Trivy under attack again: Widespread GitHub Actions tag compromise secrets
- tkzed49 - 1025 seconds ago
"GitHub's own security guidance recommends pinning actions to full commit SHAs as the only truly immutable way to consume an action"
Why doesn't GitHub just enforce immutable versioning for actions? If you don't want immutable releases, you don't get to publish an Action. They could decide to enforce this and mitigate this class of issue.
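An added example, not code from the thread, GitHub or the Trivy project: a small audit script that flags `uses:` entries in a workflow file that are not pinned to a full 40-hex commit SHA (or, for `docker://` references, a sha256 digest). The sample workflow and the SHA in it are constructed placeholders.

```python
import re

# Constructed sample workflow (not from the thread); the 40-hex SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # v0.28.0
      - uses: ./.github/actions/local-thing
      - uses: docker://ghcr.io/example/image:latest
      - name: run
        run: echo hi
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full git commit SHA
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")  # OCI image digest


def classify(ref):
    """Return 'sha' (immutable), 'mutable' (tag/branch/no ref), or 'other' (local action)."""
    if ref.startswith("./"):
        return "other"  # local action, versioned together with the repo itself
    _, _, version = ref.partition("@")
    # No '@' at all means the default branch is used; a tag such as v4 can be moved.
    if SHA_RE.match(version) or DIGEST_RE.match(version):
        return "sha"
    return "mutable"


def find_unpinned(workflow_text):
    """Return [(line_no, ref), ...] for uses: entries not pinned to a SHA or digest."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify(m.group("ref")) == "mutable":
            findings.append((n, m.group("ref")))
    return findings


if __name__ == "__main__":
    for n, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {n}: {ref} is not pinned to a commit SHA or digest")
```

Pinning only fixes which code runs; it does not protect against a tag being moved on a dependency that you resolve elsewhere, so a pinned SHA still needs a review step when it is bumped.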
- deathanatos - 4490 seconds ago
My initial thought is that if this isn't a new compromise, Trivy must not have rotated the old credentials. They claim, however,
> We rotated secrets and tokens, but the process wasn't atomic and attackers may have been privy to refreshed tokens
… does anyone know what exactly they're talking about, here? To my knowledge, GH does not divulge new tokens after they're issued, but it depends on the exact auth type we're talking about, and GH has an absurd number of different types of tokens/keys one can use.
- PunchyHamster - 6841 seconds ago
You're supposed to scan for vulnerabilities, not become one!
- g947o - 769 seconds ago
People have been warning about giant security holes in GitHub Actions dependencies but MS did nothing.
- d3nit - 2910 seconds ago
Well, not my best 2 weeks at work, now I have to fill out a dozen forms and sit through a shitload of meetings, just because they got pwned (twice, or once, but really badly :D )
- Shank - 10030 seconds ago
> On March 22, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.5 and v0.69.6 DockerHub images. (https://github.com/aquasecurity/trivy/security/advisories/GH...)
So the first incident was on March 19th and the second incident is March 22nd; evidently the attackers maintained persistence through maybe two separate credential rotation efforts.
- dang - 10890 seconds ago
Recent and related:
Trivy ecosystem supply chain temporarily compromised - https://news.ycombinator.com/item?id=47450142 - March 2026 (35 comments)
- progbits - 9826 seconds ago
Friendly reminder that just because someone is building security software, it doesn't mean they are competent and won't cause more harm than good.
Every month the security team wants me to give full code or cloud access to some new scanner they want to trial. They love the fancy dashboards and lengthy reports but if I allowed just 10% of what they wanted we would be pwned on the regular...
- kevincloudsec - 4839 seconds ago
second breach in a month from the same initial credential compromise. the first rotation didn't fully revoke access. the attacker walked right back in. no persistence needed.
- xinayder - 9112 seconds ago
Wasn't this discovered already last week, on Friday, that the threat actor had replaced the legit images with malware images? And republished 75 out of 76 tags?
- huslage - 5805 seconds ago
How the heck are credential compromises still a thing with 2FA and refresh tokens???
- h1fra - 9647 seconds ago
/s But I thought npm was the issue, and all of this couldn't happen anywhere else?!
- ashishb - 9041 seconds ago
I always run such tools inside sandboxes to limit the blast radius.
- yieldcrv - 9483 seconds ago
fatiguing
- Pahacker - 6268 seconds ago
GG