Trivy Supply‑Chain Compromise: Malicious Releases in March 2026 Led to a 340 GB Exfiltration from the European Commission
Trivy supply-chain attack: March 19–28, 2026 compromised releases led to 340 GB exfiltration and affected Trivy binaries, GitHub Action tags, and 71 EU clients.
FACTUAL ACCURACY
- Only include information explicitly supported by the source content.
- Do not infer, assume, or generalize beyond the source.
- Do not invent features, architecture, benchmarks, or integrations.
- If a detail is uncertain or not clearly stated, omit it.
Introduction: what happened and why Trivy’s compromise matters
Trivy, the open‑source vulnerability scanner maintained by Aqua Security, became the center of a major supply‑chain security incident in March 2026 when attackers used compromised official releases to exfiltrate data. The incident—now attributed by CERT‑EU to a group called TeamPCP—turned a tool used to detect vulnerabilities in containers, filesystems, repositories and Kubernetes clusters into an attack vector that allegedly enabled the exfiltration of 340 GB of data (91.7 GB compressed) from the European Commission. The episode is notable because Trivy is widely used across enterprise CI/CD pipelines; malicious releases and rewritten Action tags propagated quickly through registries and packaging channels, exposing secrets and infrastructure to abuse.
How the compromise unfolded
The breach traces to a misconfiguration in an Aqua Security GitHub Actions workflow that leaked the token for an automation identity called aqua‑bot in late February 2026. Aqua detected the token leak and initiated a credential rotation on March 1, but that rotation was incomplete and left several keys valid. Over roughly three weeks of persistent access, TeamPCP prepared and then replaced official artifacts: they force‑pushed rewritten tags for the GitHub Action repositories and published altered Trivy binaries to public registries and packaging repositories. According to the advisory and CERT‑EU post‑mortem, malicious binaries and rewritten tags were active between March 19 and March 28, 2026, after which disclosure and remediation actions began.
Timeline of the active malicious artifacts
- Late February 2026: GitHub Actions misconfiguration leaks the aqua‑bot token.
- March 1, 2026: Aqua detects the leak and rotates credentials; rotation is incomplete, leaving persistent access.
- March 19, 2026, 17:43 UTC: TeamPCP force‑pushes and rewrites 76 of 77 tags in aquasecurity/trivy-action and seven tags in setup‑trivy; the only confirmed clean tag for the action is v0.35.0 (commit 57a97c7).
- March 19, 2026, 18:22 UTC: A malicious Trivy binary v0.69.4 is published to GHCR, Amazon ECR, Docker Hub and the official deb and rpm repositories.
- March 22, 2026, 15:43 UTC: Additional malicious binaries v0.69.5 and v0.69.6 are uploaded to Docker Hub.
- March 24–28, 2026: Detection, coordinated disclosure and token revocation take place. Days later, the leak group ShinyHunters published 340 GB of exfiltrated data.
Which Trivy artifacts and versions were affected
The advisory identifies three compromised Trivy binary versions: v0.69.4, v0.69.5 and v0.69.6; the last clean binary version noted is v0.69.3. For the GitHub Action packaging, 76 of 77 tags in aquasecurity/trivy-action were rewritten; only v0.35.0 is confirmed clean. The setup‑trivy repository tags prior to v0.2.6 are considered compromised. The advisory published by Aqua includes 27 SHA‑256 hashes that correspond to malicious artifacts and should be used for verification.
Why this attack had high impact in CI/CD environments
Trivy is commonly executed inside CI/CD runners that frequently have access to pipeline secrets. When a scanner binary or Action running in a pipeline has been tampered with, any secrets and credentials available to the runner—AWS access keys, GCP service account keys, GitHub tokens, SSH private keys, database URLs, container registry credentials, Kubernetes tokens, and KMS master keys—may be exposed. CERT‑EU’s findings indicate an API key belonging to the European Commission was exfiltrated from a CI pipeline that executed a compromised Trivy binary and was later used to access the organization’s AWS environment. The incident illustrates a broader class of supply‑chain attacks where tooling with privileged visibility becomes a high‑value target.
