Widely used Trivy scanner compromised in ongoing supply-chain attack

Hackers have compromised virtually all versions of Aqua Security’s widely used Trivy vulnerability scanner in an ongoing supply chain attack that could have wide-ranging consequences for developers and the organizations that rely on it.

Trivy maintainer Itay Shakury confirmed the compromise on Friday, following rumors and a thread, since deleted by the attackers, discussing the incident. The attack began in the early hours of Thursday. When it was done, the threat actor had used stolen credentials to force-push all but one of the trivy-action tags and seven setup-trivy tags to use malicious dependencies.

Assume your pipelines are compromised

A force push is a git push option that bypasses a default safety mechanism protecting existing commits from being overwritten. Trivy is a vulnerability scanner that developers use to detect vulnerabilities and inadvertently hardcoded authentication secrets in the pipelines that build and deploy software updates. The scanner has 33,200 stars on GitHub, a high rating that indicates it’s used widely.
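The practical consequence of the tag rewrite is that any workflow referencing these actions by tag pulled the attacker's code on its next run, while a step pinned to a full commit SHA could not be redirected. The following Python audit, an added example that is not from the article or from the Trivy project, flags `uses:` references in a GitHub Actions workflow that resolve through a mutable tag or branch instead of a commit SHA; the repository names aquasecurity/trivy-action and aquasecurity/setup-trivy are assumed, and the sample workflow is constructed here.

```python
import re

# Only a full 40-hex commit SHA is immutable; tags and branches (v4, 0.28.0,
# main) can be force-pushed to point at different code.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")

# Actions named in the incident (assumed repository names).
WATCHLIST = ("aquasecurity/trivy-action", "aquasecurity/setup-trivy")

# Constructed sample workflow, not from the article; the 40-hex ref is a
# made-up placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.0
      - name: Scan
        uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-lint
"""

def parse_uses(workflow_text):
    # Return (line_no, action, ref) for every remote action the workflow uses.
    refs = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue  # local path or container image: not a GitHub tag ref
        action, _, ref = spec.partition("@")
        refs.append((line_no, action, ref))
    return refs

def audit(workflow_text, watchlist=WATCHLIST):
    # Flag every step whose ref a force-pushed tag could silently redirect.
    findings = []
    for line_no, action, ref in parse_uses(workflow_text):
        if SHA_RE.match(ref):
            continue  # pinned to a commit: rewriting a tag cannot reach it
        severity = "high" if action in watchlist else "medium"
        findings.append((line_no, action, ref or "<none>", severity))
    return findings
```

A SHA pin only guarantees the step cannot be moved underneath you; the pinned commit still has to come from a release you reviewed, and a rewritten tag in a run that already happened is found from the job logs, not from this check.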


2 Comments

  1. bhermann

    This post highlights a critical issue in the cybersecurity landscape. It’s concerning to see such a widely used tool being compromised. Awareness of these vulnerabilities is essential for all users in the industry.

  2. rparisian

    compromise affect a widely used tool. It’s a reminder of the importance of regularly updating and auditing our security tools. Additionally, this incident underscores the need for enhanced transparency and security measures in the software supply chain.
