
Aqua’s Trivy Vulnerability Scanner Hit by Supply Chain Attack


A threat actor compromised Aqua Security’s Trivy open source vulnerability scanner in a supply chain attack that started in late February.

On March 1, Trivy’s maintainers announced that the scanner’s GitHub repository had been compromised in an attack involving a GitHub Actions workflow issue. Some releases were deleted, and malicious versions of the application’s VS Code extension were published to the Open VSX marketplace.

The attack was part of a larger, automated attack campaign that hit multiple open source repositories via GitHub Actions workflows and resulted in a large natural-language prompt being injected into two malicious versions of Trivy’s VS Code extension.

Credentials exfiltrated during the initial incident were used last week in a new supply chain attack that targeted not only the Trivy package but also trivy-action and setup-trivy, Trivy’s maintainers have confirmed in a March 21 advisory.

“Following the initial disclosure on ...

Copyright of this story solely belongs to SecurityWeek.