Trivy, the widely used open source vulnerability scanner from Aqua Security, was compromised for the second time in three weeks on March 19, 2026. A malicious v0.69.4 release was published that contained a typosquat C2 domain (scan.aquasecurtiy.org). The GitHub Actions aquasecurity/trivy-action (compromised for ~12 hours) and aquasecurity/setup-trivy (~4 hours) had credential stealers injected via imposter commits. The malware harvested GitHub Actions Runner worker memory via /proc/<pid>/mem to extract secrets, encrypted them with RSA-4096, and exfiltrated them to the attacker's domain. Docker Hub images v0.69.5 and v0.69.6 were also found to be compromised. 45 of 767 analyzed public repositories had confirmed compromised runs, and 5 of those had custom secrets (AWS, Docker Hub, GHCR tokens) directly exposed. The attacker also deleted the original incident disclosure discussion and flooded the replacement discussions with spam bots. Recovery steps include scanning with the open-sourced trivy-compromise-scanner, rotating all exposed credentials, and pinning to safe versions.
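Two of the recovery steps above, checking build output for the exfiltration domain and pinning actions so an imposter commit behind a moved tag cannot reach a workflow, can be automated. The script below is an added example written for this summary; it is not code from the StepSecurity write-up, from trivy-compromise-scanner, or from the Trivy project. It assumes workflow files use the standard `uses:` syntax, treats any reference that is not a full 40-hex commit SHA as mutable, and scans log lines for the one indicator the summary names (scan.aquasecurtiy.org). The sample workflow, the placeholder SHA and the log lines are constructed for illustration.

```python
"""Audit GitHub Actions workflows for unpinned actions and scan job logs for
the typosquat domain from the Trivy incident.  Added example; the sample
workflow text, placeholder SHA and log lines below are constructed."""
import re

# Indicator from the incident summary (the only real value in this file).
IOC_DOMAINS = {"scan.aquasecurtiy.org"}
# Actions named in the summary; findings on these are rated high.
WATCHED_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: owner/repo@ref` whether or not the line starts a list item.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)


def audit_workflow(text):
    """Return (action, ref, severity, reason) for every third-party action
    that is not pinned to a full commit SHA."""
    findings = []
    for m in USES_RE.finditer(text):
        ref = m.group(1).strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local composite action or container image: nothing to pin here
        if "@" not in ref:
            findings.append((ref, "", "high", "no version reference at all"))
            continue
        action, version = ref.rsplit("@", 1)
        if SHA_RE.match(version):
            continue  # immutable: a moved tag cannot change what runs
        severity = "high" if action in WATCHED_ACTIONS else "medium"
        findings.append((action, version, severity,
                         f"pinned to mutable ref '{version}', not a commit SHA"))
    return findings


def scan_log(lines):
    """Return (line_number, domain) for every log line mentioning an IoC domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for domain in IOC_DOMAINS:
            if domain in low:
                hits.append((n, domain))
    return hits


# Constructed sample workflow: one SHA-pinned step (placeholder SHA), two
# tag/branch-pinned Trivy steps, and one local action.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111
      - uses: aquasecurity/setup-trivy@v1
      - name: Run Trivy
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
      - uses: ./.github/actions/local-step
"""

# Constructed sample job log with one line that contacts the IoC domain.
SAMPLE_LOG = [
    "2026-03-19T10:02:11Z Downloading trivy v0.69.4",
    "2026-03-19T10:02:13Z POST https://scan.aquasecurtiy.org/upload 200",
    "2026-03-19T10:02:14Z Scan complete",
]

if __name__ == "__main__":
    for action, ref, sev, why in audit_workflow(SAMPLE_WORKFLOW):
        print(f"[{sev}] {action}: {why}")
    for n, domain in scan_log(SAMPLE_LOG):
        print(f"[ioc] log line {n} references {domain}")
```

Run against a checkout of `.github/workflows/*.yml` and downloaded job logs, the two findings on the sample workflow are the setup-trivy and trivy-action steps (both rated high because they are the actions named in the incident), and the one log hit is the POST to the typosquat domain. SHA pinning is only a partial control on its own: the SHA you pin to must itself be a reviewed commit, which is why the summary pairs it with scanning and credential rotation.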

From stepsecurity.io (20 min read)
Table of contents

What Happened
Harden-Runner Detected Compromised Runs in Community Tier Projects
Harden-Runner Analysis of the Compromised setup-trivy Commit
Evidence from the GitHub Events API
Timeline
Indicators of Compromise
Which secrets were exposed?
For the Community: Recovery Steps
For StepSecurity Enterprise Customers
Community Detection and Responsible Disclosure
Acknowledgement
References