Public indicators of compromise to block immediately
CERT‑EU and Aqua published a set of IOCs that organizations should use to detect and block malicious activity. The public indicators include:
- A typosquatted domain used by the attackers: scan.aquasecurtiy.org (note the misspelling compared with aquasecurity.org).
- An exfiltration IP address: 45.148.10.212.
- GitHub fallback repositories matching github.com/tpcp-docs-*.
- 27 SHA‑256 hashes for malicious Trivy artifacts listed in the advisory GHSA‑69fq‑xp46‑6×23.
Security teams are advised to add these indicators to firewalls, IDS/IPS, egress filtering rules and SIEM detection logic.
Immediate response checklist for teams that ran Trivy between March 19–28, 2026
If your organization executed Trivy or the aquasecurity/trivy‑action in any pipeline during the period March 19–28, 2026, the advisory and CERT‑EU guidance recommend treating the pipeline as compromised and performing the following actions immediately:
- Verify the Trivy version in your environments with trivy –version; consider v0.69.4–v0.69.6 compromised.
- Search CI/CD workflows for references to aquasecurity/trivy-action and setup‑trivy; assume any tag other than v0.35.0 for the Action is suspect and any setup‑trivy tag older than v0.2.6 is suspect.
- Rotate all credentials that were available to runners during the impacted timeframe: AWS, GCP, Azure keys; GitHub PATs; SSH keys; container registry tokens; DATABASE_URL and other service credentials.
- Audit logs across CloudTrail, Cloud Audit Logs, GitHub audit log and SIEM for anomalous activity after March 19, including connections to the listed IOCs and unauthorized IAM or account activity.
- Verify binary checksums against the SHA‑256 hashes published by Aqua to confirm whether any stored artifacts match known malicious files.
- Rebuild and redeploy images created during the window to ensure no malicious layers persist in image registries.
A practical grep example provided by the advisory shows how to find references to the Action and Trivy commands across GitHub workflows:
- grep -rE "aquasecurity/trivy-action@(v?0.[0-9]+.[0-9]+)" .github/workflows/
- grep -rE "trivy (image|fs|repo|config)" .github/workflows/
Mitigations to harden CI/CD and reduce future supply‑chain risk
Beyond immediate remediation, the incident highlights architectural controls teams should consider when designing CI/CD systems that consume third‑party tooling:
- Adopt SLSA (Supply‑chain Levels for Software Artifacts) practices to formalize provenance and build integrity requirements.
- Prefer OIDC federated authentication for runners instead of static API keys, so tokens are ephemeral and scoped to specific workflows.
- Scope secrets temporally by employing short‑lived tokens obtained via IAM role assumption immediately prior to steps that require them.
- Sandbox security and observability tools in dedicated runners that have access only to the minimum secrets required.
- Pin external GitHub Actions to commit SHAs rather than to mutable tags—e.g., uses: aquasecurity/trivy-action@57a97c7—in order to avoid tampering via force pushes of tags.
The advisory notes that pinning by SHA is resilient to tag force‑pushes and that GitHub automation can help keep SHA pins up to date.
Temporary alternatives while assurance is pending
The advisory suggests that organizations do not necessarily need to abandon Trivy permanently, but they should evaluate alternatives while Aqua completes its post‑mortem and confirms the chain is clean. Examples of alternative scanners and commercial offerings mentioned as suitable for the same use cases include Grype (Anchore), Snyk, Clair and Anchore Enterprise. Using an alternative scanner can be a stopgap while teams verify their CI/CD supply chain and rotate credentials.
Impact metrics and scope of affected clients
Published figures in the advisory and CERT‑EU post‑mortem quantify the scale of the incident:
- 340 GB of data exfiltrated (91.7 GB compressed).
- 71 clients impacted: 42 internal entities of the European Commission and 29 external EU organizations.
- 34,570 GitHub stars on the Trivy repository at the time of the incident—underscoring Trivy’s wide adoption and the potential blast radius.
