Common Weakness Enumeration

CWE-506

Allowed-with-Review

Embedded Malicious Code

Abstraction: Class · Status: Incomplete

The product contains code that appears to be malicious in nature.

525 vulnerabilities reference this CWE, most recent first.

GHSA-657V-JJF8-83GH

Vulnerability from github – Published: 2020-09-03 23:14 – Updated: 2021-10-01 14:37
VLAI
Summary
Malicious Package in jsmsha3
Details

Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.

Recommendation

Remove the package from your environment. Ensure no Ethereum funds were compromised.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "jsmsha3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:54:10Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.\n\n\n## Recommendation\n\nRemove the package from your environment. Ensure no Ethereum funds were compromised.",
  "id": "GHSA-657v-jjf8-83gh",
  "modified": "2021-10-01T14:37:41Z",
  "published": "2020-09-03T23:14:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1295"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malicious Package in jsmsha3"
}

GHSA-6584-GFWM-3VC3

Vulnerability from github – Published: 2020-09-03 21:43 – Updated: 2021-09-29 20:54
VLAI
Summary
Malicious Package in budfer-xor
Details

Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.

Recommendation

Remove the package from your environment. Ensure no Ethereum funds were compromised.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "budfer-xor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:51:43Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.\n\n\n## Recommendation\n\nRemove the package from your environment. Ensure no Ethereum funds were compromised.",
  "id": "GHSA-6584-gfwm-3vc3",
  "modified": "2021-09-29T20:54:03Z",
  "published": "2020-09-03T21:43:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1233"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malicious Package in budfer-xor"
}

GHSA-658G-P7JG-WX5G

Vulnerability from github – Published: 2026-04-02 18:34 – Updated: 2026-04-06 23:41
VLAI
Summary
Axios npm Supply Chain Incident Impacting @usebruno/cli
Details

Impact

This is a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT).

Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted.

Potential impact includes:

  • Execution of a malicious postinstall script
  • Remote Access Trojan (RAT) installation
  • Exfiltration of credentials and sensitive data

Not impacted:

  • Bruno desktop app users
  • Users who installed outside the attack window

Patches

The compromised axios versions (1.14.1, 0.30.4) have been removed from npm, and new installations will now resolve to safe versions.

Additionally, Bruno has taken further hardening steps:

Recommendation

If users installed @usebruno/cli during the affected window: 1. Reinstall dependencies 2. Rotate all credentials and secrets:

For additional guidance on securing your system, refer to this article: https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 3.2.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@usebruno/cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34841"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-494",
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-02T18:34:04Z",
    "nvd_published_at": "2026-04-06T17:17:10Z",
    "severity": "CRITICAL"
  },
  "details": "### **Impact**\n\nThis is a **supply chain attack** involving compromised versions of the `axios` npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT).\n\nUsers of **@usebruno/cli** who ran `npm install` between **00:21 UTC and ~03:30 UTC on March 31, 2026** may have been impacted.\n\nPotential impact includes:\n\n* Execution of a malicious `postinstall` script\n* Remote Access Trojan (RAT) installation\n* Exfiltration of credentials and sensitive data\n\n**Not impacted:**\n\n* Bruno desktop app users\n* Users who installed outside the attack window\n\n\n### **Patches**\n\nThe compromised `axios` versions (`1.14.1`, `0.30.4`) have been **removed from npm**, and new installations will now resolve to safe versions.\n\nAdditionally, Bruno has taken further hardening steps:\n\n* Pinned `axios` to a known safe version to prevent accidental resolution to malicious releases\n* Fix implemented in: [https://github.com/usebruno/bruno/pull/7632](https://github.com/usebruno/bruno/pull/7632)\n\n\n### **Recommendation**\n\nIf users installed **@usebruno/cli** during the affected window:\n1. Reinstall dependencies\n2. Rotate all credentials and secrets:\n\nFor additional guidance on securing your system, refer to this article:\nhttps://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat",
  "id": "GHSA-658g-p7jg-wx5g",
  "modified": "2026-04-06T23:41:01Z",
  "published": "2026-04-02T18:34:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/usebruno/bruno/security/advisories/GHSA-658g-p7jg-wx5g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34841"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/issues/10604"
    },
    {
      "type": "WEB",
      "url": "https://github.com/usebruno/bruno/pull/7632"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-fw8c-xr5c-95f9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/usebruno/bruno"
    },
    {
      "type": "WEB",
      "url": "https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Axios npm Supply Chain Incident Impacting @usebruno/cli"
}

GHSA-65J7-66P7-9XGF

Vulnerability from github – Published: 2020-09-02 21:51 – Updated: 2021-09-30 21:59
VLAI
Summary
Malicious Package in font-scrubber
Details

Version 1.2.2 of font-scrubber contains malicious code as a postinstall script. The package attempts to upload sensitive files from the system to a remote server. The files include configuration files, command history logs, SSH keys and /etc/passwd.

Recommendation

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.

The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "font-scrubber"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:40:34Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Version 1.2.2 of `font-scrubber` contains malicious code as a postinstall script. The package attempts to upload sensitive files from the system to a remote server. The files include configuration files, command history logs, SSH keys and /etc/passwd.\n\n\n## Recommendation\n\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.\n\nThe package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.",
  "id": "GHSA-65j7-66p7-9xgf",
  "modified": "2021-09-30T21:59:50Z",
  "published": "2020-09-02T21:51:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/919"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malicious Package in font-scrubber"
}

GHSA-674R-XX4C-GJ7X

Vulnerability from github – Published: 2020-09-03 17:04 – Updated: 2021-10-04 14:28
VLAI
Summary
Malicious Package in sb58
Details

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets.

Recommendation

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.

