CVE-2026-33634: Critical Supply Chain Attack on Aquasecurity Trivy Demands Immediate Action

CVE-2026-33634: Critical Supply Chain Attack on Aquasecurity Trivy Demands Immediate Action

CVE-2026-33634 identifies a critical embedded malicious code vulnerability (CWE-506) in Aquasecurity Trivy, scoring a CVSS 9.4 (CRITICAL). This severe supply chain compromise requires immediate attention and remediation by April 9, 2026, to prevent widespread credential theft and CI/CD environment compromise. Organizations relying on Trivy for security scanning must prioritize the review and update of their deployments and workflows to safeguard against ongoing threats.

Vulnerability Profile

Technical Deep Dive: Understanding the Malicious Code and Supply Chain Compromise

The CVE-2026-33634 advisory highlights a profound security incident affecting Aquasecurity Trivy, a widely-used open-source security scanner. This is not merely a bug but a sophisticated supply chain compromise involving the insertion of malicious code into trusted software components. The implications are severe, reaching into the heart of an organization's CI/CD infrastructure.

CWE-506: Embedded Malicious Code

At the core of this vulnerability is CWE-506: Embedded Malicious Code. This Common Weakness Enumeration category describes a situation where an intentional piece of code designed to perform unauthorized actions is secretly included within a legitimate software product. In this specific incident, the malicious code was designed for credential theft and exfiltration. It essentially transformed a security tool meant to protect into a vector for compromise, a highly insidious form of attack that erodes trust in the software supply chain. Such code can be incredibly difficult to detect, as it often masquerades as benign functionality or is hidden within complex build processes.

The Attack Chain: From Credential Compromise to Total CI/CD Takeover

The attack chain for CVE-2026-33634 demonstrates a multi-stage, persistent effort by a threat actor. The incident began with the exploitation of compromised credentials. These credentials were used to gain unauthorized access to Aquasecurity's GitHub repositories for Trivy and its related GitHub Actions.

On March 19, 2026, the attacker leveraged this access to execute several critical actions:

1. Malicious Release Publication: A malicious Trivy v0.69.4 release was published, distributing a compromised version of the scanner itself.
2. GitHub Actions Manipulation: The attacker force-pushed 76 out of 77 version tags in the aquasecurity/trivy-action repository and replaced all 7 tags in aquasecurity/setup-trivy with malicious commits. This meant that any CI/CD pipeline referencing these popular GitHub Actions by mutable version tags (e.g., v1, main, or specific version tags like v0.34.2) would inadvertently pull and execute the attacker's credential-stealing malware.

This incident is a direct continuation of a supply chain attack that commenced in late February 2026. A crucial detail revealed in the advisory is that while credential rotation was performed after the initial disclosure on March 1, it was not atomic. This non-atomic rotation created a window of vulnerability—lasting several days—during which the attacker, potentially still holding a valid token, could exfiltrate newly rotated secrets. This lapse likely allowed the attacker to retain persistent access, enabling the more extensive March 19 attack. The malware specifically targeted sensitive CI/CD environment assets.

Attack Surface and Blast Radius

The attack surface for this vulnerability is extensive, encompassing any CI/CD pipeline or development environment that integrates Aquasecurity Trivy, especially through its GitHub Actions. Organizations using Trivy as a Go binary, container image, or via aquasecurity/trivy-action and aquasecurity/setup-trivy are at risk.

The blast radius is catastrophic, categorized with a total technical impact. The malicious code could gain access to:

• All tokens (e.g., GitHub, cloud provider API tokens)
• SSH keys
• Cloud credentials (AWS, Azure, GCP, etc.)
• Database passwords
• Any sensitive configuration data held in memory within the compromised CI/CD environment.

This level of compromise means a complete takeover of the affected pipeline and potentially interconnected systems. The advisory notes a fallback exfiltration mechanism: the creation of repositories named tpcp-docs within a victim's GitHub organization. The presence of such a repository is a strong indicator that secrets were successfully stolen.

Context: A Continued Supply Chain Threat

This event underscores the growing threat of supply chain attacks, where adversaries target the software development and distribution process rather than directly attacking end-users. The non-atomic credential rotation highlights a critical security gap—that even when a breach is detected, incomplete remediation can leave doors open for re-entry. The ability to manipulate GitHub Actions tags makes this particularly dangerous, as many organizations implicitly trust and widely adopt such components, often without pinning to immutable commit SHAs.

Who Is Affected by This Critical Trivy Vulnerability?

Organizations leveraging Aquasecurity Trivy in their software development lifecycle are potentially affected by CVE-2026-33634. Given Trivy's popularity as a security scanner for container images, file systems, and Git repositories, the impact footprint is broad across various industries and technical stacks.

Identifying Impacted Users and Organizations

Specifically, the following users and deployments are at high risk:

• Users of aquasecurity/trivy Go / Container Image: If your organization pulled or executed Trivy version 0.69.4 from any source, your environment is compromised.
• Users of aquasecurity/trivy-action GitHub Action: Workflows using versions 0.0.1 through 0.34.2 are affected. The attacker force-pushed malicious code to these tags.
• Users of aquasecurity/setup-trivy GitHub Action: Workflows using versions 0.2.0 through 0.2.6 (prior to the recreation of 0.2.6 with a safe commit) are compromised.
• Organizations utilizing mutable version tags: If your GitHub Actions workflows referenced a version tag (e.g., aquasecurity/trivy-action@v0.34.2) instead of a full, immutable commit SHA, you are particularly vulnerable because the underlying code referenced by the tag was replaced with malicious content.

It is imperative for all organizations using Trivy or its GitHub Actions to conduct an immediate audit of their deployed versions and CI/CD pipeline logs. The presence of a tpcp-docs repository in your GitHub organization should be treated as confirmation of exfiltrated secrets.

