## What happened

BleepingComputer reports that the popular vulnerability scanner **Trivy** was hit by a supply-chain compromise. According to the researchers cited, the attackers tampered with Trivy's GitHub Actions (including re-pointing existing action tags to their own commits) and also published a trojanized Trivy release (reported as v0.69.4).

The malicious code behaved like an **infostealer**, looking for secrets across CI environments and developer machines, and attempting to exfiltrate the collected data.

## Why it matters

Tools like Trivy run inside CI/CD with broad access to repositories, build artifacts, and environment variables, so a compromised scanner quickly turns into exposure of:

- cloud credentials

- SSH keys

- CI secrets

- package registry tokens

- production access paths

## Notable technical details

According to the report and referenced analyses:

- Many GitHub Actions tags were force-pushed to malicious commits. Tags are mutable references, so any workflow that pinned an action by *tag* (a `@v1`-style ref) could silently run attacker code on its next run, whereas a workflow pinned to a specific commit SHA keeps resolving to the original commit.

- The infostealer searched common locations for secrets (".env", cloud config files, SSH keys, etc.).

- Exfiltration reportedly used a typosquatted domain and included fallback behaviors if network exfiltration failed.

## What teams should do now

If you used affected Trivy releases or GitHub Actions during the incident window:

1. Treat the environment as potentially compromised.

2. Rotate secrets (cloud keys, DB passwords, CI tokens, SSH keys).

3. Audit GitHub Actions usage: pin third-party actions to a full-length **commit SHA** rather than a tag or branch, record the intended version in a trailing comment, and take the SHA from a commit you have verified as predating the incident. (Dependabot can still bump SHA pins when the comment carries the version.)

4. Review CI logs and runner hosts for unexpected artifacts/services.
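The tag-mutability point above and the "pin to commit SHAs" step both come down to one audit: find every `uses:` reference in your workflow files and classify its ref. The script below is an added example written for this page, not code from Trivy or from the BleepingComputer report. It matches `uses:` lines with a regex instead of a YAML parser so it runs with the standard library only, treats a 40-hex ref as immutable and anything else (tag, branch, Docker tag) as mutable, and additionally flags any reference to a watched action so you can scope which workflows touched it at all. The watched name `aquasecurity/trivy-action` is this editor's assumption about the action's published name; the page does not name it, so adjust the list to whatever you actually use. The sample workflow and its 40-hex SHA are constructed for the example and do not refer to a real commit.

```python
"""Audit GitHub workflow files for action references that are not pinned to an
immutable commit SHA (or image digest). Added example; not from the page."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

# A "uses:" line: optional list dash, the key, then the value (quotes optional,
# value ends at whitespace, a quote, or an inline "# comment").
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Assumption: the published name of Trivy's action. Adjust to your own list.
WATCHED_ACTIONS = ["aquasecurity/trivy-action"]

# Constructed sample workflow. The 40-hex SHA is made up, not a real commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1
      - name: Run Trivy
        uses: aquasecurity/trivy-action@master
      - uses: ./.github/actions/internal
      - uses: docker://alpine:3.19
      - uses: 'actions/setup-go@v5'
"""


@dataclass
class Finding:
    line_no: int
    action: str  # owner/repo[/path], local path, or image name
    ref: str     # commit, tag, branch, image tag or digest
    kind: str    # "sha" | "digest" | "mutable" | "local"


def classify(uses_value: str) -> tuple[str, str, str]:
    """Return (action, ref, kind) for one uses: value."""
    if uses_value.startswith(("./", "../")):
        return uses_value, "", "local"       # same-repo action, travels with the checkout
    if uses_value.startswith("docker://"):
        image = uses_value[len("docker://"):]
        if "@sha256:" in image:
            name, digest = image.split("@", 1)
            return name, digest, "digest"    # content-addressed, immutable
        name, sep, tag = image.rpartition(":")
        if not sep or "/" in tag:            # no tag, or the colon was a registry port
            name, tag = image, "latest"
        return name, tag, "mutable"          # image tags can be re-pushed
    action, _, ref = uses_value.partition("@")
    if FULL_SHA_RE.fullmatch(ref):
        return action, ref, "sha"
    return action, ref, "mutable"            # tag or branch (or missing ref): can be re-pointed


def parse_uses(text: str) -> list[Finding]:
    """Every uses: reference in a workflow file, with its line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            action, ref, kind = classify(m.group(1))
            findings.append(Finding(line_no, action, ref, kind))
    return findings


def mutable_refs(text: str) -> list[Finding]:
    return [f for f in parse_uses(text) if f.kind == "mutable"]


def references_to(text: str, actions: list[str]) -> list[Finding]:
    wanted = {a.lower() for a in actions}
    return [f for f in parse_uses(text) if f.action.lower() in wanted]


def report(text: str, label: str = "<sample>") -> list[str]:
    """Human-readable lines for mutable pins and for any watched action."""
    out = [f"{label}:{f.line_no}: {f.action}@{f.ref} uses a mutable ref; pin to a full commit SHA"
           for f in mutable_refs(text)]
    out += [f"{label}:{f.line_no}: references watched action {f.action} (ref {f.ref!r}, {f.kind})"
            for f in references_to(text, WATCHED_ACTIONS)]
    return out


if __name__ == "__main__":
    paths = [Path(p) for p in sys.argv[1:]]
    if not paths:
        print("\n".join(report(SAMPLE_WORKFLOW)))
    for p in paths:
        print("\n".join(report(p.read_text(), str(p))))
```

Run it as `python audit_pins.py .github/workflows/*.yml`; with no arguments it audits the embedded sample. To turn a flagged tag into a SHA, resolve it against the upstream repository with `git ls-remote https://github.com/OWNER/REPO refs/tags/TAG`, confirm that commit is one you trust, and pin to that SHA with the version kept in a trailing comment, as the pinned `actions/checkout` line in the sample does.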

## Source

BleepingComputer coverage includes timelines and the researchers' findings.