The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "sb58"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:58:10Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets.\n\n\n## Recommendation\n\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.\n\nThe package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.",
  "id": "GHSA-674r-xx4c-gj7x",
  "modified": "2021-10-04T14:28:19Z",
  "published": "2020-09-03T17:04:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1406"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malicious Package in sb58"
}

GHSA-67MP-PCV9-VVQ6

Vulnerability from github – Published: 2020-09-03 22:57 – Updated: 2021-09-30 16:35
VLAI
Summary
Malicious Package in jr-sha3
Details

Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.

Recommendation

Remove the package from your environment. Ensure no Ethereum funds were compromised.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "jr-sha3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:53:33Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.\n\n\n## Recommendation\n\nRemove the package from your environment. Ensure no Ethereum funds were compromised.",
  "id": "GHSA-67mp-pcv9-vvq6",
  "modified": "2021-09-30T16:35:36Z",
  "published": "2020-09-03T22:57:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1279"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malicious Package in jr-sha3"
}

GHSA-6879-XR95-5GF4

Vulnerability from github – Published: 2020-09-03 17:20 – Updated: 2021-09-30 17:16
VLAI
Summary
Malicious Package in malicious-do-not-install
Details

All versions of malicious-do-not-install contain malicious code. The package copies the contents of /etc/passwd and /etc/shadow to files in the local /tmp/ folder.

Recommendation

Remove the package from your environment and rotate affected credentials.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "malicious-do-not-install"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:45:05Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "All versions of `malicious-do-not-install` contain malicious code. The package copies the contents of `/etc/passwd` and `/etc/shadow` to files in the local `/tmp/` folder.\n\n\n## Recommendation\n\nRemove the package from your environment and rotate affected credentials.",
  "id": "GHSA-6879-xr95-5gf4",
  "modified": "2021-09-30T17:16:35Z",
  "published": "2020-09-03T17:20:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1040"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malicious Package in malicious-do-not-install"
}

GHSA-692H-G37C-QV44

Vulnerability from github – Published: 2020-09-03 23:25 – Updated: 2021-10-01 16:15
VLAI
Summary
Malicious Package in sj-tw-sec
Details

All versions of sj-tw-sec contain malicious code. The package downloads and runs a script that opens a reverse shell in the system.

Recommendation

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.

The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "sj-tw-sec"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:54:37Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "All versions of `sj-tw-sec` contain malicious code. The package downloads and runs a script that opens a reverse shell in the system.\n\n\n## Recommendation\n\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.\n\nThe package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.",
  "id": "GHSA-692h-g37c-qv44",
  "modified": "2021-10-01T16:15:23Z",
  "published": "2020-09-03T23:25:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1309"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malicious Package in sj-tw-sec"
}

GHSA-69FQ-XP46-6X23

Vulnerability from github – Published: 2026-03-24 17:53 – Updated: 2026-03-30 20:51
VLAI
Summary
Trivy ecosystem supply chain was briefly compromised
Details

Summary

On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in aquasecurity/trivy-action to credential-stealing malware, and replace all 7 tags in aquasecurity/setup-trivy with malicious commits. On March 22, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.5 and v0.69.6 DockerHub images.

Exposure Window

Component Start (UTC) End (UTC) Duration
trivy v0.69.4 2026-03-19 18:22 [^1] 2026-03-19 ~21:42 ~3 hours
trivy-action 2026-03-19 ~17:43 [^2] 2026-03-20 ~05:40 ~12 hours
setup-trivy 2026-03-19 ~17:43 [^2] 2026-03-19 ~21:44 ~4 hours
dockerhub trivy images v0.69.5 and v0.69.6 2026-03-22 15:43 2026-03-23 ~01:40 ~10 hours

[^1]: Time when v0.69.4 release artifacts became publicly available. The malicious tag was pushed at ~17:43 UTC, triggering the release pipeline. [^2]: Earliest suspicious activity observed in our audit log.

Affected Components

Note that all malicious components, artifacts, commits, etc have been removed from all sources and destinations (yet they may linger in intermediary caches). Use this information to understand if you have been exposed to the malicious artifacts during the exposure window.

trivy binary and image

You are affected if you used: 1. trivy binaries version v0.69.4 (or latest during the exposure window) distributed via GitHub, Deb, RPM. 2. trivy container images v0.69.4 (or latest during the exposure window) distributed via GHCR, ECR public, Docker Hub. 3. trivy container images v0.69.5 and v0.69.6 (or latest during the exposure window) distributed via Docker Hub.

You are not affected if you used: 1. trivy (binary or image) version v0.69.3 or earlier. 1. v0.69.3 is protected by GitHub's immutable releases feature (enabled March 3, before v0.69.3 was published). 2. v0.69.2 predates immutable releases enablement but integrity can be verified via sigstore signatures (see "How to Verify" section below). 2. trivy images referenced by digest. 4. trivy binaries built from source. 1. The malicious code was not committed to Trivy's main branch. It was fetched and built on the ephemeral runner, and also committed to a v0.70.0 branch but no release or git tag was ever pushed. 5. homebrew from official formula (brew install trivy) 1. The official homebrew formula is building trivy directly from source. 2. There's an additional custom trivy tap which was compromised as part of the v0.69.4 release, but that tap requires special installation and is not even mentioned in the trivy documentation.

aquasecurity/trivy-action GitHub Action

You are affected if you used: 1. Any tags prior except 0.35.0 (0.0.1 – 0.34.2) to reference the action. 2. the action's version: latest parameter explicitly (not the default) during the trivy binary exposure window. 3. SHA pinning to a commit prior to 2025-04-09. 1. trivy-action started pinning setup-go with pull request trivy-action#456. If you pinned trivy-action to a commit prior to that PR (merged 2025-04-09), then you would get a safe trivy-action but it would get a malicious setup-trivy, if invoked during the setup-trivy exposure window.