Compliance and the Remediation Deadline (CISA BOD 22-01)

With a remediation deadline of April 9, 2026, this critical vulnerability demands urgent attention. For U.S. Federal Civilian Executive Branch Agencies (FCEB), this incident directly falls under the scope of CISA Binding Operational Directive (BOD) 22-01: Mitigating the Risk from Vulnerable Systems. This directive mandates that agencies must address critical vulnerabilities within 15 calendar days of detection or public disclosure, or as per vendor instructions. Given the 'active' exploitation status and 'critical' severity, compliance requires immediate action to apply mitigations or discontinue the use of affected products.

Organizations outside the federal government should also treat this deadline with utmost seriousness, as it reflects the critical nature and active threat posed by CVE-2026-33634. Failure to remediate promptly could lead to significant data breaches, operational disruption, and severe reputational damage.

Official Remediation Steps for Aquasecurity Trivy Users

Immediate and thorough action is required to mitigate the risks associated with CVE-2026-33634. Follow these steps meticulously, referencing official vendor guidance for comprehensive details.

1. Immediately Remove Compromised Artifacts and Upgrade

• Identify and Remove Malicious Trivy v0.69.4: Check all environments (development, CI/CD, production) for any instances where Trivy v0.69.4 was pulled or executed. Remove any affected binary, container image, or artifact immediately.
• Upgrade to Known Safe Trivy Versions:

  • For the Aquasecurity Trivy binary or container image, revert to version 0.69.2 or 0.69.3. Ensure you are not using v0.69.4.
  • For aquasecurity/trivy-action GitHub Action, upgrade to version 0.35.0 or later.
  • For aquasecurity/setup-trivy GitHub Action, ensure you are using the recreated version 0.2.6 or later. Verify that the commit SHA corresponds to a known safe version.

For specific patch details and further instructions, refer to the primary vendor advisory: https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23.

2. Isolate and Rotate All Exposed Secrets

• Assume Compromise: If there is any possibility that a compromised Trivy version or GitHub Action ran in your environment, immediately treat all secrets accessible to affected pipelines as exposed. This includes, but is not limited to, GitHub tokens, cloud credentials (AWS, Azure, GCP), SSH keys, API keys, database passwords, and any sensitive environment variables.
• Rotate Secrets: Initiate an immediate and comprehensive rotation of all potentially exposed secrets. Ensure this rotation is performed atomically, where new credentials are put in place only after old ones are fully revoked, minimizing any window for continued attacker access.
• Review for Exfiltration Indicators: Scrutinize your GitHub organization for the presence of repositories named tpcp-docs. The creation of such a repository indicates that the attacker's fallback exfiltration mechanism was triggered, and secrets were likely stolen.

3. Fortify GitHub Actions Workflows

• Audit Workflows: Review all GitHub Actions workflows that use aquasecurity/trivy-action or aquasecurity/setup-trivy. Specifically, look at workflow run logs from March 19–20, 2026, for any anomalies or signs of compromise, especially if you were referencing version tags.
• Pin to Immutable Commit SHAs: As a critical security best practice, update all GitHub Actions references in your workflows to use full, immutable commit SHA hashes instead of mutable version tags (e.g., aquasecurity/trivy-action@<full_commit_SHA>). This prevents attackers from force-pushing malicious code to a tag and silently compromising your pipelines.

Further information and context on the incident can also be found at: https://rosesecurity.dev/2026/03/20/typosquatting-trivy.html.

Robust Security Best Practices to Prevent Future Supply Chain Attacks

The CVE-2026-33634 incident serves as a stark reminder of the evolving threat landscape in software supply chain security. Beyond immediate remediation, organizations must adopt a proactive and multi-layered approach to secure their development and deployment pipelines.

1. Adopt Immutable Pinning for All Dependencies

Always pin your dependencies, especially third-party components like GitHub Actions, to their full, immutable commit SHA hashes. Avoid using mutable tags (e.g., v1, main, or even specific version numbers like v0.34.2 if the underlying repository allows force-pushes to tags). This ensures that your builds use an exact, verified version of the code, preventing malicious updates to tags from impacting your pipelines without your explicit review.

2. Implement Strict Access Controls and Least Privilege

Apply the principle of least privilege rigorously across all CI/CD systems and related accounts. Ensure that only necessary permissions are granted to users, service accounts, and automated processes. Regularly review and revoke any excessive or stale permissions. This limits the potential damage an attacker can inflict if credentials are compromised.

3. Prioritize Secret Management and Rotation

Centralize and secure your secrets using dedicated secret management solutions. Implement automated secret rotation policies, especially for high-value credentials like API keys, cloud access keys, and database passwords. Ensure that secret rotation processes are atomic and robust, preventing any window of exposure during the transition.

4. Continuous Monitoring and Integrity Checks

Implement continuous monitoring of your CI/CD pipelines, build artifacts, and deployed environments. Use tools that can detect unauthorized changes to repositories, unusual activity in build logs, or unexpected network connections from build agents. Consider using Software Bill of Materials (SBOM) generation and integrity checking to verify the provenance and integrity of all components in your software.

5. Enforce Multi-Factor Authentication (MFA) Everywhere

MFA should be mandatory for all accounts, particularly those with administrative privileges or access to critical development infrastructure, source code repositories, and CI/CD systems. Even if an attacker gains a password through other means, MFA acts as a crucial barrier.

6. Diversify Supply Chain Security Tools

Don't rely on a single tool or vendor for all your supply chain security needs. Incorporate a variety of security scanners (static analysis, dynamic analysis, dependency scanning), integrity verification tools, and supply chain security platforms. This provides defense in depth and helps catch issues that might be missed by a single solution.