
CVE-2026-33634: CWE-506: Embedded Malicious Code in aquasecurity setup-trivy

Severity: Critical
Published: Mon Mar 23 2026 (03/23/2026, 21:47:29 UTC)
Source: CVE Database V5
Vendor/Project: aquasecurity
Product: setup-trivy

Description

CVE-2026-33634 is a critical supply chain vulnerability affecting the aquasecurity Trivy security scanner and its associated GitHub Actions. An attacker used compromised credentials to publish a malicious Trivy v0.69.4 release and force-push malicious commits to nearly all version tags of the aquasecurity/trivy-action and aquasecurity/setup-trivy repositories. This allowed credential-stealing malware to be distributed via these widely used components. The attack exploited incomplete credential rotation, enabling persistent access. Organizations using affected versions risk secret exfiltration and must immediately rotate all secrets, remove compromised artifacts, and audit workflows for signs of compromise. Mitigations include pinning GitHub Actions to immutable commit SHAs rather than mutable tags and reviewing workflow logs for suspicious activity. Known safe versions are available and should be adopted promptly.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/23/2026, 22:15:54 UTC

Technical Analysis

CVE-2026-33634 represents a severe supply chain attack targeting the aquasecurity Trivy ecosystem, specifically the Trivy binary version 0.69.4, the trivy-action GitHub Action versions 0.0.1 through 0.34.2, and the setup-trivy GitHub Action versions prior to 0.2.6. On March 19, 2026, threat actors leveraged compromised credentials to publish a malicious Trivy release and force-push malicious commits to nearly all version tags of the affected GitHub Actions repositories. This attack is a continuation of an earlier compromise starting in late February 2026, where credential rotation was performed but not atomically, allowing attackers to retain access by exfiltrating newly rotated secrets during the rotation window. The malicious commits embedded credential-stealing malware, enabling attackers to harvest secrets from CI/CD pipelines that used these components. The attack exploited the common practice of referencing mutable version tags in GitHub workflows, which allowed the attacker to replace legitimate code with malicious versions without immediate detection. The presence of a suspicious repository named 'tpcp-docs' may indicate successful exfiltration of secrets. The vulnerability is classified under CWE-506 (Embedded Malicious Code) and has a CVSS 4.0 score of 9.4, reflecting its critical severity with network attack vector, low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability. The incident underscores the risks inherent in supply chain dependencies and the importance of secure credential management and immutable references in CI/CD pipelines.

Potential Impact

The impact of CVE-2026-33634 is substantial for organizations worldwide that rely on Trivy and its GitHub Actions for container and infrastructure security scanning. The malicious versions distributed credential-stealing malware, potentially exposing sensitive secrets such as API keys, tokens, and credentials used in CI/CD pipelines. This exposure can lead to unauthorized access to critical infrastructure, data breaches, lateral movement within networks, and further compromise of organizational assets. The attack compromises the integrity and trustworthiness of the security tooling itself, undermining confidence in supply chain components. Organizations that pulled or executed the compromised versions risk persistent backdoors and secret leakage, which can facilitate espionage, ransomware deployment, or data exfiltration. The widespread use of Trivy in DevOps environments amplifies the scope of affected systems. Additionally, the attack demonstrates how incomplete credential rotation can prolong attacker access, increasing the window for exploitation. The potential presence of fallback exfiltration repositories indicates advanced attacker persistence and data theft capabilities.

Mitigation Recommendations

To mitigate this threat, organizations must immediately audit their environments for usage of affected Trivy versions (v0.69.4) and GitHub Actions (trivy-action versions 0.0.1–0.34.2 and setup-trivy versions <0.2.6). Remove all compromised artifacts and replace them with known safe versions: Trivy binaries 0.69.2 or 0.69.3, trivy-action 0.35.0, and setup-trivy 0.2.6 with safe commits. Rotate all secrets accessible to affected pipelines without delay, assuming potential exposure. Review GitHub workflow run logs from March 19–20, 2026, for signs of compromise, including unexpected repository creations such as 'tpcp-docs'. Enforce the use of immutable commit SHA references in GitHub Actions workflows instead of mutable version tags to prevent silent code replacement. Implement atomic credential rotation procedures to avoid windows of vulnerability. Enhance monitoring for anomalous repository activity and secret access patterns. Consider adopting additional supply chain security measures such as signing and verifying action code, and integrating tools that detect malicious commits or unusual force-push events. Educate development and DevOps teams on the risks of mutable references and credential hygiene.
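The audit described above can be scripted. The following is an added example, not tooling from the advisory or from aquasecurity: it scans GitHub workflow text for `uses:` references to trivy-action and setup-trivy, classifies each reference against the version boundaries stated on this page, and also flags a `version: v0.69.4` input to setup-trivy. It matches lines with regular expressions rather than a YAML parser, and the 40-hex commit in the constructed sample is a placeholder, not a real SHA.

```python
import re
# Boundaries from the advisory: trivy-action 0.0.1-0.34.2 and setup-trivy < 0.2.6 are
# affected; trivy-action 0.35.0 and setup-trivy 0.2.6 are the known-safe versions.
SAFE_MIN = {"aquasecurity/trivy-action": (0, 35, 0), "aquasecurity/setup-trivy": (0, 2, 6)}
MALICIOUS_BINARY = "0.69.4"  # Trivy release published with the compromised credentials
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)@(\S+)")
VERSION_RE = re.compile(r"^\s*version:\s*['\"]?v?(\d+\.\d+\.\d+)['\"]?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def parse_version(ref):
    """'v0.34.2' -> (0, 34, 2); None for branches or short tags such as 'v0'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref)
    return tuple(int(x) for x in m.groups()) if m else None

def classify(action, ref):
    """Verdict for one 'uses: owner/repo@ref' reference."""
    if action not in SAFE_MIN:
        return "not-trivy"
    if SHA_RE.match(ref):
        return "pinned-sha"       # immutable; still confirm the SHA is a known-good commit
    ver = parse_version(ref)
    if ver is None:
        return "mutable-unknown"  # 'master', 'v0', 'v0.34': a tag the attacker could have moved
    return "mutable-safe" if ver >= SAFE_MIN[action] else "mutable-affected"

def audit_workflow(text):
    """Return (line_no, subject, ref, verdict) for every Trivy reference in a workflow."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            verdict = classify(*m.groups())
            if verdict != "not-trivy":
                findings.append((n, m.group(1), m.group(2), verdict))
        v = VERSION_RE.match(line)
        if v and v.group(1) == MALICIOUS_BINARY:
            findings.append((n, "trivy-binary", v.group(1), "malicious-release"))
    return findings

# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """jobs:
  scan:
    steps:
      - uses: aquasecurity/setup-trivy@v0.2.5
        with:
          version: v0.69.4
      - uses: aquasecurity/trivy-action@0.34.2
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@master
"""
```

Run `audit_workflow()` over each file under `.github/workflows/`; every `mutable-*` verdict is a candidate for replacement with a SHA pin of a known-safe commit, and `mutable-affected` or `malicious-release` findings mean the pipeline's secrets should be treated as exposed.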


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-23T14:24:11.619Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69c1b815f4197a8e3b932274

Added to database: 3/23/2026, 10:00:53 PM

Last enriched: 3/23/2026, 10:15:54 PM

Last updated: 3/23/2026, 11:10:25 PM
