Trivy Supply Chain Compromise via Credential Theft - Multi-Repository Malware Injection
Threat actors used compromised credentials to inject malware into Trivy releases and related GitHub Actions repositories, affecting users of v0.69.4-0.69.6 and action workflows. This demonstrates a critical supply chain attack vector targeting security tooling infrastructure.
CVE References
Affected
Vulnerability Description
This incident represents a credential compromise leading to unauthorized repository access and malware distribution. Root cause: stolen credentials with write access to critical repositories and DockerHub registries. The attacker exploited this to: (1) publish malicious Trivy binaries (v0.69.4-0.69.6), (2) force-push credential-stealing malware to 76/77 version tags in trivy-action, and (3) replace all 7 tags in setup-trivy with malicious commits. The vulnerability class is supply chain compromise via identity theft, with impact spanning CI/CD pipelines, development environments, and production deployments wherever these tools are used.
Proof-of-Concept Significance
This disclosure proves the feasibility of compromising security tooling distribution channels. The attack reliability was high (immediate propagation via official channels), with minimal preconditions (only requiring credential compromise—no zero-days needed). For defenders, this PoC demonstrates that even well-maintained projects with security focus remain vulnerable to credential-based attacks. The multi-vector approach (binary releases, git tags, container registries) shows attackers understand distribution complexity and exploit all pathways simultaneously.
Detection Guidance
Log Indicators:
- Audit logs showing unexpected force-pushes to version tags (especially mass operations on 76+ tags)
- DockerHub/registry logs with uncommon push times or from unusual IP addresses
- Release pipeline triggers at atypical hours (2026-03-19 ~17:43-21:44 UTC range)
- Commits authored by trusted accounts but with suspicious messages or timing
Technical Indicators:
- Binary hash mismatches between announced vs. downloaded Trivy v0.69.4-0.69.6
- Git commit signatures missing or invalid on suspicious tags
- Container image layer differences (compare manifest SHAs from multiple registries)
- Registry logs showing pulls of malicious image versions before removal
YARA/Detection Rules Focus Areas:
- Monitor for credential-stealing malware behavioral signatures in downloaded binaries
- Track file modifications in $HOME/.config/trivy/, CI/CD caches, and Docker volumes
- Alert on unexpected process spawning from Trivy execution contexts
Mitigation Steps
- Immediate: Invalidate and rotate all GitHub tokens/credentials with repository write access; audit DockerHub API tokens
- Verification: Audit usage of Trivy v0.69.4, v0.69.5, v0.69.6 and trivy-action/setup-trivy between 2026-03-19 17:43 - 2026-03-22 01:40 UTC
- Remediation: Upgrade to patched Trivy versions post-2026-03-22; re-verify binary signatures and container image SHAs against official announcements
- Prevention: (a) Enable MFA on all package registry accounts, (b) implement commit signing enforcement, (c) use SBOM verification, (d) deploy supply chain security scanning (Snyk, Dependabot)
- Credentials: Any credentials present in CI/CD environments affected during exposure window should be considered compromised
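One way to script the verification step above, as an added example that is not code from the Trivy project or from this advisory: it flags workflow references to trivy-action or setup-trivy that use a mutable tag instead of a full commit SHA, pins to the affected Trivy versions, and pipeline runs that started inside the stated exposure window. The function names are hypothetical, and the sample workflow (including its owner prefix and tag names) and the run timestamps are constructed inputs.

```python
import re
from datetime import datetime, timezone

# Exposure window and affected versions come from the advisory text.
WINDOW_START = datetime(2026, 3, 19, 17, 43, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 22, 1, 40, tzinfo=timezone.utc)

# Any owner matches, so forks and mirrors of the two action repos are covered.
USES_RE = re.compile(r"uses:\s*['\"]?([\w.-]+/(?:trivy-action|setup-trivy))@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
BAD_VERSION_RE = re.compile(r"(?<![\d.])v?0\.69\.[4-6](?![\d.])")

def audit_workflow(text):
    """Return (line_number, kind, detail) findings for one workflow file.

    A tag reference is flagged because tags can be force-pushed. A full
    commit SHA is not flagged, but should still be compared with a
    known-good commit before it is trusted.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # ignore trailing YAML comments
        m = USES_RE.search(code)
        if m and not FULL_SHA_RE.fullmatch(m.group(2)):
            findings.append((n, "mutable-ref", f"{m.group(1)}@{m.group(2)}"))
        v = BAD_VERSION_RE.search(code)
        if v:
            findings.append((n, "affected-version", v.group(0)))
    return findings

def in_exposure_window(run_started_at):
    """True if an ISO 8601 UTC timestamp falls inside the advisory's window."""
    ts = datetime.fromisoformat(run_started_at.replace("Z", "+00:00"))
    return WINDOW_START <= ts <= WINDOW_END

def triage(workflow_text, run_times):
    """Combine workflow findings with the runs that started in the window."""
    return audit_workflow(workflow_text), [t for t in run_times if in_exposure_window(t)]

# Constructed sample inputs (not taken from any real repository or run log).
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: aquasecurity/setup-trivy@v0.2.0
    with:
      version: v0.69.5
  - uses: aquasecurity/trivy-action@0.28.0
  - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567  # pinned
"""
SAMPLE_RUNS = ["2026-03-19T17:42:59Z", "2026-03-20T09:15:00Z", "2026-03-22T01:41:00Z"]

if __name__ == "__main__":
    print(triage(SAMPLE_WORKFLOW, SAMPLE_RUNS))
```

Any workflow with findings that also ran inside the window is a candidate for the credential rotation described in the last item above.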
Risk Assessment
Likelihood of Active Exploitation: Very high—malware was live in production registries for 3-12 hours across multiple endpoints, with automatic pull mechanisms in CI/CD pipelines. Threat Actor Interest: Extreme—security tooling is high-value for lateral movement and persistence. Impact Scope: Any organization using Trivy in automated pipelines, GitHub Actions workflows, or container deployments during exposure windows faces potential credential theft and runtime compromise. This attack pattern (targeting detection/scanning tools) represents an emerging trend toward compromising the blue-team toolchain itself.
Sources