
"The attack on Aqua Security's widely used Trivy vulnerability scanner started with the compromise of an access token in late February. Because the maintainers did not rotate all credentials and secrets simultaneously, the hackers were able to maintain access to the compromised environment."
"In the Trivy supply chain attack, now tracked as CVE-2026-33634 (CVSS score of 9.4), the hackers released malicious package versions and modified GitHub Actions tags to push information-stealing malware that would harvest credentials, keys, tokens, and other sensitive data."
"While the attack leveraged a known GitHub Actions vulnerability involving mutable tags, the incident also highlights the importance of comprehensive repository protection, strict credential management, and defense-in-depth across CI/CD systems."
TeamPCP has broadened its open source software campaign from the Trivy supply chain attack to platforms like NPM, Docker Hub, VS Code, and PyPI. The initial attack on Aqua Security's Trivy vulnerability scanner was facilitated by a compromised access token. Attackers gained write/admin access through the Argon-DevOps-Mgt service account token. The incident underscores the need for robust repository protection and credential management. Similar tactics were used in a subsequent attack on Xygeni, emphasizing the risks associated with mutable tags in repository automation.
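The mutable-tag weakness mentioned above comes down to a workflow referencing an action by a tag or branch name that the action's publisher (or anyone who takes over the publisher's credentials) can repoint at new code. As an added defender-side example, not code from the SecurityWeek report or from Aqua Security, Trivy or Xygeni, the script below scans a GitHub Actions workflow for `uses:` references and classifies each as pinned to an immutable commit SHA or container digest versus resolved through a mutable tag, branch or missing version. The workflow text, the `example-org/scan-action` reference and the 40-character SHA it contains are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# A `uses:` line inside a workflow step, with or without the leading "- " and quotes.
# The captured reference stops at whitespace, a quote or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"[0-9a-f]{40}")          # full git commit SHA: immutable
TAG_RE = re.compile(r"v?\d+(\.\d+)*")        # v4, v5.2.0, 1.2: mutable release tags


@dataclass
class Finding:
    line: int
    ref: str
    kind: str      # sha | tag | branch | unpinned | local | docker-digest | docker-tag
    mutable: bool  # True when the publisher can change what this reference resolves to


def classify(ref: str) -> Tuple[str, bool]:
    """Return (kind, mutable) for one `uses:` reference."""
    if ref.startswith("./"):
        # Lives in the calling repository; only as mutable as the repo itself.
        return "local", False
    if ref.startswith("docker://"):
        # Image digests are content-addressed; image tags can be re-pushed.
        return ("docker-digest", False) if "@sha256:" in ref else ("docker-tag", True)
    if "@" not in ref:
        # No version at all; GitHub requires one for remote actions, so this is also invalid.
        return "unpinned", True
    _, version = ref.rsplit("@", 1)
    if SHA_RE.fullmatch(version):
        return "sha", False
    if TAG_RE.fullmatch(version):
        return "tag", True
    return "branch", True


def audit_workflow(text: str) -> List[Finding]:
    """Classify every `uses:` reference in a workflow file, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if match:
            ref = match.group(1)
            kind, mutable = classify(ref)
            findings.append(Finding(lineno, ref, kind, mutable))
    return findings


def mutable_references(text: str) -> List[Finding]:
    """Only the references a tag/branch repoint could silently replace."""
    return [f for f in audit_workflow(text) if f.mutable]


# Constructed workflow for the demonstration. The SHA below is a placeholder, not a
# real commit, and example-org/scan-action is a hypothetical action name.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5.2.0
      - name: scan
        uses: example-org/scan-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: some-org/tool
"""


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        flag = "MUTABLE " if f.mutable else "pinned  "
        print(f"line {f.line:>3}  {flag} {f.kind:<13} {f.ref}")
```

Running it over the constructed workflow flags `actions/checkout@v4`, `example-org/scan-action@main`, `docker://alpine:3.19` and the version-less `some-org/tool`, while the SHA-pinned step and the digest-pinned pattern pass. A SHA pin is only useful if the trailing `# v5.2.0` comment is kept in sync when the pin is bumped, which is why the scan records the raw reference rather than the comment.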
Read at SecurityWeek