You are not affected if you used: 1. 0.35.0 tag 1. 0.35.0 is protected by GitHub's immutable releases feature (enabled March 4, before 0.35.0 was published) and was not affected by the tag hijacking attack. 2. SHA pinning to a safe commit commit after 2025-04-09.

aquasecurity/setup-trivy GitHub Action

You are affected if you used: 1. Any version without pinning.

You are not affected if you used: 1. SHA pinning to a safe commit.

Attack Details

Root Cause

This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have use a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack.

Trivy v0.69.4 binary and container images

The attacker created a malicious release by: 1. Pushing a commit (1885610c) that swapped the actions/checkout reference to an imposter commit (70379aad) containing a composite action that downloaded malicious Go source files from a typosquatted domain 2. Adding --skip=validate to goreleaser to bypass binary validation 3. Tagging this commit as v0.69.4, triggering the release pipeline

The compromised release was distributed across Trivy's regular distribution channels channels: GHCR, ECR Public, Docker Hub (both 0.69.4 and latest tags), deb/rpm packages, and get.trivy.dev.

The attacker attempted to release a v0.70.0 malicious release but that was stopped prematurely.

trivy-action tag hijacking

The attacker force-pushed 76 of 77 version tags to malicious commits that injected an infostealer into entrypoint.sh. The malicious code executes before the legitimate Trivy scan and does the following:

  1. Dumps Runner.Worker process memory via /proc/<pid>/mem to extract secrets. Sweeps 50+ filesystem paths for SSH keys, AWS/GCP/Azure credentials, Kubernetes tokens, Docker configs, .env files, database credentials, and cryptocurrency wallets.
  2. Encrypts collected data using AES-256-CBC with RSA-4096 hybrid encryption.
  3. Transmits to attacker-controlled infrastructure. If exfiltration fails and INPUT_GITHUB_PAT is set, creates a public tpcp-docs repository on the victim's GitHub account and uploads stolen data as a release asset.

setup-trivy release replacement

All 7 existing tags (v0.2.0 – v0.2.6) were force-pushed to malicious commits. The malicious action.yaml contained the same infostealer as trivy-action, injected as a "Setup environment" step that executes before the legitimate Trivy installation. We have removed all malicious releases within ~4 hours and re-created v0.2.6 with safe content. Tags v0.2.0 – v0.2.5 were not restored.

Trivy v0.69.5 and v0.69.6 docker image published.

The attacker created aquasec/trivy:0.69.5 and aquasec/trivy:0.69.6 with the same C2 domain as the v0.69.4 payload, and pushed them directly to Docker Hub using separately-compromised Docker Hub credentials (not via GitHub). No corresponding GitHub tags or releases existed. We have removed all tags related to 0.69.5 and 0.69.6 and restored the latest tag to the safe 0.69.3 tag.

Recommended Actions

Update to Known-Safe Versions

Component Safe Version
Trivy binary v0.69.2, v0.69.3
trivy-action v0.35.0
setup-trivy v0.2.6

Regarding trivy-action: The original tags (0.0.10.34.2) were deleted during remediation. Because the attacker's force-push caused these tags to be treated as immutable releases by GitHub, they cannot be re-created with the same names. New tags have been published with a v prefix (v0.0.1v0.34.2) pointing to the original legitimate commits. Three tags: v0.0.10, v0.34.1, and v0.34.2 have not yet been restored. If you need to reference a version older than 0.35.0, use the v-prefixed tag (e.g., aquasecurity/trivy-action@v0.34.0 instead of @0.34.0).

Rotate All Potentially Exposed Secrets

Based on information shared above, if there is any possibility that a compromised version ran in your environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately.

Audit Trivy Versions

Check whether your organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately.

Audit GitHub Action References

Review all workflows using aquasecurity/trivy-action or aquasecurity/setup-trivy. Check workflow run logs from March 19–20, 2026 for signs of compromise.

Search for Exfiltration Artifacts

Look for repositories named tpcp-docs in your GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen.

Pin GitHub Actions to Full SHA Hashes

Pin GitHub Actions to full, immutable commit SHA hashes, don't use mutable version tags. As described here: https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions

How to Verify Existing Installations

Binary verification

# Download binary and sigstore bundle
curl -sLO "https://github.com/aquasecurity/trivy/releases/download/v0.69.2/trivy_0.69.2_Linux-64bit.tar.gz"
curl -sLO "https://github.com/aquasecurity/trivy/releases/download/v0.69.2/trivy_0.69.2_Linux-64bit.tar.gz.sigstore.json"

# Verify signature
$ cosign verify-blob \
  --certificate-identity-regexp 'https://github\.com/aquasecurity/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --bundle trivy_0.69.2_Linux-64bit.tar.gz.sigstore.json \
  trivy_0.69.2_Linux-64bit.tar.gz
Verified OK

# Check signing timestamp
$ date -u -d @$(jq -r '.verificationMaterial.tlogEntries[].integratedTime' trivy_0.69.2_Linux-64bit.tar.gz.sigstore.json)
Sat Mar  1 19:11:02 UTC 2026
# ✅ Signed on Mar 1, before the attack on Mar 19

Container image verification

# Verify signature and get image digest
$ cosign verify \
  --certificate-identity-regexp 'https://github\.com/aquasecurity/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --new-bundle-format \
  ghcr.io/aquasecurity/trivy:0.69.2
Verification for ghcr.io/aquasecurity/trivy:0.69.2 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates

# Get digest and check all signing timestamps via Rekor
$ DIGEST=$(cosign verify \
  --certificate-identity-regexp 'https://github\.com/aquasecurity/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --new-bundle-format -o json ghcr.io/aquasecurity/trivy:0.69.2 2>/dev/null | \
  jq -r '.[0].critical.image."docker-manifest-digest"')

