ATLA WIRE

Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets

21.03.2026
Trivy attack force-pushed 75 tags via GitHub Actions, exposing CI/CD secrets, enabling data theft and persistence across developer systems.


Yikes — the Trivy security scanner just got hit with a massive supply chain attack. Hackers compromised GitHub Actions, force-pushed 75 tags, and are now siphoning CI/CD secrets from dev pipelines. This isn't just a breach — it's a full-blown infiltration of your build system.
Here's the breakdown: attackers hijacked the Trivy GitHub Actions workflow and re-pointed its release tags at malicious commits, so the injected code runs whenever a CI/CD job checks out one of those tags. Once a pipeline does, the code exfiltrates sensitive data (API keys, tokens, and credentials) straight to attacker-controlled servers. This isn't just data theft; it gives the attackers persistence across developer environments.
  • 75 tags force-pushed via compromised GitHub Actions
  • CI/CD secrets exposed and exfiltrated
  • Attack enables data theft and system persistence
  • Targets Trivy, a popular open-source security scanner
  • Impacts DevSecOps and cloud security pipelines
The attack vector? Classic supply chain manipulation. By compromising the GitHub Actions that manage Trivy's tags, attackers injected malicious code into every pipeline that references those tags. Each time a developer runs a scan, the hijacked tag resolves to the attackers' code, silently stealing secrets and potentially deploying backdoors.
This is a wake-up call for the DevSecOps community. Trivy is widely used for vulnerability scanning in containers and cloud environments. A breach here doesn't just leak data — it compromises the entire security posture of organizations relying on it. Think about it: your security tool is now the attack vector.
Key takeaway: monitor your CI/CD workflows like a hawk. Verify tag integrity, audit GitHub Actions permissions, and assume your secrets are always at risk. This attack shows that even security tools aren't immune — they're just another target in the supply chain.
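Two of those takeaways can be turned into concrete checks. The following is an added example, not code from ATLA WIRE or from the Trivy project: it audits workflow files for actions referenced by a mutable tag or branch instead of a full commit SHA, and it compares a previously recorded `git ls-remote --tags` snapshot against a fresh one to detect release tags that now point at a different commit, which is what a force-pushed tag looks like from the consumer's side. The workflow text, action names, tag names and SHAs are constructed sample data; only the Python standard library is used.

```python
"""Added example (not ATLA WIRE's or the Trivy project's code): defensive checks
against the GitHub Actions tag-hijack scenario described in the article.
All repositories, tags and SHAs below are constructed, not real."""
import re
from typing import Dict, List, Tuple

# `uses: owner/repo[/path]@ref`; local (./...) and docker:// references do not match
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*([A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@([^\s#]+)")
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text: str) -> List[Tuple[str, str]]:
    """Return (action, ref) pairs whose ref is a tag or branch rather than a commit SHA.
    A 40-hex SHA cannot be re-pointed by a force-push; a tag such as @v1 can."""
    unpinned = []
    for line in workflow_text.splitlines():
        m = _USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if not _SHA_RE.match(ref):
            unpinned.append((action, ref))
    return unpinned


def parse_ls_remote_tags(output: str) -> Dict[str, str]:
    """Parse `git ls-remote --tags <url>` output into {tag: commit_sha}.
    Annotated tags appear twice: refs/tags/X (the tag object) and refs/tags/X^{}
    (the peeled commit). The peeled entry wins, since that is what a runner checks out."""
    tags: Dict[str, str] = {}
    peeled: Dict[str, str] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split("\t", 1)
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            peeled[name[:-3]] = sha
        else:
            tags[name] = sha
    tags.update(peeled)
    return tags


def detect_moved_tags(baseline: Dict[str, str],
                      current: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Report tags that resolved to one commit in the recorded baseline and to a
    different commit now. Release tags are not supposed to move; a moved tag is
    either a mistake by the maintainers or a hijack, and either way warrants a look."""
    moved = {}
    for tag, old_sha in baseline.items():
        new_sha = current.get(tag)
        if new_sha is not None and new_sha != old_sha:
            moved[tag] = (old_sha, new_sha)
    return moved


# Constructed workflow: one action pinned by SHA, two by mutable refs.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - name: Run scanner
        uses: example-org/scanner-action@v1        # mutable tag: flagged
      - uses: example-org/upload-action@main       # branch: flagged
      - run: echo done
"""

# Constructed `git ls-remote --tags` output before and after a tag was force-pushed.
BASELINE_LS_REMOTE = (
    "1" * 40 + "\trefs/tags/v1\n"
    + "2" * 40 + "\trefs/tags/v1^{}\n"
    + "3" * 40 + "\trefs/tags/v1.2.0\n"
)
CURRENT_LS_REMOTE = (
    "4" * 40 + "\trefs/tags/v1\n"
    + "5" * 40 + "\trefs/tags/v1^{}\n"
    + "3" * 40 + "\trefs/tags/v1.2.0\n"
)

if __name__ == "__main__":
    for action, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref}")
    moved = detect_moved_tags(parse_ls_remote_tags(BASELINE_LS_REMOTE),
                              parse_ls_remote_tags(CURRENT_LS_REMOTE))
    for tag, (old, new) in moved.items():
        print(f"tag moved: {tag} {old[:12]} -> {new[:12]}")
```

In practice you would feed `parse_ls_remote_tags` the real output of `git ls-remote --tags` for each action your pipelines depend on, commit the resulting snapshot alongside your workflows, and run `detect_moved_tags` on a schedule; a moved tag should block the pipeline until someone confirms why it moved. Pinning by SHA makes the first check pass and removes the tag-hijack vector entirely, at the cost of updating the SHA deliberately when you want a new release.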
#CI/CD security #DevSecOps #GitHub #supply chain attacks #hack
Have a tip? Message ATLA WIRE on Telegram: t.me/atla_community