Critical Supply Chain Exploit in Aquasecurity Trivy (CVE-2026-33634) Threatens Container Security
What It Is — A critical (CVSS 9.3) vulnerability in Aquasecurity's open-source container image scanner Trivy (CVE-2026-33634) has been added to the U.S. CISA Known Exploited Vulnerabilities (KEV) catalog. Attackers who had compromised developer credentials published a malicious Trivy binary (v0.69.4) and tampered with the associated GitHub Actions so that pipelines running them would harvest secrets and exfiltrate data.
Exploitability — Exploitation in the wild is confirmed; the malicious release was observed on 19 Mar 2026. The compromised GitHub Action workflow is publicly visible and serves as a working proof of concept, so no further exploit development is required.
Affected Products — Aquasecurity Trivy v0.69.4 (the compromised release) and any later build derived from the compromised source, i.e. every version before the first verified clean release; Trivy container-image scanning binaries obtained during the compromise window; and any CI/CD pipeline that pulls Trivy from public registries or uses the compromised GitHub Actions.
TPRM Impact — This is a supply-chain attack on a widely used third-party security tool. Organizations that run Trivy in their DevSecOps pipelines may have executed the malicious code without knowing it, exposing every credential and data source the pipeline could reach and risking downstream compromise of the container workloads the scanner had access to.
Recommended Actions
- Immediately remove all Trivy v0.69.4 artifacts (binaries, container images, and cached downloads on CI runners) and any later version built from the compromised source.
- Rotate every secret, API key, and credential that was available to a pipeline that ran Trivy between 19 and 20 Mar 2026; assume anything the runner could read was read.
- Pin GitHub Actions to immutable full-length commit SHAs rather than mutable version tags or branch names, since a tag or branch can be moved to point at malicious code.
- Review CI and audit logs for unexpected Trivy executions, unusual outbound connections from runners, and secret access outside normal patterns.
- Upgrade to the latest verified Trivy release and verify its provenance before use (e.g., check the release signature or build attestation and the checksum of the downloaded binary or image). An SBOM describes what a build contains, not where it came from, so it does not by itself establish that a build is legitimate.
- Federal civilian agencies must remediate by 9 Apr 2026 under CISA's KEV directive (BOD 22-01); private organizations should hold themselves to the same deadline.
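The following script is an added example for this page, not code from SecurityAffairs, CISA, or the Trivy project. It audits GitHub Actions workflow files for the two things the list above asks you to fix: `uses:` references pinned to a tag or branch instead of a full commit SHA, and any step that still references the compromised v0.69.4 release, whether as a `version:` input to a Trivy action step or as a CLI download in a `run:` line. It then shows the pinning rewrite. The sample workflow, the `EXAMPLE_PINS` map, and every 40-hex value in them are constructed placeholders, not real commits; the action name `aquasecurity/trivy-action` is the real Aqua action, everything else is illustrative.

```python
"""Audit GitHub Actions workflows for unpinned action references and for
references to the compromised Trivy release, then pin the mutable ones.

Added example; not code from SecurityAffairs, CISA or the Trivy project.
SAMPLE_WORKFLOW and EXAMPLE_PINS are constructed for illustration, and all
40-hex values are placeholders, not real commits: replace them with SHAs you
have verified against the upstream repository yourself.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# `uses: owner/repo[/subdir]@ref`, optionally quoted, with or without the
# leading list dash.  Local (`./path`) and `docker://` references do not match
# and are deliberately ignored: they are not fetched from GitHub by tag.
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?'
    r'(?P<repo>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^"\'\s#]+)'
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Version string of the compromised release named in the advisory.
COMPROMISED_TRIVY_VERSION = "0.69.4"


@dataclass
class Finding:
    line: int
    kind: str    # "mutable-ref" or "compromised-trivy"
    detail: str


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per offending line of a workflow file."""
    findings: list[Finding] = []
    in_trivy_step = False   # True while inside a step whose `uses:` names Trivy
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(raw)
        if m:
            repo, ref = m.group("repo"), m.group("ref")
            in_trivy_step = "trivy" in repo.lower()
            # A tag (v4) or branch (master) can be moved; only a full SHA cannot.
            if not FULL_SHA_RE.match(ref):
                findings.append(Finding(lineno, "mutable-ref", f"{repo}@{ref}"))
        # The version may sit in a `with:` input of a Trivy action step or in a
        # `run:` line that downloads the CLI, so check both contexts.
        if COMPROMISED_TRIVY_VERSION in raw and (in_trivy_step or "trivy" in raw.lower()):
            findings.append(Finding(lineno, "compromised-trivy", raw.strip()))
    return findings


def pin_to_sha(text: str, pins: dict[str, str]) -> str:
    """Rewrite `uses: repo@<tag>` to `uses: repo@<sha>  # <tag>` for each repo
    in `pins` (keyed exactly as written in the workflow).  The trailing comment
    keeps the human-readable version so update bots can still track it."""
    out = []
    for raw in text.splitlines():
        m = USES_RE.match(raw)
        if m and not FULL_SHA_RE.match(m.group("ref")) and m.group("repo") in pins:
            sha = pins[m.group("repo")]
            if not FULL_SHA_RE.match(sha):
                raise ValueError(f"pin for {m.group('repo')} is not a full 40-hex SHA")
            start, end = m.span("ref")
            raw = f"{raw[:start]}{sha}{raw[end:]}  # {m.group('ref')}"
        out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample workflow (not a real repository's file; the SHA on the
# last step is a placeholder).
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan image with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ghcr.io/example/app:latest
          version: v0.69.4
      - name: Install Trivy CLI
        run: curl -sSfL https://github.com/aquasecurity/trivy/releases/download/v0.69.4/trivy_0.69.4_Linux-64bit.tar.gz | tar xz
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567  # v4
"""

# Placeholder pins (40 hex digits so they pass FULL_SHA_RE); NOT real commits.
EXAMPLE_PINS = {
    "actions/checkout": "1" * 40,
    "aquasecurity/trivy-action": "2" * 40,
}

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line:>3}  {f.kind:<18} {f.detail}")
    print("--- after pinning ---")
    for f in audit_workflow(pin_to_sha(SAMPLE_WORKFLOW, EXAMPLE_PINS)):
        print(f"line {f.line:>3}  {f.kind:<18} {f.detail}")
```

Pinning alone does not close the hole: after `pin_to_sha` runs, the audit still reports the `version: v0.69.4` input and the CLI download line, which is why the removal and upgrade steps have to happen alongside the pinning. Run the audit over every file under `.github/workflows/` and treat a `mutable-ref` finding on a security tool as a merge blocker, since that is exactly the reference an attacker who controls the upstream repository can repoint.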
Source: SecurityAffairs