$ rekor-cli search --sha "$DIGEST" | grep -v 'Found' | while read uuid; do
    rekor-cli get --uuid "$uuid" | grep IntegratedTime
  done
IntegratedTime: 2026-03-01T19:13:52Z
IntegratedTime: 2026-03-01T19:13:47Z
IntegratedTime: 2026-03-01T19:13:57Z
IntegratedTime: 2026-03-01T19:13:54Z
IntegratedTime: 2026-03-01T19:13:46Z
IntegratedTime: 2026-03-01T19:13:37Z
# ✅ All signed on Mar 1, before the attack on Mar 19

Indicators of Compromise

Executable binaries

SHA256 Filename
c5b16c42dbd2a1494141cd651a406ec9094d5031a421c0aa624c4d139ae81239 trivy_0.69.4_FreeBSD_64bit.tar.gz
cff74e3e9ac0cda2078d31800d8fcad832d7b52c9920b085054d1e96dacff8a3 trivy_0.69.4_Linux-32bit.deb
55047c55a5ceab6d80b13884b4a4e8cd27a0bab7a218a952a00aae9e05f16f80 trivy_0.69.4_Linux-32bit.rpm
ba04ba6a0c028cde17599c8ddaefdb854055c5a23c595e06630732002ea59a76 trivy_0.69.4_Linux-32bit.tar.gz
0ca60dd18178d1c79d59cc06be12c540c121a4aea467484244667131aa13c311 trivy_0.69.4_Linux-64bit.deb
a5696321a6c93071f46c8bb8cbd0a8d2bce6d1860cc3c109247a4e8b64ebd317 trivy_0.69.4_Linux-64bit.rpm
385d498d18a3a7c67878ca7322716f9da25683eb1a4bf9e9592da0d5f2ab09f6 trivy_0.69.4_Linux-64bit.tar.gz
8f0c7b92b251c61cbca2add06c676dd21fde8fbb2d0cd6616383fae29b21756a trivy_0.69.4_Linux-ARM.deb
c5df9d1bc6275711b2884a9ed4aacfe4e10dbe3c8f6c79df59126fd0e6dcd83f trivy_0.69.4_Linux-ARM.rpm
f7a9bbfec8add36c548add4d875848b8b57c21fabe236d115f1c49113d12b332 trivy_0.69.4_Linux-ARM.tar.gz
9a833d68a49ec6d44bc50fb9ff3b184bafb0edc913e1293daebe51d334676a70 trivy_0.69.4_Linux-ARM64.deb
451ce0c4deb620894d07a2f4a37c8ea3b7a4f9b6d111651b4ac3bcc737b0fac0 trivy_0.69.4_Linux-ARM64.rpm
e401ae1e6d2442fa9a0c79dc0f3b0457ecfebf74a9c0a920159c49437f663aef trivy_0.69.4_Linux-ARM64.tar.gz
284622577cf6a7c58704de60194205f765fcef432934c200b462ef0290aa5f57 trivy_0.69.4_Linux-PPC64LE.deb
5fac89e66d70cadec5c0e30c0b0cf8bf38c145cbf06422d40d076985195e1dd6 trivy_0.69.4_Linux-PPC64LE.rpm
52518d441fd6dd25fa5126683a330592d3be80d5ce3fb9e0b1becb806ff4f857 trivy_0.69.4_Linux-PPC64LE.tar.gz
62585efcdc7767f3fe0b9ae2897fe03bf331934492fd7a5da46f14fd7bf705c8 trivy_0.69.4_Linux-s390x.deb
107be2081bdc3ddad2889ae037ab2ad6bbd214fb9a43eaa25390d00411d1c7dd trivy_0.69.4_Linux-s390x.rpm
16c855c398a8b185a907790054b70164358844a893bf9965651b88d6967c7c0a trivy_0.69.4_Linux-s390x.tar.gz
90d61cf37355b89fae9ff84867100e1721c1876007ef1771e465ce5a721141ad trivy_0.69.4_macOS-64bit.tar.gz
1dc871b02cd7a1fd80babb1b8762a2fd9cc2b735d4d3759d012626de3ccc7a5b trivy_0.69.4_macOS-ARM64.tar.gz
0376b98064636c30f5fbe60fb3b1225516e23e88dd7e909937f81d9265292e7d trivy_0.69.4_windows_64bit.zip
822dd269ec10459572dfaaefe163dae693c344249a0161953f0d5cdd110bd2a0 trivy_0.69.4_linux_amd64
e64e152afe2c722d750f10259626f357cdea40420c5eedae37969fbf13abbecf trivy_0.69.4_linux_arm64
d5edd791021b966fb6af0ace09319ace7b97d6642363ef27b3d5056ca654a94c trivy_0.69.4_s390x
ecce7ae5ffc9f57bb70efd3ea136a2923f701334a8cd47d4fbf01a97fd22859c trivy_0.69.4_ppc64le

Container images (v0.69.4)

