
Trivy Compromised a Second Time - Malicious v0.69.4 Release

On March 19, 2026, trivy — a widely used open source vulnerability scanner maintained by Aqua Security — experienced a second security incident. Three weeks after the hackerbot-claw incident on February 28 that resulted in a repository takeover, a new compromised release (v0.69.4) was published to the trivy repository. The original incident disclosure discussion (#10265) was also deleted during this period, and version tags on the aquasecurity/setup-trivy GitHub Action were removed. Trivy maintainers deleted the v0.69.4 tag and Homebrew downgraded to v0.69.3. The following is a factual account of what we observed through public GitHub data.
Varun Sharma

March 20, 2026


This is an active investigation. We are continuing to monitor the situation and will update this post as new information becomes available.


In addition, we found evidence that the aquasecurity/setup-trivy GitHub Action was also compromised. A commit (8afa9b9) — listed as an IOC in the deleted discussion — contains a comprehensive credential stealer injected into action.yaml. All version tags on setup-trivy have been deleted except v0.2.6, which points to a clean commit.

What Happened

Background: The Original Compromise (February 28, 2026)

On February 28, an autonomous bot called hackerbot-claw exploited a pull_request_target workflow in aquasecurity/trivy to steal a Personal Access Token (PAT). The stolen credential was used to take over the repository — privatizing it, deleting all GitHub Releases between v0.27.0 and v0.69.1, and pushing a suspicious artifact to the Trivy VSCode extension on the Open VSX marketplace. Aqua Security disclosed the incident in discussion #10265 and remediated the immediate damage.

StepSecurity documented the full campaign in our hackerbot-claw blog post.

The Second Compromise (March 19, 2026)

Three weeks later, the attacker struck again. Based on the GitHub Events API, repository activity, and IOCs shared before the incident discussion was deleted, here is what we have confirmed:

1. Malicious trivy v0.69.4 Published

The trivy release automation (aqua-bot) published v0.69.4 and a v0.70.0 tag was also briefly created. The v0.69.4 binaries contained malicious code that phones home to a typosquat C2 domain. The release triggered normal downstream automation — Homebrew picked it up, a helm chart bump PR was opened, and documentation was deployed.

2. Original Incident Discussion Deleted

Discussion #10265 — Aqua Security's original incident disclosure from the February compromise — was deleted. This discussion contained active conversation about the new v0.69.4 compromise. As user bored-engineer noted:

"To be explicit, it wasn't just discussion on the previous well reported compromise, there was active discussion on the new (as of today) compromise of v0.69.4 trivy binaries. Judging by the subsequent spam comments on this issue, it's likely the threat actor deleted the discussion to slow down the response by impacted users/orgs."

Discussion #10420: bored-engineer confirms v0.69.4 binaries were compromised and shares IOCs recovered from the deleted discussion.

3. Spam Bot Flood

Within minutes of discussion #10420 being opened (asking why the incident discussion was deleted), a wave of spam bot accounts flooded the thread:

  • Two accounts posted "sugma and ligma, teampcp owns you" at 00:01 UTC
  • At least 17 bot accounts posted generic praise comments ("this solved my issue", "worked perfectly for me") within a single second at 00:08 UTC — a clear coordinated bot attack to bury the real discussion

Spam bot flood on discussion #10420: attacker-controlled accounts posted taunts and then 17 generic praise comments within a single second to bury the real discussion.

4. setup-trivy GitHub Action Compromised

The aquasecurity/setup-trivy GitHub Action — used in CI pipelines to install trivy — was also compromised. All version tags have been removed except v0.2.6, and the IOC aquasecurity/setup-trivy@8afa9b9 (shared by bored-engineer from the deleted discussion) points to a commit containing a comprehensive credential stealer injected into action.yaml.

The Compromised Commit

GitHub displays a warning on commit 8afa9b9: "This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository." The commit is built on top of the legitimate 3fb12ec (current main HEAD) and uses the same commit message — "Pin Trivy install script checkout to a specific commit (#28)" — as a disguise. The legitimate commit has 4 additions; the malicious one has 117 additions and 12 deletions.

Commit 8afa9b9: GitHub warns it does not belong to any branch. Note +117/-12 changes vs the legitimate commit's +4/-0.

The injected code in the "Setup environment" step:

  • Harvests Runner process environment variables — scans /proc/*/environ for SSH and environment-related secrets
  • Reads GitHub Actions Runner worker memory (on Linux) — decodes a base64 Python script that locates the Runner.Worker process and reads its memory via /proc/<pid>/mem to extract secrets marked isSecret: true
  • Runs a comprehensive credential stealer (on other platforms) targeting SSH keys, Git credentials, AWS/GCP/Azure credentials, Kubernetes secrets, Docker configs, database credentials, Terraform state, crypto wallets (Solana, Bitcoin, Ethereum, Cardano), SSL private keys, shell histories, and more
  • Encrypts all collected data with a hardcoded RSA-4096 public key using hybrid encryption (AES-256-CBC + RSA-OAEP)
  • Exfiltrates to scan.aquasecurtiy.org — the same typosquat C2 domain listed as an IOC for the trivy compromise
  • Fallback exfiltration — if the C2 is unreachable and a GitHub PAT is available, creates a public repository called tpcp-docs on the victim's GitHub account and uploads the stolen data as a release asset. The name "tpcp" matches the "teampcp owns you" message posted by spam bots in discussion #10420.

The injected "Setup environment" step: harvests Runner process environment variables and includes base64-encoded Python payloads for memory reading and credential theft.
The exfiltration code: RSA-encrypted data sent to scan.aquasecurtiy.org, with fallback creating a tpcp-docs repo on the victim's GitHub account.
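A point-in-time check for the memory-read behaviour described above, added here as an example (it is not Harden-Runner's detection logic and not code from the compromised action): it walks /proc and reports any process holding another process's /proc/<pid>/mem open, which is the access path the injected step used to reach Runner.Worker secrets. The function names and the "/proc" layout assumptions are mine; it needs enough privilege to read other users' fd tables.

```python
import os
import re

MEM_RE = re.compile(r"^/proc/(\d+)/mem$")

def foreign_mem_target(reader_pid, link_target):
    """Pid whose memory `link_target` names, or None; a process's own
    /proc/<pid>/mem and /proc/self/mem are ignored."""
    m = MEM_RE.match(link_target)
    if not m:
        return None
    target = int(m.group(1))
    return None if target == reader_pid else target

def comm(pid, proc="/proc"):
    """Short process name from /proc/<pid>/comm, '?' if unreadable."""
    try:
        with open(f"{proc}/{pid}/comm") as f:
            return f.read().strip()
    except OSError:
        return "?"

def mem_readers(proc="/proc"):
    """Return (reader_pid, reader_comm, target_pid, target_comm) per foreign mem fd."""
    hits = []
    try:
        entries = os.listdir(proc)
    except OSError:          # not Linux, or /proc not mounted
        return hits
    for entry in entries:
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            fds = os.listdir(f"{proc}/{entry}/fd")
        except OSError:      # process exited, or its fds are not readable by us
            continue
        for fd in fds:
            try:
                target = os.readlink(f"{proc}/{entry}/fd/{fd}")
            except OSError:
                continue
            tpid = foreign_mem_target(pid, target)
            if tpid is not None:
                hits.append((pid, comm(pid, proc), tpid, comm(tpid, proc)))
    return hits

if __name__ == "__main__":
    for pid, name, tpid, tname in mem_readers():
        print(f"{name} (PID {pid}) holds {tname} (PID {tpid}) memory open")
```

A snapshot scan only catches a reader that still has the file open, so a short open/read/close sequence between scans is missed; continuous syscall monitoring (eBPF or auditd on openat of /proc/*/mem and ptrace) is what turns this into a reliable detection.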

Tag Deletions and Incident Response

The setup-trivy events API shows the following incident response activity:

  • 21:07 UTC: nikpivkin (trivy maintainer) deletes v0.2.5 tag
  • 21:34 UTC: itaysk adds simar7 as a collaborator
  • 21:43 UTC: simar7 publishes clean v0.2.6 release pointing to 3fb12ec

The deletion of the other tags (v0.2.0–v0.2.4) is not visible in the events API. The compromised commit likely originated from a fork — as GitHub's warning suggests — and the version tags were then moved to reference it. This is a known attack technique with GitHub Actions: tags can reference any commit in the repository's object store, including commits pushed via forks, so moving a tag to a fork commit is sufficient to serve malicious code to all users of that tag. The fact that all version tags were deleted during incident response confirms the tags were pointed to the compromised commit.
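One way to test for this condition before trusting a pinned ref, added here as an example rather than StepSecurity's or GitHub's code: ask GitHub's branches and compare endpoints whether the commit is reachable from any branch of the repository, which is the same property behind the "does not belong to any branch" warning. The fetcher is injectable; FAKE_API is constructed data modelled on the commits named above (main at 3fb12ec, 8afa9b9 built on top of it), not a recorded API response.

```python
import json
import re
import urllib.request

SHA_RE = re.compile(r"^[0-9a-f]{7,40}$")
API = "https://api.github.com/repos"

def github_fetch(url):
    """Unauthenticated GitHub REST call; add an Authorization header for real use."""
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.load(resp)

def is_imposter_commit(owner, repo, sha, fetch_json=github_fetch):
    """True if `sha` is not reachable from any branch tip of owner/repo.

    compare/{branch}...{sha} reports 'identical' or 'behind' when the commit is
    an ancestor of (or equal to) the branch tip; 'ahead' or 'diverged' means the
    commit exists in the object store but no branch leads to it."""
    if not SHA_RE.match(sha):
        raise ValueError(f"not a commit SHA: {sha!r}")
    base = f"{API}/{owner}/{repo}"
    for branch in fetch_json(f"{base}/branches?per_page=100"):
        cmp = fetch_json(f"{base}/compare/{branch['name']}...{sha}")
        if cmp.get("status") in ("identical", "behind"):
            return False
    return True

# Constructed offline stand-in for the API, modelled on the case above: main is
# at 3fb12ec, and 8afa9b9 was built on top of it but never landed on a branch.
FAKE_API = {
    f"{API}/aquasecurity/setup-trivy/branches?per_page=100": [{"name": "main"}],
    f"{API}/aquasecurity/setup-trivy/compare/main...3fb12ec": {"status": "identical"},
    f"{API}/aquasecurity/setup-trivy/compare/main...8afa9b9": {"status": "ahead"},
}

def fake_fetch(url):
    return FAKE_API[url]

if __name__ == "__main__":
    for sha in ("3fb12ec", "8afa9b9"):
        flag = is_imposter_commit("aquasecurity", "setup-trivy", sha, fake_fetch)
        print(f"{sha}: {'IMPOSTER (no branch contains it)' if flag else 'on a branch'}")
```

Repositories with more than 100 branches need pagination, and some projects legitimately cut release tags from commits that are on no branch, so treat a hit as a signal to inspect the commit rather than proof of tampering.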

Any CI pipeline pinned to a deleted tag is now broken. Users have reported this in issue #31, with a commenter noting: "Looks like all tags/releases other than 0.2.6 are gone."

Issue #31 on setup-trivy: users report all version tags except v0.2.6 have been deleted, breaking CI pipelines.

5. Homebrew Emergency Downgrade

Homebrew maintainer woodruffw filed PR #273304 to emergency downgrade trivy back to v0.69.3, using special labels (CI-version-downgrade, CI-no-bottles) to bypass the normal version audit. The PR was merged, reverting to the existing v0.69.3 bottles.

Homebrew emergency downgrade: PR #273304 merged to revert trivy from v0.69.4 back to v0.69.3.
The diff shows the URL and SHA256 hash reverting from the compromised v0.69.4 back to the clean v0.69.3.

Harden-Runner Analysis of the Compromised setup-trivy Commit

We ran the compromised setup-trivy@8afa9b9 commit in a controlled workflow with Harden-Runner in audit mode to observe its runtime behavior. Harden-Runner flagged two detections:

  • Imposter Commit — the action was detected as referencing a commit that does not belong to any branch on the repository
  • Runner Worker Memory Read: python3 (PID 2538) was observed reading /proc/2167/mem, the memory of the Runner.Worker process, to extract GitHub Actions secrets

Harden-Runner summary: 4 outbound destinations including scan.aquasecurtiy.org, and 2 detections — Imposter Commit and Runner Worker Memory Read.

The network events tab confirmed the outbound connections made by the credential stealer:

  • scan.aquasecurtiy.org:443 — the typosquat C2 domain receiving the encrypted stolen data
  • github.com:443 — API calls (likely the fallback exfil attempting to create the tpcp-docs repo)
  • get.trivy.dev:443 — the trivy install script (legitimate action behavior)
  • release-assets.githubusercontent.com:443 — downloading trivy binary (legitimate)

Network events: the credential stealer's curl calls to the C2 domain are clearly visible alongside legitimate trivy download traffic.
Process events: the setup-trivy step is flagged with an "Imposter Commit" badge and a "Suspicious Processes" indicator.

Suspicious process detail: python3 reading the Runner.Worker process memory at /proc/2167/mem to extract GitHub Actions secrets.

Evidence from the GitHub Events API

The trivy events API and setup-trivy events API provide a clear record of the incident. Key events from the trivy repo:

  • DeleteEvent: aqua-bot deletes v0.70.0 tag at 17:51 UTC
  • CreateEvent: github-actions[bot] creates branch ci/helm-chart/bump-trivy-to-0.69.4 at 18:30 UTC
  • PullRequestEvent: aqua-bot opens helm chart bump PR at 18:30 UTC
  • DiscussionEvent: devinbfergy opens discussion #10420 at 22:13 UTC
  • DeleteEvent: knqyf263 deletes v0.69.4 tag at 23:13 UTC

Trivy events API: DeleteEvent confirming knqyf263 deleted the v0.69.4 tag at 23:13 UTC.
Trivy events API: DeleteEvent showing aqua-bot deleted the v0.70.0 tag at 17:51 UTC.
setup-trivy events API: DeleteEvent showing nikpivkin deleted the v0.2.5 tag during incident response.

Timeline

March 19, 2026 — ~17:43 UTC

aqua-bot pushes to branch v0.69.4, triggering documentation deployment

March 19, 2026 — 17:51 UTC

aqua-bot deletes v0.70.0 tag

March 19, 2026 — 18:30 UTC

aqua-bot opens PR #10416: "ci(helm): bump Trivy version to 0.69.4 for Trivy Helm Chart 0.21.4"

PR #10416: The automated helm chart bump to v0.69.4 was closed without merging once the compromise was identified.
The helm chart diff shows the version bump that was retracted.

March 19, 2026 — 21:07 UTC

nikpivkin deletes v0.2.5 tag on aquasecurity/setup-trivy (compromised tag removed)

March 19, 2026 — 21:34 UTC

itaysk adds simar7 as collaborator on setup-trivy (incident response)

March 19, 2026 — 21:43 UTC

simar7 publishes clean setup-trivy@v0.2.6

March 19, 2026 — 21:50 UTC

Helm chart bump PR #10416 closed (not merged)

March 19, 2026 — 22:13 UTC

devinbfergy opens discussion #10420 asking why the incident discussion was deleted

March 19, 2026 — 23:05 UTC

Homebrew maintainer files emergency downgrade PR to revert trivy to v0.69.3

March 19, 2026 — 23:13 UTC

Trivy maintainer knqyf263 deletes v0.69.4 tag

March 19, 2026 — 23:56 UTC

bored-engineer confirms v0.69.4 binaries were compromised and shares IOCs from deleted discussion

March 20, 2026 — 00:01 UTC

Spam bots flood discussion #10420

Indicators of Compromise

The following IOCs were shared by bored-engineer in discussion #10420, copied from the now-deleted discussion #10265 before it was removed:

  • C2 domain: scan[.]aquasecurtiy[.]org — note the typo (securtiy vs security), a typosquat of Aqua Security's domain. Resolves to 45.148.10.212 (TECHOFF SRV LIMITED, Amsterdam, NL)
  • Referenced GitHub Action: aquasecurity/setup-trivy@8afa9b9 — listed in the shared IOCs as a legitimate commit whose workflows would have installed the compromised v0.69.4 binary; as documented above, this commit itself contains the injected credential stealer
  • Referenced checkout ref: actions/checkout@70379aa — a legitimate actions/checkout commit
  • Compromised trivy version: v0.69.4 (tag deleted by maintainer)
  • Deleted setup-trivy tags: all tags except v0.2.6 have been removed; it is unclear whether this was done by the attacker or as part of incident response
