Widely used Trivy scanner compromised in ongoing supply-chain attack
Admins: Sorry to say, but it's likely a rotate-your-secrets kind of weekend.
Hackers have compromised virtually all versions of Aqua Security’s widely used Trivy vulnerability scanner in an ongoing supply chain attack that could have wide-ranging consequences for developers and the organizations that use them. Trivy maintainer Itay Shakury confirmed the compromise on Friday, following rumors and a thread, since deleted by the attackers, discussing the incident.

The attack began in the early hours of Thursday. When it was done, the threat actor had used stolen credentials to force-push all but one of the trivy-action tags and seven setup-trivy tags to use malicious dependencies.

Assume your pipelines are compromised

A forced push is a git command that overrides a default safety mechanism that protects against overwriting existing commits. Trivy is a vulnerability scanner that developers use to detect vulnerabilities and inadvertently hardcoded authentication secrets in pipelines for developing and deploying software updates. The scanner has 33,200 stars on GitHub, a high rating that indicates it’s used widely.
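Because the attack worked by retargeting mutable tags, a workflow that references an action by tag (or branch) picks up whatever commit the tag points to at run time, while a reference pinned to a full commit SHA does not move. The following added example (not code from the article or from Aqua Security) audits a GitHub Actions workflow file and reports every `uses:` step whose ref is not a 40-character commit SHA; the sample workflow and the placeholder SHA in it are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Matches a `uses:` step such as `owner/repo@ref` or `owner/repo/path@ref`.
# Local (`./...`) and `docker://` references contain no `owner/repo@ref` form and are skipped.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@([^\s"\'#]+)')
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    reason: str


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` step whose ref is not a full commit SHA.

    A tag or branch name is a mutable pointer that anyone holding the
    repository's credentials can force-push to a different commit; a full
    SHA can only change if the workflow file itself is edited.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if SHA_RE.match(ref):
            continue  # pinned: nothing to report
        reason = "version tag" if re.match(r"^v?\d", ref) else "branch or other mutable reference"
        findings.append(Finding(lineno, action, ref, reason))
    return findings


# Constructed sample workflow; the checkout SHA is a placeholder, not a real commit.
SAMPLE = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # pinned (placeholder)
      - uses: aquasecurity/setup-trivy@v0.2.0
      - name: Scan
        uses: aquasecurity/trivy-action@master
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE):
        print(f"line {f.line}: {f.action}@{f.ref} ({f.reason}); pin to a commit SHA")
```

Run against `.github/workflows/*.yml` to get the list of references that a tag retargeting like this one would silently redirect.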