Digest Tag
sha256:27f446230c60bbf0b70e008db798bd4f33b7826f9f76f756606f5417100beef3 0.69.4
sha256:12c702212dee1cbec9471e9261501a3335963321fe76e60e5a715b5acd3c40a2 0.69.4-linux/amd64
sha256:2d7cee41048988eec27615412e7c6e2e21046f2b5faa888c24e11ca6764058ed 0.69.4-linux/arm64
sha256:ae3494bd6ae860d7727116681bd09fc7b20dc994ec7a8105738f0a623ea93427 0.69.4-linux/ppc64le
sha256:43f46547efd488e56dcf862ed4d7cc342730a803f8d5bec5cac443028fefabef 0.69.4- linux/s390x
sha256:cc464a3961e1dbe145c75343b55c2f446e08b821782ec993728c4222b0d85589 0.69.4-signature
sha256:5aaa1d7cfa9ca4649d6ffad165435c519dc836fa6e21b729a2174ad10b057d2b 0.69.5
sha256:95ff680103570179feb0c6667a9b9b2d98c53fa5a9a451265036810390bbe70a 0.69.5-linux/arm64
sha256:4f7a06bb51714713ab308d2f8125f3b09ee1c3ffbba1a5ffd0cc80da95fbb6cc 0.69.5-linux/ppc64le
sha256:edef8e5816eced552a909b878ff262c0c47776d3297bcc23796ad4cce1e85414 0.69.5-linux/s390x
sha256:425cd3e1a2846ac73944e891250377d2b03653e6f028833e30fc00c1abbc6d33 0.69.6
sha256:dd8beb3b40df080b3fd7f9a0f5a1b02f3692f65c68980f46da8328ce8bb788ef 0.69.6-linux/amd64
sha256:4b22cedea58780ff76735c3e08b9ee8cb5d06c908ffa868152f11d45349eb696 0.69.6-linux/arm64
sha256:9efd59534d2b6b81b8b7a0eeb3ad0e74015f358650e24b9dab00c900d3118593 0.69.6-linux/ppc64le
sha256:5e5fb53cf4ce5555171ff5206302ba2f4f66f5381bbf673c354c87a925473f07 0.69.6-linux/s390x