- 76 of 77 tags rewritten in aquasecurity/trivy-action.
- Three compromised binary versions: v0.69.4, v0.69.5 and v0.69.6.
- 27 SHA‑256 hashes corresponding to malicious artifacts documented in the advisory.
- Approximately three weeks of persistent access resulting from incomplete credential rotation.
Why security tooling becomes a prime target
The Trivy incident follows a recognizable pattern: tools that run within privileged contexts—observability, security scanners, CI/CD helpers—are inherently attractive targets because they can access broad environments and secrets when executed. The advisory explicitly compares the structural nature of this attack to other high‑profile supply‑chain incidents that targeted trusted tooling and update or distribution mechanisms. The lesson drawn in the advisory is not that Trivy as a project is inherently insecure, but that any tool with wide visibility into deployment environments requires stronger provenance, scoping and isolation.
Lessons and implications for Latin America and the broader industry
The advisory highlights regional implications for LATAM: banks, fintechs, e‑commerce firms and startups that run modern CI/CD pipelines likely use Trivy or similar scanners. Organizations with constrained SOC budgets must rely on rigorous secret hygiene and disciplined credential rotation to detect and limit exfiltration. The recommended immediate actions—searching GitHub Actions, checking Trivy versions, rotating credentials and analyzing logs from March 19 onward—constitute a practical checklist teams can apply this week. CERT‑EU continues to investigate and has indicated that additional IOCs and affected parties may surface; teams are advised to follow GHSA‑69fq‑xp46‑6×23 and CERT‑EU feeds for updates.
Broader implications for developers, security teams and businesses
For developers and SREs, the incident underscores the need to treat CI/CD runners and the tools they execute as part of the trust boundary. Automation identities, workflow configurations and artifact publishing processes require strict controls: token minimization, ephemeral authentication, and transparent build provenance. For security operations and incident response, the episode demonstrates that detecting supply‑chain compromises requires correlation across build systems, package registries, cloud audit trails and outbound network telemetry. Business stakeholders should recognize supply‑chain risk as an enterprise risk that can lead to significant data exposure—even when the initial compromise appears limited to a developer tool.
Practical next steps for teams who have not yet begun remediation
Teams that have not yet acted should prioritize these steps:
- Immediately search for Trivy usages in all CI/CD workflows and artifact repositories.
- Confirm whether any runners executed Trivy between March 19 and March 28, 2026; if so, assume compromise and rotate secrets.
- Compare stored Trivy artifacts to the 27 SHA‑256 hashes published in the advisory to identify known malicious binaries.
- Add the documented IOCs—scan.aquasecurtiy.org, 45.148.10.212, and the github.com/tpcp-docs-* repositories—to egress and detection rules.
- Rebuild and redeploy images created in the affected window to eliminate potential persistence in image layers.
How the industry can reduce repeat incidents
The advisory’s mitigation recommendations point to systemic changes: embrace provenance standards like SLSA, avoid long‑lived static credentials in CI, enforce minimal privilege and temporal scoping for secrets, pin external dependencies by SHA and isolate security tooling. These measures reduce the attack surface for supply‑chain compromise and improve the ability to detect anomalous activity quickly. Vendors and project maintainers should also harden their release processes to prevent token leakage and enforce stricter controls on automation identities.
The attack on Trivy is a reminder that tooling designed to protect systems can, if compromised, become the means of their subversion. The industry should respond by treating build provenance, ephemeral authentication, and minimal‑access execution environments as first‑class security controls within development and operations toolchains.
Looking forward, expect additional technical details and IOCs as CERT‑EU and Aqua finalize the post‑mortem and update the advisory GHSA‑69fq‑xp46‑6×23; security teams should maintain subscriptions to those feeds and keep tracking changes to the published artifact hashes and indicators. Maintaining vigilance around CI/CD tooling, applying the mitigations noted here, and treating supply‑chain risk as an ongoing operational concern will be central to limiting the impact of similar incidents in the months ahead.
