CVE-2026-33634: CWE-506: Embedded Malicious Code in aquasecurity setup-trivy
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits. This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have used a still-valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack.

Affected components include the `aquasecurity/trivy` Go binary / container image version 0.69.4, the `aquasecurity/trivy-action` GitHub Action versions 0.0.1 – 0.34.2 (76 of 77 tags), and the `aquasecurity/setup-trivy` GitHub Action versions 0.2.0 – 0.2.6, prior to the recreation of 0.2.6 with a safe commit. Known safe versions include versions 0.69.2 and 0.69.3 of the Trivy binary, version 0.35.0 of trivy-action, and version 0.2.6 of setup-trivy.

In addition, take further steps to protect secrets. If there is any possibility that a compromised version ran in one's environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately. Check whether one's organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately. Review all workflows using `aquasecurity/trivy-action` or `aquasecurity/setup-trivy`. Those who referenced a version tag rather than a full commit SHA should check workflow run logs from March 19–20, 2026 for signs of compromise. Look for repositories named `tpcp-docs` in one's GitHub organization: the presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen. Pin GitHub Actions to full, immutable commit SHA hashes rather than mutable version tags.
AI Analysis
Technical Summary
CVE-2026-33634 describes a critical supply chain vulnerability in the aquasecurity Trivy project, specifically affecting the setup-trivy GitHub Action and related components. Attackers leveraged compromised credentials to publish a malicious Trivy v0.69.4 release and force-push malicious commits to nearly all version tags of aquasecurity/trivy-action and setup-trivy repositories. The incident is a continuation of an earlier credential compromise where incomplete rotation allowed attackers to maintain access and execute the March 19 attack. Affected versions include setup-trivy versions prior to 0.2.6, trivy-action versions 0.0.1 through 0.34.2, and Trivy binary v0.69.4. Known safe versions are Trivy v0.69.2 and v0.69.3, trivy-action v0.35.0, and setup-trivy v0.2.6 with a safe commit. The attack potentially exposed secrets accessible to affected CI/CD pipelines. The vulnerability is scored 9.4 CVSS 4.0 (critical) with network attack vector, low attack complexity, no user interaction, and high impact on confidentiality, integrity, availability, and security controls.
Potential Impact
The attack allowed malicious code insertion into widely used security scanning tools and GitHub Actions, potentially enabling credential theft and unauthorized access to secrets in CI/CD pipelines. The compromise of version tags and releases means users who pulled affected versions risked executing malicious code. Secrets accessible to affected workflows must be considered exposed. The incident undermines trust in the affected components and may lead to further downstream compromise if secrets are reused or not rotated. The CVSS 4.0 score of 9.4 reflects critical impact across confidentiality, integrity, availability, and security controls.
Mitigation Recommendations
No official patch links are provided, but known safe versions are identified: Trivy v0.69.2 and v0.69.3, trivy-action v0.35.0, and setup-trivy v0.2.6 with a safe commit. Users must immediately remove any affected artifacts and check if Trivy v0.69.4 or affected trivy-action/setup-trivy versions were used. All secrets accessible to affected pipelines should be treated as compromised and rotated immediately. Review workflow run logs from March 19–20, 2026 for signs of compromise, especially if version tags rather than immutable commit SHAs were used. Look for suspicious repositories named 'tpcp-docs' as indicators of exfiltration. To prevent similar attacks, pin GitHub Actions to full immutable commit SHA hashes instead of mutable version tags. Patch status is not explicitly confirmed; users should consult vendor advisories for updates.
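The workflow review steps in the Description and in these recommendations can be partly automated. The following Python script is an added example, not code from the advisory or from the Trivy project: it scans a GitHub Actions workflow file for `uses:` references to `aquasecurity/trivy-action` and `aquasecurity/setup-trivy`, classifies each reference against the affected and known-safe versions stated on this page, and flags any mention of the malicious v0.69.4 binary. The sample workflow, the `Finding` class and the severity labels are constructed for the example; the `version:` input in the sample only illustrates where a binary version may appear in a workflow. The script treats every tag, including the known-safe ones, as a mutable name: the only reference it reports as clean is a full commit SHA, and even that must be compared against the safe commit by hand, since the page lists no SHAs.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Affected tag ranges, as stated on this page (inclusive lower and upper bounds).
AFFECTED_RANGES = {
    "aquasecurity/trivy-action": ((0, 0, 1), (0, 34, 2)),
    "aquasecurity/setup-trivy": ((0, 2, 0), (0, 2, 6)),
}
# Tags the page lists as safe. They are still mutable names, so a match is only
# a "medium" finding: the fix is to pin the tag's commit SHA instead.
SAFE_TAGS = {
    "aquasecurity/trivy-action": {"0.35.0"},
    "aquasecurity/setup-trivy": {"0.2.6"},
}
MALICIOUS_TRIVY_VERSION = "0.69.4"

# `uses: owner/repo[/path]@ref`, optionally quoted, with an optional trailing comment.
USES_RE = re.compile(r"""uses:\s*["']?([\w.-]+/[\w.-]+)(?:/[^\s"'@]+)?@([^\s"'#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")
# Matches "0.69.4" or "v0.69.4" as a whole token (not 0.69.40, not 10.69.4).
TRIVY_VERSION_RE = re.compile(r"(?<![\w.])v?" + re.escape(MALICIOUS_TRIVY_VERSION) + r"(?![\w.])")


@dataclass
class Finding:  # constructed for this example
    line: int
    action: str
    ref: str
    severity: str
    reason: str


def parse_version(ref: str) -> Optional[tuple]:
    """Turn a tag like 'v0.28.0' into (0, 28, 0); branches and SHAs give None."""
    m = SEMVER_RE.match(ref)
    return tuple(int(x) for x in m.groups()) if m else None


def classify_ref(action: str, ref: str) -> tuple:
    """Return (severity, reason) for one `uses: owner/repo@ref` reference."""
    if FULL_SHA_RE.match(ref):
        return "info", "pinned to a full commit SHA; confirm it is a known-good commit"
    if action not in AFFECTED_RANGES:
        return "low", "mutable reference; pin to a full commit SHA"
    if ref.lstrip("v") in SAFE_TAGS[action]:
        return "medium", "tag listed as safe, but a tag is mutable; pin its commit SHA"
    version = parse_version(ref)
    low, high = AFFECTED_RANGES[action]
    if version is not None and low <= version <= high:
        return "critical", f"tag {ref} is in the range force-pushed to malicious commits on 2026-03-19"
    return "high", "mutable reference to an affected action; cannot be verified by name"


def audit_workflow(text: str) -> list:
    """Scan one workflow file and return all findings, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out steps do not run
        m = USES_RE.search(line)
        if m:
            action, ref = m.group(1), m.group(2)
            severity, reason = classify_ref(action, ref)
            findings.append(Finding(lineno, action, ref, severity, reason))
        if TRIVY_VERSION_RE.search(line):
            findings.append(Finding(lineno, "aquasecurity/trivy", MALICIOUS_TRIVY_VERSION,
                                    "critical", "references the malicious Trivy v0.69.4 release"))
    return findings


# Constructed sample workflow; the SHA on the last step is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan filesystem
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - uses: aquasecurity/setup-trivy@v0.2.6
        with:
          version: v0.69.4
      - uses: aquasecurity/trivy-action@0.35.0
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line:>3}  {f.severity:<8} {f.action}@{f.ref}: {f.reason}")
```

Run it over every file under `.github/workflows/` of each repository in the organization; any `critical` finding means the workflow referenced a tag that pointed at malicious code during the attack window, so the run logs for March 19–20 and the secrets available to that job need the treatment described above regardless of what the tag points to today.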
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T14:24:11.619Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c1b815f4197a8e3b932274
Added to database: 3/23/2026, 10:00:53 PM
Last enriched: 4/3/2026, 1:08:33 PM
Last updated: 5/8/2026, 8:06:12 PM