Network

C2/sinks: - scan.aquasecurtiy.org - 45.148.10.212

GitHub Repositories

Public repo on victim's GitHub account with tpcp-docs- prefix. Stolen data uploaded as a release asset with tag data-<timestamp>.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/aquasecurity/trivy"
      },
      "versions": [
        "0.69.4"
      ]
    },
    {
      "package": {
        "ecosystem": "GitHub Actions",
        "name": "aquasecurity/trivy-action"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.35.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "GitHub Actions",
        "name": "aquasecurity/setup-trivy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33634"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T17:53:12Z",
    "nvd_published_at": "2026-03-23T22:16:31Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nOn March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits.\nOn March 22, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.5 and v0.69.6 DockerHub images.\n\n## Exposure Window\n\n| Component     | Start (UTC)            | End (UTC)         | Duration  |\n| ------------- | ---------------------- | ----------------- | --------- |\n| trivy v0.69.4 | 2026-03-19 18:22 [^1]  | 2026-03-19 ~21:42 | ~3 hours  |\n| trivy-action  | 2026-03-19 ~17:43 [^2] | 2026-03-20 ~05:40 | ~12 hours |\n| setup-trivy   | 2026-03-19 ~17:43 [^2] | 2026-03-19 ~21:44 | ~4 hours  |\n| dockerhub trivy images v0.69.5 and v0.69.6 | 2026-03-22 15:43  | 2026-03-23 ~01:40 | ~10 hours  |\n\n[^1]: Time when v0.69.4 release artifacts became publicly available. The malicious tag was pushed at ~17:43 UTC, triggering the release pipeline.\n[^2]: Earliest suspicious activity observed in our audit log.\n## Affected Components\n\nNote that all malicious components, artifacts, commits, etc have been removed from all sources and destinations (yet they may linger in intermediary caches). Use this information to understand if you have been exposed to the malicious artifacts during the exposure window.\n\n### `trivy` binary and image\n\nYou are affected if you used:\n1. trivy binaries version v0.69.4 (or latest during the exposure window) distributed via GitHub, Deb, RPM.\n2. trivy container images v0.69.4 (or latest during the exposure window) distributed via GHCR, ECR public, Docker Hub.\n3. trivy container images v0.69.5 and v0.69.6 (or latest during the exposure window) distributed via Docker Hub.\n\nYou are not affected if you used:\n1. trivy (binary or image) version v0.69.3 or earlier.\n\t1. v0.69.3 is protected by GitHub\u0027s [immutable releases](https://docs.github.com/en/repositories/releasing-projects-on-github/managing-releases-in-a-repository#creating-a-release) feature (enabled March 3, before v0.69.3 was published).\n\t2. v0.69.2 predates immutable releases enablement but integrity can be verified via sigstore signatures (see \"How to Verify\" section below).\n2. trivy images referenced by digest.\n4. trivy binaries built from source.\n\t1. The malicious code was not committed to Trivy\u0027s main branch. It was fetched and built on the ephemeral runner, and also committed to a v0.70.0 branch but no release or git tag was ever pushed.\n5. homebrew from official formula (`brew install trivy`)\n\t1. The [official homebrew formula](https://github.com/Homebrew/homebrew-core/blob/785817ba05ed32eef15490bb105f67bd973aa7c2/Formula/t/trivy.rb) is building trivy directly from source.\n\t2. There\u0027s an additional custom [trivy tap](https://github.com/aquasecurity/homebrew-trivy) which was compromised as part of the v0.69.4 release, but that tap requires special installation and is not even mentioned in the trivy documentation.\n\n### `aquasecurity/trivy-action` GitHub Action\n\nYou are affected if you used:\n1. Any tags prior except 0.35.0 (0.0.1 \u2013 0.34.2) to reference the action.\n2. the action\u0027s `version: latest` parameter explicitly (not the default) during the trivy binary exposure window.\n3. SHA pinning to a commit prior to 2025-04-09.\n\t1. trivy-action started pinning setup-go with pull request [trivy-action#456](https://github.com/aquasecurity/trivy-action/pull/456#event-17180670975). If you pinned trivy-action to a commit prior to that PR (merged 2025-04-09), then you would get a safe trivy-action but it would get a malicious setup-trivy, if invoked during the setup-trivy exposure window.\n\nYou are not affected if you used:\n1. 0.35.0 tag\n\t1. 0.35.0 is protected by GitHub\u0027s immutable releases feature (enabled March 4, before 0.35.0 was published) and was not affected by the tag hijacking attack.\n2. SHA pinning to a safe commit commit after 2025-04-09.\n\n### `aquasecurity/setup-trivy` GitHub Action\n\nYou are affected if you used:\n1. Any version without pinning.\n\nYou are not affected if you used:\n1. SHA pinning to a safe commit.\n\n## Attack Details\n\n### Root Cause\n\nThis incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have use a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack.\n### Trivy v0.69.4 binary and container images\n\nThe attacker created a malicious release by:\n1. Pushing a commit (`1885610c`) that swapped the `actions/checkout` reference to an imposter commit (`70379aad`) containing a composite action that downloaded malicious Go source files from a typosquatted domain\n2. Adding `--skip=validate` to goreleaser to bypass binary validation\n3. Tagging this commit as `v0.69.4`, triggering the release pipeline\n\nThe compromised release was distributed across Trivy\u0027s regular distribution channels channels: GHCR, ECR Public, Docker Hub (both `0.69.4` and `latest` tags), deb/rpm packages, and `get.trivy.dev`.\n\nThe attacker attempted to release a v0.70.0 malicious release but that was stopped prematurely.\n### trivy-action tag hijacking\n\nThe attacker force-pushed 76 of 77 version tags to malicious commits that injected an infostealer into `entrypoint.sh`. The malicious code executes before the legitimate Trivy scan and does the following:\n\n1. Dumps `Runner.Worker` process memory via `/proc/\u003cpid\u003e/mem` to extract secrets. Sweeps 50+ filesystem paths for SSH keys, AWS/GCP/Azure credentials, Kubernetes tokens, Docker configs, `.env` files, database credentials, and cryptocurrency wallets.