TP-2026-0024 critical AI Draft C

Trivy Supply Chain Compromise Hits GitHub Actions and Container Releases (CVE-2026-33634)

Date March 19, 2026
Attack Type supply-chain Sector Technology / Open Source
Geography Global
Threat Actor Unknown
Attribution A6
CVEs CVE-2026-33634
Confidence C

Summary

On March 19, 2026, Aqua Security disclosed that a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in aquasecurity/trivy-action, and replace all seven aquasecurity/setup-trivy tags with malicious commits. The GitHub security advisory later added a second event on March 22, when the attacker used separately compromised Docker Hub credentials to publish malicious aquasec/trivy:0.69.5 and 0.69.6 images.

The incident mattered because it targeted trusted CI/CD and developer distribution paths rather than a single downstream environment. Aqua and the Canadian Centre for Cyber Security both warned that organizations using the affected versions should treat accessible pipeline secrets as potentially exposed and move to the safe releases immediately.

Technical Analysis

The confirmed compromise surface covered three distinct Trivy distribution channels: the core Trivy binary release, the trivy-action GitHub Action, and the setup-trivy GitHub Action. Aqua’s incident discussion said the March 19 activity followed an earlier credential compromise that had not been fully contained, while Microsoft’s incident analysis described the later malicious releases as the execution phase of that broader supply-chain intrusion.

The attack worked because many CI/CD workflows trusted mutable release tags and automated download channels. GitHub’s advisory and Aqua’s incident notes both said the attacker redirected trusted version tags to malicious commits, which meant existing workflow references could execute attacker-controlled code without any visible workflow-file change. Aqua separately said the Docker Hub images 0.69.5 and 0.69.6 were published with different compromised credentials than the GitHub-side releases.

Public advisories do not require a broader downstream victim narrative to establish severity. The source-backed facts are enough: affected workflows and developer environments could execute malicious Trivy artifacts, and Aqua said any secrets available to those environments should be considered exposed if the compromised versions ran during the documented exposure windows.

Attack Chain

Stage 1: Credential Reuse

The attacker retained or regained access to credentials tied to Trivy release and automation workflows. Aqua said the earlier containment process was incomplete, and Microsoft described the March 19 activity as reuse of access from a prior incident that had not been fully remediated.

Stage 2: Trusted Distribution Tampering

Using those credentials, the attacker published a malicious Trivy v0.69.4 release and rewired trusted GitHub Action tags for trivy-action and setup-trivy to malicious commits. On March 22, the attacker also published malicious Docker Hub images for Trivy 0.69.5 and 0.69.6.

Stage 3: Workflow or Developer Execution

Organizations that referenced affected action tags or downloaded the compromised Trivy releases executed attacker-controlled code through normal CI/CD or developer workflows. SHA-pinned action references and container image digests materially reduced exposure because they were not redirected by mutable tags.

Stage 4: Secret Exposure and Follow-on Risk

Once the malicious artifacts ran, the main risk shifted to exposed credentials and tokens inside runner or developer environments. Aqua’s guidance was to assume secrets available to affected environments were compromised and rotate them accordingly.

Impact Assessment

The incident created a global software supply-chain risk because Trivy and its GitHub Actions are widely used in build, scan, and release pipelines. GitHub’s advisory documented exposure windows of about three hours for Trivy v0.69.4, about twelve hours for trivy-action, about four hours for setup-trivy, and about ten hours for the malicious Docker Hub images.

For affected organizations, the practical impact was potential credential exposure rather than a guaranteed confirmed breach. Aqua’s response guidance focused on rotating pipeline secrets, auditing workflows and pull history for affected versions, and replacing mutable references with safe versions or immutable SHAs. That is the narrow, defensible impact statement supported by the vendor and government advisories.

Attribution

The Aqua and GitHub advisories describe a threat actor using compromised credentials, but they do not establish a confirmed public actor identity for the Trivy compromise itself. Microsoft later attributed the broader campaign activity it tracked to a threat actor identifying as TeamPCP, but that attribution sits in a wider campaign analysis rather than in Aqua’s primary incident disclosure.

Because the strongest primary sources for this incident stop short of a vendor-confirmed actor identity, the actor field remains Unknown and the attribution claim stays limited to the broader investigation discussed by Microsoft.

Timeline

2026-03-19 - Event

Aqua observed malicious publication of Trivy v0.69.4 and malicious tag rewrites affecting trivy-action and setup-trivy.

2026-03-20 - Event

Aqua published incident guidance, listed exposure windows, and instructed users to move to safe releases and rotate secrets if affected artifacts had run.

2026-03-21 - Event

The GitHub security advisory GHSA-69fq-xp46-6x23 was published for the Trivy ecosystem compromise.

2026-03-22 - Event

The attacker used separately compromised Docker Hub credentials to publish malicious Trivy 0.69.5 and 0.69.6 images.

2026-03-26 - Event

The Canadian Centre for Cyber Security published advisory AV26-283, confirming active exploitation and the affected Trivy components.

Remediation & Mitigation

Move immediately to the safe versions named in the advisory set: Trivy v0.69.3, trivy-action v0.35.0, and setup-trivy v0.2.6. For container use cases, verify image provenance and prefer trusted digests over mutable tags when possible.

If any affected artifact ran during the exposure windows, treat secrets available to that environment as compromised. Aqua specifically advised rotating pipeline secrets immediately and reviewing workflow runs that referenced trivy-action, setup-trivy, or the affected Trivy releases during the documented windows.

The longer-term mitigation lesson is to reduce trust in mutable distribution references. Aqua recommended SHA pinning for GitHub Actions, while the GitHub advisory also included signature-verification guidance for container artifacts. The operational goal is to make tag hijacking or credential-driven release tampering less useful the next time a trusted automation path is compromised.

Sources & References

trivygithub-actionssupply-chainci-cdcontainer-images