The Trivy Supply Chain Ambush: How a Vulnerability Scanner Became the Attack Vector

Between March 19 and 23, 2026, threat actors compromised Aqua Security's CI/CD pipeline and poisoned Trivy images with malware. If you pulled the wrong version, your secrets are at risk.

Screenshot of Docker Hub with a warning banner showing compromised Trivy image versions alongside a timeline of the attack from March 19-23, 2026.

⚡ Key Takeaways

  • Attackers compromised Aqua Security's CI/CD pipeline and poisoned Trivy images on Docker Hub between March 19-23, 2026, embedding an infostealer that targeted CI/CD secrets, cloud credentials, and SSH keys.
  • The attack was especially dangerous because Trivy is a security scanner that typically runs with elevated permissions and socket access in CI/CD pipelines, giving compromised images near-root access.
  • You can check if you're affected by searching your local registries and artifact repositories for three specific compromised image digests; if found, remove them immediately and rotate all credentials that system could have accessed.
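
The digest check from the last takeaway, as an added example that is not code from the original article, Docker, or Aqua Security. The three digests are constructed placeholders (this page does not list the real ones), and the function names and sample inventory are hypothetical.

```shell
#!/bin/sh
# CONSTRUCTED placeholder digests, not real indicators. Replace them with the
# three digests published in the vendor advisory before running a real check.
COMPROMISED_DIGESTS="sha256:1111111111111111111111111111111111111111111111111111111111111111
sha256:2222222222222222222222222222222222222222222222222222222222222222
sha256:3333333333333333333333333333333333333333333333333333333333333333"

# Write the digest list to a temp pattern file, dropping blank lines
# (an empty pattern would make grep -F match every input line).
_pattern_file() {
  f=$(mktemp) || return 1
  printf '%s\n' "$COMPROMISED_DIGESTS" | sed '/^[[:space:]]*$/d' > "$f"
  printf '%s\n' "$f"
}

# Filter an image inventory on stdin (one "repo:tag@sha256:..." per line) down
# to entries carrying a listed digest. Exit status 0 means at least one hit.
match_inventory() {
  pf=$(_pattern_file) || return 2
  rc=0; grep -F -f "$pf" || rc=$?
  rm -f "$pf"
  return "$rc"
}

# Inventory of the local Docker image store, in the format match_inventory reads.
# Images with no repo digest show "<none>" and can never match.
local_inventory() {
  docker images --digests --no-trunc --format '{{.Repository}}:{{.Tag}}@{{.Digest}}'
}

# Search a directory tree (CI configs, manifests, lockfiles) for references
# pinned to a listed digest. Prints file:line:text for each hit.
scan_tree() {
  pf=$(_pattern_file) || return 2
  rc=0; grep -rnF -f "$pf" -- "$1" || rc=$?
  rm -f "$pf"
  return "$rc"
}

# CONSTRUCTED sample inventory showing the expected behaviour offline.
sample_inventory() {
  cat <<'EOF'
registry.example/tools/trivy:ci@sha256:2222222222222222222222222222222222222222222222222222222222222222
registry.example/tools/trivy:old@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
alpine:3.19@sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
EOF
}
```

On a host with Docker, `local_inventory | match_inventory` lists affected local images, and `scan_tree <dir>` finds pinned references in a checked-out repository. Matching is on the digest rather than the tag, because a tag can be re-pointed while a digest identifies one exact image.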
Published by

Open Source Beat

Originally reported by Docker Blog
