearly all versions of the widely used Trivy vulnerability scanner in a supply chain attack.
– The attackers used stolen credentials to force-push malicious code into the project’s tags, overriding safety mechanisms.
– The malware searches development pipelines for secrets like cloud credentials and SSH keys, then exfiltrates them.
– Any CI/CD pipeline using a compromised Trivy version executes this malicious code as soon as a scan runs.
– Users are advised to treat all pipeline secrets as compromised and rotate them immediately if they ran a bad version.
A significant supply-chain attack has compromised nearly all versions of the popular Trivy vulnerability scanner, a critical tool used by developers to identify security flaws in software pipelines. Maintainers at Aqua Security confirmed the breach, which began early Thursday, after attackers used stolen credentials to force malicious code into almost every available version tag. This incident poses a severe risk to countless development environments and the organizations relying on them, highlighting the pervasive dangers within modern software supply chains.
The attackers executed a forced push in the project’s Git repository, a command that overrides standard protections to replace existing code commits. Trivy, which boasts over 33,200 stars on GitHub, indicating its widespread adoption, is designed to scan for vulnerabilities and exposed secrets during software development and deployment. The malicious update injected harmful dependencies into all but one of the `trivy-action` tags and seven `setup-trivy` tags. “If you suspect your pipeline ran a compromised version, you must treat all associated secrets as compromised and rotate them immediately,” warned Itay Shakury, the project maintainer.
Security analyses from firms like Socket and Wiz reveal the malware’s dangerous capabilities. Triggered within 75 compromised tags, the malicious code conducts a comprehensive search of development pipelines and connected developer machines. It actively harvests sensitive data, including GitHub tokens, cloud credentials, SSH keys, and Kubernetes tokens. Any secrets it discovers are encrypted and exfiltrated to a server under the attacker’s control.
The consequence is that any continuous integration or deployment (CI/CD) pipeline utilizing software that references the compromised tags will execute this malicious code as soon as a Trivy scan initiates. Among the spoofed version tags are commonly used releases like @0.34.2, @0.33, and @0.18.0. Currently, version @0.35.0 appears to be the sole unaffected release. This attack underscores how a single compromised tool in the development chain can jeopardize entire software ecosystems, demanding urgent scrutiny of pipeline security and dependency management.
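Because the attack worked by force-pushing over mutable tags, the practical first check for a defender is whether any workflow references Trivy by tag rather than by an immutable commit SHA. The following added example (not from the article or the Trivy project) audits GitHub Actions workflow text for such references; it assumes the actions live at `aquasecurity/trivy-action` and `aquasecurity/setup-trivy`, which the page does not state, and treats only trivy-action `@0.35.0` as unaffected, as the article reports.

```python
import re
# Action paths for the two projects the article names. The "aquasecurity/"
# owner prefix is not stated on the page; it is assumed here.
TRIVY_ACTIONS = ("aquasecurity/trivy-action", "aquasecurity/setup-trivy")
# Per the article, @0.35.0 is the only trivy-action tag that appears unaffected.
UNAFFECTED_TRIVY_ACTION_TAGS = {"0.35.0"}

USES_RE = re.compile(r"uses:\s*['\"]?(?P<repo>[\w.-]+/[\w.-]+)@(?P<ref>[^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_ref(repo, ref):
    """Verdict for one `uses: owner/repo@ref` reference."""
    if repo not in TRIVY_ACTIONS:
        return "not-trivy"
    if FULL_SHA_RE.match(ref):
        # A full commit SHA is immutable: a force-pushed tag cannot move it.
        return "pinned-sha"
    if repo == TRIVY_ACTIONS[0] and ref.lstrip("v") in UNAFFECTED_TRIVY_ACTION_TAGS:
        return "mutable-tag-unaffected"
    # Any other tag may have been overwritten by the force-push: check which
    # commit it resolved to in recent runs and rotate the pipeline's secrets.
    return "mutable-tag-review"

def audit_workflow(text):
    """Return (line_no, repo, ref, verdict) for every action reference in a workflow."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.search(line)
        if m:
            findings.append((n, m["repo"], m["ref"], classify_ref(m["repo"], m["ref"])))
    return findings

def needs_secret_rotation(findings):
    """True if any Trivy reference is a tag the article says to treat as compromised."""
    return any(v == "mutable-tag-review" for _, _, _, v in findings)

# Constructed sample workflow fragment (not from the page) mixing reference styles.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: aquasecurity/setup-trivy@v0.2.0
  - uses: aquasecurity/trivy-action@0.34.2
  - uses: aquasecurity/trivy-action@0.35.0
  - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""
if __name__ == "__main__":
    for n, repo, ref, verdict in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {n}: {repo}@{ref} -> {verdict}")
    print("rotate secrets:", needs_secret_rotation(audit_workflow(SAMPLE_WORKFLOW)))
```

Point it at every file under `.github/workflows/` to get the full picture; a `pinned-sha` verdict only means the reference cannot be moved by a tag rewrite, so the pinned commit itself should still be one you have reviewed.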
(Source: Ars Technica)