About Trivy: A Closer Look at What Is Happening Across CI/CD Ecosystems. Staying Alert! (31st Mar 2026)

Preface: According to Mandiant, over a thousand SaaS environments have been impacted by ongoing supply chain compromises of Aqua Security’s open-source scanner Trivy, and researchers predict that the impact may grow by an order of magnitude.

Researchers have since reported multiple downstream attacks enabled by the compromise, possibly via implementations of Trivy. Sysdig observed the TeamPCP infostealer deployed in a GitHub action belonging to another software supply chain security developer, Checkmarx. Aikido Security reported attacks targeting the npm ecosystem and Kubernetes, spreading a persistent Python backdoor through “CanisterWorm,” which steals npm tokens to propagate itself through developers’ packages.

Background: Trivy is a popular open-source vulnerability and security scanner maintained by Aqua Security. Trivy is a “universal” scanner that consolidates multiple security checks into a single tool:

  • Vulnerability Scanning: Detects known vulnerabilities (CVEs) in operating system packages (e.g., Alpine, RHEL, Ubuntu) and language-specific dependencies (e.g., npm, pip, Go modules).
  • Misconfiguration Detection: Scans Infrastructure as Code (IaC) files like Terraform, Dockerfiles, Kubernetes manifests, and CloudFormation to find security flaws.
  • Secret Scanning: Identifies hardcoded sensitive information such as passwords, API keys, and tokens within code or container images.

A closer look at the Trivy design weakness:

The Mechanism: In Git, version tags (like @v1 or @v0.24.0) are mutable: a tag is only a named pointer to a commit, and, unlike a commit hash, it can be reassigned to a different commit. The attackers used compromised credentials to “poison” 76 out of 77 existing version tags for trivy-action, pointing them to a new, malicious commit that contained a credential stealer.

The “Design Weakness”: Because pipelines usually reference an action by tag, and the runner resolves that tag to whatever commit it currently points at on every run, thousands of organizations executed the malicious code without any changes to their own workflow files.
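The practical check that follows from the two points above is whether a workflow references actions by a movable tag or by a full commit SHA, since only the latter cannot be retargeted. As an added example (not code from this post, from Aqua Security, or from the trivy-action project), here is a small Python audit that scans a GitHub Actions workflow for `uses:` references and flags the ones that are not pinned to a 40-character commit id. The embedded workflow is constructed for illustration, the all-zero commit id is a placeholder rather than a real trivy-action commit, and the regex-based parsing and function names are my own assumptions.

```python
import re

# Matches a `uses:` step reference and captures the action path and the ref
# after '@'. Regex parsing is an assumption made here to avoid a YAML dependency.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([^@'\"\s]+)@([^'\"\s#]+)", re.MULTILINE
)
# A full Git commit id is exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow: one mutable tag per action, one SHA-pinned step.
# The 40-zero commit id is a placeholder, not a real trivy-action commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy (mutable tag, retargetable by whoever controls the repo)
        uses: aquasecurity/trivy-action@v0.24.0
      - name: Run Trivy (pinned to a commit; the tag is kept only as a comment)
        uses: aquasecurity/trivy-action@0000000000000000000000000000000000000000 # v0.24.0 (placeholder SHA)
      - uses: ./.github/actions/local
"""


def classify_ref(ref):
    """Return 'sha' for a full 40-hex commit id, otherwise 'mutable'.

    Branch names, tags such as v4 or v0.24.0, and abbreviated SHAs all count as
    mutable, because none of them is guaranteed to resolve to the same commit
    on the next run.
    """
    return "sha" if FULL_SHA_RE.fullmatch(ref) else "mutable"


def audit_workflow(text):
    """Return one finding per remote `uses:` reference in the workflow text."""
    findings = []
    for match in USES_RE.finditer(text):
        action, ref = match.group(1), match.group(2)
        # Local actions and docker:// images are outside the scope of tag pinning.
        if action.startswith("./") or action.startswith("docker://"):
            continue
        findings.append({"action": action, "ref": ref, "pin": classify_ref(ref)})
    return findings


def mutable_actions(text):
    """Only the findings a reviewer has to act on: references that can move."""
    return [f for f in audit_workflow(text) if f["pin"] == "mutable"]


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        flag = "OK " if finding["pin"] == "sha" else "FIX"
        print(f"{flag} {finding['action']}@{finding['ref']}")
```

Run it against the workflow files under `.github/workflows/` and treat every `FIX` line as a reference that a tag retargeting like the one described above would silently redirect. Pinning to a commit id removes that path; the version tag kept in the trailing comment is only there so a reviewer can tell which release the SHA was taken from.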

Official details: see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-33634
