Critical

Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets

The Hacker News
Actively Exploited

Overview

Trivy, an open-source vulnerability scanner developed by Aqua Security, has been compromised for the second time in a month. This breach specifically targeted the GitHub Actions workflows 'aquasecurity/trivy-action' and 'aquasecurity/setup-trivy', which are commonly used for scanning Docker container images for vulnerabilities. Attackers hijacked 75 tags to deliver malware that aims to steal sensitive continuous integration and continuous delivery (CI/CD) secrets. This incident is particularly concerning as it exposes users relying on these tools to potential data breaches and security risks. Organizations using these GitHub Actions should take immediate action to secure their environments and monitor for any unauthorized access or data leaks.

Key Takeaways

  • Active Exploitation: This vulnerability is being actively exploited by attackers. Immediate action is recommended.
  • Affected Systems: aquasecurity/trivy-action, aquasecurity/setup-trivy
  • Action Required: Users should audit their GitHub Actions workflows, revoke any compromised secrets, and update to the latest versions of the affected actions as soon as possible.
  • Timeline: Ongoing since October 2023

Original Article Summary

Trivy, a popular open-source vulnerability scanner maintained by Aqua Security, was compromised a second time within the span of a month to deliver malware that stole sensitive CI/CD secrets. The latest incident impacted GitHub Actions "aquasecurity/trivy-action" and "aquasecurity/setup-trivy," which are used to scan Docker container images for vulnerabilities and set up GitHub Actions workflow

Impact

aquasecurity/trivy-action, aquasecurity/setup-trivy

Exploitation Status

This vulnerability is confirmed to be actively exploited by attackers in real-world attacks. Organizations should prioritize patching or implementing workarounds immediately.

Timeline

Ongoing since October 2023

Remediation

Users should audit their GitHub Actions workflows, revoke any compromised secrets, and update to the latest versions of the affected actions as soon as possible.

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.

Related Topics: This incident relates to Vulnerability, Malware.

Related Coverage

Leading members of Scattered Spider sentenced in UK to 66 months in jail

CyberScoop

Thalha Jubair and Owen Flowers, key members of the hacker group known as Scattered Spider, have been sentenced to 66 months in prison in the UK. U.S. authorities previously accused Jubair of being involved in at least 120 cyberattacks, demonstrating a significant level of criminal activity. These attacks are part of a broader trend of cybercrime that affects individuals and organizations alike, raising concerns about online security. The sentencing underscores the legal consequences faced by cybercriminals and serves as a warning to others in the hacking community. As law enforcement continues to crack down on such groups, it highlights the ongoing battle against cyber threats in today's digital landscape.

Jul 17, 2026

Industry Reactions to Pentagon Suspending CMMC Phase 2: Feedback Friday

SecurityWeek

The Pentagon has temporarily suspended Phase 2 of the Cybersecurity Maturity Model Certification (CMMC), which means that third-party audits required for defense contractors will not take place for now. This suspension does not eliminate the legal requirement for companies to protect Controlled Unclassified Information (CUI). Industry experts have expressed their concern that while the audits are paused, the obligation to secure sensitive information remains critical. This situation affects defense contractors and their ability to demonstrate compliance with cybersecurity standards, potentially impacting their contracts and operations. With the growing emphasis on cybersecurity in defense, the continued protection of CUI is essential for national security.

Jul 17, 2026

Hacking US Elections: The First Tranche of Declassified Election Integrity Documents

Cyber Defense Magazine

The article discusses the release of declassified documents related to the integrity of U.S. elections, which cybersecurity professionals are encouraged to review. These documents shed light on various aspects of election security, particularly in the context of hacking concerns that have been prevalent over the last decade. Researchers at DEF CON have been instrumental in examining vulnerabilities in voting systems, and the declassified records provide crucial insights into how past elections could have been compromised. Understanding these details is vital for improving future election security and ensuring public confidence in the electoral process. The implications of these findings extend beyond cybersecurity professionals, as they affect the integrity of democratic processes in the U.S.

Jul 17, 2026

Scammers weaponize FaceTime to drain bank accounts

Help Net Security

Apple has issued a warning to iPhone and iPad users about a new scam that utilizes FaceTime calls to deceive people into giving away their financial information. Scammers impersonate trusted organizations, such as banks or Apple itself, using a technique called caller ID spoofing, which makes the call appear to come from a legitimate source. This manipulation aims to extract sensitive details like account credentials and security codes. Users need to be vigilant and verify any unexpected calls requesting personal information, as this scam can lead to significant financial loss. This situation is particularly concerning as it exploits a widely used communication tool, making it crucial for users to remain cautious and informed.

Jul 17, 2026

New Russian Campaign Uses Fake Webex and Zoom Installers to Deploy Starland RAT

Security Affairs

Researchers at Cisco Talos have identified a new campaign by a Russian-speaking group known as UAT-11795, which is distributing fake installers for popular applications like Zoom, Webex, and MobaXterm. These malicious installers are designed to deliver the Starland Remote Access Trojan (RAT) and a memory-only implant called WLDR. The campaign has been targeting users primarily in the United States and Europe. This is concerning as it highlights the ongoing threat posed by financially motivated cybercriminals who exploit trusted software to gain access to sensitive systems. Users should be wary of downloading software from unofficial sources and ensure they are using legitimate installation files to protect against such attacks.

Jul 17, 2026

Cyberattack Disrupts Operations of Japanese Frozen Food Giant Nichirei

SecurityWeek

Nichirei, a major Japanese frozen food company, faced a cyberattack on July 13, which forced the company to disconnect its systems. As a result, operations were significantly disrupted, impacting their ability to process and distribute their products. The company is now in the process of gradually restoring its systems, but the incident raises concerns about the security of supply chains in the food industry. Cyberattacks on food companies can disrupt not only business operations but also affect food availability and consumer trust. Nichirei's experience serves as a reminder for companies in all sectors to prioritize cybersecurity to protect against similar threats.

Jul 17, 2026