75 Trivy-Action GitHub Tags Hijacked in Supply Chain Attack
- [01] Immediate impact: Attackers used hijacked GitHub Actions tags to exfiltrate sensitive CI/CD secrets and gain unauthorized access to victim environments.
- [02] Affected systems: Users of aquasecurity/trivy-action and aquasecurity/setup-trivy GitHub Actions are impacted across 75 compromised version tags.
- [03] Remediation: Defenders must rotate all secrets stored in GitHub Actions and immediately pin all third-party actions to immutable commit SHA-256 hashes.
For the second time in a single month, the widely adopted Trivy security ecosystem has been targeted in a sophisticated Supply Chain Attack. According to The Hacker News, attackers successfully hijacked 75 distinct version tags associated with the official Aqua Security GitHub Actions repositories. The breach specifically impacts aquasecurity/trivy-action and aquasecurity/setup-trivy, which are essential components used by developers to scan container images and configure vulnerability scanning within automated workflows.
aquasecurity/trivy-action Supply Chain Compromise: Technical Analysis
The compromise involved the modification of existing version tags to point to malicious code rather than the verified Aqua Security source. By altering these tags, the threat actors ensured that any CI/CD pipeline configured to pull the latest version or a specific semantic version (e.g., @v1 or @v2.1) would execute a malicious payload. This TTP exploits the inherent trust developers place in version tags, which, unlike commit hashes, are mutable and can be reassigned by anyone with write access to the repository.
The primary objective of the attackers was the theft of sensitive environment variables and secrets. In modern cloud-native environments, GitHub Actions secrets often include AWS access keys, Docker Hub credentials, and internal API tokens. Once the malicious action was triggered during a workflow run, it would scrape these secrets from the runtime environment and exfiltrate them to an external C2 server controlled by the adversaries. This allows for subsequent Lateral Movement within the victim’s cloud infrastructure or software distribution platforms.
How to Detect Hijacked GitHub Actions in CI/CD Pipelines
Identifying a hijacked action requires a departure from standard log monitoring. Because the malicious code runs within the context of a legitimate workflow, traditional EDR solutions on developer workstations may not flag the activity. Instead, the SOC must analyze GitHub Actions runner logs for unusual outbound network connections to unknown IP addresses or domains.
A key IoC in this campaign is the sudden modification of historical tags. Security teams should audit their workflow.yml files and compare the current behavior of their scanners against known baselines. If a workflow that typically takes 30 seconds to run suddenly exhibits longer execution times or initiates external curl or wget commands that are not part of the standard Trivy binary setup, it should be treated as a potential compromise. Furthermore, remediating the trivy-action secret exfiltration involves not only updating the action but also assuming that all secrets handled by that runner have been compromised.
Remediation and Long-term Defense
The recurrence of this incident highlights the fragility of tag-based dependency management in CI/CD. To mitigate the risk of future hijackings, organizations must adopt a Zero Trust approach to third-party actions.
- Pin Actions to Commit SHAs: The most effective defense is to reference actions by their full SHA-256 commit hash rather than a tag. Unlike tags, a commit hash is immutable, ensuring that the code executed is exactly what was audited by the security team.
- Secret Rotation: Organizations that used the affected aquasecurity/trivy-action tags during the window of compromise must immediately rotate all secrets exposed to those workflows.
- Restrict Permissions: Utilize the permissions key in GitHub Actions to limit the GITHUB_TOKEN to read-only access where possible, reducing the impact if an action is compromised.
- Private Action Mirrors: High-security environments should consider mirroring essential actions into internal, vetted repositories to prevent external upstream changes from automatically propagating into the build pipeline.
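The pinning and audit advice above can be checked mechanically. The following Python audit is an added example, not code from the article or from Aqua Security: it flags every uses: reference that a tag or branch move could redirect. The sample workflow and the hash in it are constructed, and a full-length commit hash is assumed to be 40 or 64 hex characters.

```python
import re

# A step- or job-level "uses:" key; captures the target up to whitespace, quote or comment.
USES_RE = re.compile(r"""^\s*(?:-\s+)?uses:\s*['"]?([^'"\s#]+)""")
# Assumption: a full-length commit hash is 40 hex chars (SHA-1) or 64 (SHA-256).
FULL_HASH_RE = re.compile(r"[0-9a-f]{40}|[0-9a-f]{64}")
# Repositories the article names as carrying hijacked tags.
AFFECTED = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

# Constructed sample workflow; the 40-character hash is made up, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # full hash
      - uses: aquasecurity/setup-trivy@v1
      - name: Scan image
        uses: aquasecurity/trivy-action@v2.1
      - uses: ./.github/actions/report
"""

def audit_workflow(text):
    """Return one finding per `uses:` reference that is not pinned to immutable content."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./"):
            continue  # local action: versioned together with the calling repository
        if target.startswith("docker://"):
            if "@sha256:" in target:
                continue  # container image pinned by digest
            action, ref = target, ""
        else:
            action, _, ref = target.partition("@")
            if FULL_HASH_RE.fullmatch(ref.lower()):
                continue  # pinned to a full commit hash
        repo = "/".join(action.split("/")[:2]).lower()
        findings.append({"line": lineno, "action": action, "ref": ref or None,
                         "affected_repo": repo in AFFECTED})
    return findings

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Abbreviated hashes are reported as unpinned on purpose, since only a full-length hash identifies a single commit unambiguously.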