\n2. Encrypts collected data using AES-256-CBC with RSA-4096 hybrid encryption.\n3. Transmits to attacker-controlled infrastructure. If exfiltration fails and `INPUT_GITHUB_PAT` is set, creates a public `tpcp-docs` repository on the victim\u0027s GitHub account and uploads stolen data as a release asset.\n\n### setup-trivy release replacement\n\nAll 7 existing tags (v0.2.0 \u2013 v0.2.6) were force-pushed to malicious commits. The malicious `action.yaml` contained the same infostealer as trivy-action, injected as a \"Setup environment\" step that executes before the legitimate Trivy installation. \nWe have removed all malicious releases within ~4 hours and re-created v0.2.6 with safe content. Tags v0.2.0 \u2013 v0.2.5 were not restored.\n\n### Trivy v0.69.5 and v0.69.6 docker image published.\nThe attacker created `aquasec/trivy:0.69.5` and `aquasec/trivy:0.69.6` with the same C2 domain as the `v0.69.4` payload, and pushed them directly to Docker Hub using separately-compromised Docker Hub credentials (not via GitHub). No corresponding GitHub tags or releases existed.\nWe have removed all tags related to `0.69.5` and `0.69.6` and restored the latest tag to the safe `0.69.3` tag.\n\n## Recommended Actions\n\n### Update to Known-Safe Versions\n\n| Component    | Safe Version     |\n| ------------ | ---------------- |\n| Trivy binary | v0.69.2, v0.69.3 |\n| trivy-action | v0.35.0          |\n| setup-trivy  | v0.2.6           |\n\nRegarding trivy-action: The original tags (`0.0.1` \u2013 `0.34.2`) were deleted during remediation. Because the attacker\u0027s force-push caused these tags to be treated as immutable releases by GitHub, they cannot be re-created with the same names. New tags have been published with a `v` prefix (`v0.0.1` \u2013 `v0.34.2`) pointing to the original legitimate commits. Three tags: `v0.0.10`, `v0.34.1`, and `v0.34.2` have not yet been restored. If you need to reference a version older than 0.35.0, use the `v`-prefixed tag (e.g., `aquasecurity/trivy-action@v0.34.0` instead of `@0.34.0`). \n### Rotate All Potentially Exposed Secrets\n\nBased on information shared above, if there is any possibility that a compromised version ran in your environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately.\n### Audit Trivy Versions\nCheck whether your organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately.\n### Audit GitHub Action References\nReview all workflows using `aquasecurity/trivy-action` or `aquasecurity/setup-trivy`. Check workflow run logs from March 19\u201320, 2026 for signs of compromise.\n### Search for Exfiltration Artifacts\nLook for repositories named `tpcp-docs` in your GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen.\n### Pin GitHub Actions to Full SHA Hashes\nPin GitHub Actions to full, immutable commit SHA hashes, don\u0027t use mutable version tags. As described here: https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions\n## How to Verify Existing Installations\n\n### Binary verification\n\n```bash\n# Download binary and sigstore bundle\ncurl -sLO \"https://github.com/aquasecurity/trivy/releases/download/v0.69.2/trivy_0.69.2_Linux-64bit.tar.gz\"\ncurl -sLO \"https://github.com/aquasecurity/trivy/releases/download/v0.69.2/trivy_0.69.2_Linux-64bit.tar.gz.sigstore.json\"\n\n# Verify signature\n$ cosign verify-blob \\\n  --certificate-identity-regexp \u0027https://github\\.com/aquasecurity/\u0027 \\\n  --certificate-oidc-issuer \u0027https://token.actions.githubusercontent.com\u0027 \\\n  --bundle trivy_0.69.2_Linux-64bit.tar.gz.sigstore.json \\\n  trivy_0.69.2_Linux-64bit.tar.gz\nVerified OK\n\n# Check signing timestamp\n$ date -u -d @$(jq -r \u0027.verificationMaterial.tlogEntries[].integratedTime\u0027 trivy_0.69.2_Linux-64bit.tar.gz.sigstore.json)\nSat Mar  1 19:11:02 UTC 2026\n# \u2705 Signed on Mar 1, before the attack on Mar 19\n```\n\n### Container image verification\n\n```bash\n# Verify signature and get image digest\n$ cosign verify \\\n  --certificate-identity-regexp \u0027https://github\\.com/aquasecurity/\u0027 \\\n  --certificate-oidc-issuer \u0027https://token.actions.githubusercontent.com\u0027 \\\n  --new-bundle-format \\\n  ghcr.io/aquasecurity/trivy:0.69.2\nVerification for ghcr.io/aquasecurity/trivy:0.69.2 --\nThe following checks were performed on each of these signatures:\n  - The cosign claims were validated\n  - Existence of the claims in the transparency log was verified offline\n  - The code-signing certificate was verified using trusted certificate authority certificates\n\n# Get digest and check all signing timestamps via Rekor\n$ DIGEST=$(cosign verify \\\n  --certificate-identity-regexp \u0027https://github\\.com/aquasecurity/\u0027 \\\n  --certificate-oidc-issuer \u0027https://token.actions.githubusercontent.com\u0027 \\\n  --new-bundle-format -o json ghcr.io/aquasecurity/trivy:0.69.2 2\u003e/dev/null | \\\n  jq -r \u0027.[0].critical.image.\"docker-manifest-digest\"\u0027)\n\n$ rekor-cli search --sha \"$DIGEST\" | grep -v \u0027Found\u0027 | while read uuid; do\n    rekor-cli get --uuid \"$uuid\" | grep IntegratedTime\n  done\nIntegratedTime: 2026-03-01T19:13:52Z\nIntegratedTime: 2026-03-01T19:13:47Z\nIntegratedTime: 2026-03-01T19:13:57Z\nIntegratedTime: 2026-03-01T19:13:54Z\nIntegratedTime: 2026-03-01T19:13:46Z\nIntegratedTime: 2026-03-01T19:13:37Z\n# \u2705 All signed on Mar 1, before the attack on Mar 19\n```\n\n\n## Indicators of Compromise\n\n### Executable binaries\n\n| SHA256                                                             | Filename                            |\n| ------------------------------------------------------------------ | ----------------------------------- |\n| `c5b16c42dbd2a1494141cd651a406ec9094d5031a421c0aa624c4d139ae81239` | `trivy_0.69.4_FreeBSD_64bit.tar.gz` |\n| `cff74e3e9ac0cda2078d31800d8fcad832d7b52c9920b085054d1e96dacff8a3` | `trivy_0.69.4_Linux-32bit.deb`      |\n| `55047c55a5ceab6d80b13884b4a4e8cd27a0bab7a218a952a00aae9e05f16f80` | `trivy_0.69.4_Linux-32bit.rpm`      |\n| `ba04ba6a0c028cde17599c8ddaefdb854055c5a23c595e06630732002ea59a76` | `trivy_0.69.4_Linux-32bit.tar.gz`   |\n| `0ca60dd18178d1c79d59cc06be12c540c121a4aea467484244667131aa13c311` | `trivy_0.69.4_Linux-64bit.deb`      |\n| `a5696321a6c93071f46c8bb8cbd0a8d2bce6d1860cc3c109247a4e8b64ebd317` | `trivy_0.69.4_Linux-64bit.rpm`      |\n| `385d498d18a3a7c67878ca7322716f9da25683eb1a4bf9e9592da0d5f2ab09f6` | `trivy_0.69.4_Linux-64bit.tar.gz`   |\n| `8f0c7b92b251c61cbca2add06c676dd21fde8fbb2d0cd6616383fae29b21756a` | `trivy_0.69.4_Linux-ARM.deb`        |\n| `c5df9d1bc6275711b2884a9ed4aacfe4e10dbe3c8f6c79df59126fd0e6dcd83f` | `trivy_0.69.4_Linux-ARM.rpm`        |\n| `f7a9bbfec8add36c548add4d875848b8b57c21fabe236d115f1c49113d12b332` | `trivy_0.69.4_Linux-ARM.tar.gz`     |\n| `9a833d68a49ec6d44bc50fb9ff3b184bafb0edc913e1293daebe51d334676a70` | `trivy_0.69.4_Linux-ARM64.deb`      |\n| `451ce0c4deb620894d07a2f4a37c8ea3b7a4f9b6d111651b4ac3bcc737b0fac0` | `trivy_0.69.4_Linux-ARM64.rpm`      |\n| `e401ae1e6d2442fa9a0c79dc0f3b0457ecfebf74a9c0a920159c49437f663aef` | `trivy_0.69.4_Linux-ARM64.tar.gz`   |\n| `284622577cf6a7c58704de60194205f765fcef432934c200b462ef0290aa5f57` | `trivy_0.69.4_Linux-PPC64LE.deb`    |\n| `5fac89e66d70cadec5c0e30c0b0cf8bf38c145cbf06422d40d076985195e1dd6` | `trivy_0.69.4_Linux-PPC64LE.rpm`    |\n| `52518d441fd6dd25fa5126683a330592d3be80d5ce3fb9e0b1becb806ff4f857` | `trivy_0.69.4_Linux-PPC64LE.tar.gz` |\n| `62585efcdc7767f3fe0b9ae2897fe03bf331934492fd7a5da46f14fd7bf705c8` | `trivy_0.69.4_Linux-s390x.deb`      |\n| `107be2081bdc3ddad2889ae037ab2ad6bbd214fb9a43eaa25390d00411d1c7dd` | `trivy_0.69.4_Linux-s390x.rpm`      |\n| `16c855c398a8b185a907790054b70164358844a893bf9965651b88d6967c7c0a` | `trivy_0.69.4_Linux-s390x.tar.gz`   |\n| `90d61cf37355b89fae9ff84867100e1721c1876007ef1771e465ce5a721141ad` | `trivy_0.69.4_macOS-64bit.tar.gz`   |\n| `1dc871b02cd7a1fd80babb1b8762a2fd9cc2b735d4d3759d012626de3ccc7a5b` | `trivy_0.69.4_macOS-ARM64.tar.gz`   |\n| `0376b98064636c30f5fbe60fb3b1225516e23e88dd7e909937f81d9265292e7d` | `trivy_0.69.4_windows_64bit.zip`    |\n| `822dd269ec10459572dfaaefe163dae693c344249a0161953f0d5cdd110bd2a0` | `trivy_0.69.4_linux_amd64`          |\n| `e64e152afe2c722d750f10259626f357cdea40420c5eedae37969fbf13abbecf` | `trivy_0.69.4_linux_arm64`          |\n| `d5edd791021b966fb6af0ace09319ace7b97d6642363ef27b3d5056ca654a94c` | `trivy_0.69.4_s390x`                |\n| `ecce7ae5ffc9f57bb70efd3ea136a2923f701334a8cd47d4fbf01a97fd22859c` | `trivy_0.69.4_ppc64le`              |\n\n### Container images (v0.69.4)\n\n| Digest                                                                    | Tag                      |\n| ------------------------------------------------------------------------- | ------------------------ |\n| `sha256:27f446230c60bbf0b70e008db798bd4f33b7826f9f76f756606f5417100beef3` | `0.69.4`                 |\n| `sha256:12c702212dee1cbec9471e9261501a3335963321fe76e60e5a715b5acd3c40a2` | `0.69.4-linux/amd64`     |\n| `sha256:2d7cee41048988eec27615412e7c6e2e21046f2b5faa888c24e11ca6764058ed` | `0.69.4-linux/arm64`     |\n| `sha256:ae3494bd6ae860d7727116681bd09fc7b20dc994ec7a8105738f0a623ea93427` | `0.69.4-linux/ppc64le`   |\n| `sha256:43f46547efd488e56dcf862ed4d7cc342730a803f8d5bec5cac443028fefabef` | `0.69.4- linux/s390x`    |\n| `sha256:cc464a3961e1dbe145c75343b55c2f446e08b821782ec993728c4222b0d85589` | `0.69.4-signature`       |\n| `sha256:5aaa1d7cfa9ca4649d6ffad165435c519dc836fa6e21b729a2174ad10b057d2b` | `0.69.5`                 |\n| `sha256:95ff680103570179feb0c6667a9b9b2d98c53fa5a9a451265036810390bbe70a` | `0.69.5-linux/arm64`\u003cbr\u003e |\n| `sha256:4f7a06bb51714713ab308d2f8125f3b09ee1c3ffbba1a5ffd0cc80da95fbb6cc` | `0.69.5-linux/ppc64le`   |\n| `sha256:edef8e5816eced552a909b878ff262c0c47776d3297bcc23796ad4cce1e85414` | `0.69.5-linux/s390x`     |\n| `sha256:425cd3e1a2846ac73944e891250377d2b03653e6f028833e30fc00c1abbc6d33` | `0.69.6`                 |\n| `sha256:dd8beb3b40df080b3fd7f9a0f5a1b02f3692f65c68980f46da8328ce8bb788ef` | `0.69.6-linux/amd64`     |\n| `sha256:4b22cedea58780ff76735c3e08b9ee8cb5d06c908ffa868152f11d45349eb696` | `0.69.6-linux/arm64`     |\n| `sha256:9efd59534d2b6b81b8b7a0eeb3ad0e74015f358650e24b9dab00c900d3118593` | `0.69.6-linux/ppc64le`   |\n| `sha256:5e5fb53cf4ce5555171ff5206302ba2f4f66f5381bbf673c354c87a925473f07` | `0.69.6-linux/s390x`     |\n\n### Network\nC2/sinks:\n- `scan.aquasecurtiy.org`\n- `45.148.10.212`\n\n### GitHub Repositories\n\nPublic repo on victim\u0027s GitHub account with `tpcp-docs-` prefix.\nStolen data uploaded as a release asset with tag `data-\u003ctimestamp\u003e`.",
  "id": "GHSA-69fq-xp46-6x23",
  "modified": "2026-03-30T20:51:03Z",
  "published": "2026-03-24T17:53:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23"
    },
    {
      "type": "WEB",
      "url": "https://github.com/team-telnyx/telnyx-python/security/advisories/GHSA-955r-262c-33jc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33634"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BerriAI/litellm/issues/24518"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BerriAI/litellm/issues/24518#issuecomment-4127436387"
    },
    {
      "type": "WEB",
      "url": "https://docs.litellm.ai/blog/security-update-march-2026"
    },
    {
      "type": "WEB",
      "url": "https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aquasecurity/trivy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aquasecurity/trivy/discussions/10425"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/litellm/PYSEC-2026-2.yaml"
    },
    {
      "type": "WEB",
      "url": "https://inspector.pypi.io/project/litellm/1.82.7/packages/79/5f/b6998d42c6ccd32d36e12661f2734602e72a576d52a51f4245aef0b20b4d/litellm-1.82.7-py3-none-any.whl/litellm/proxy/proxy_server.py#line.130"
    },
    {
      "type": "WEB",
      "url": "https://inspector.pypi.io/project/litellm/1.82.8/packages/f6/2c/731b614e6cee0bca1e010a36fd381fba69ee836fe3cb6753ba23ef2b9601/litellm-1.82.8.tar.gz/litellm-1.82.8/litellm_init.pth#line.1"
    },
    {
      "type": "WEB",
      "url": "https://rosesecurity.dev/2026/03/20/typosquatting-trivy.html"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33634"
    },
    {
      "type": "WEB",
      "url": "https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise"
    },
    {
      "type": "WEB",
      "url": "https://www.wiz.io/blog/teampcp-attack-kics-github-action"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Trivy ecosystem supply chain was briefly compromised"
}

GHSA-69MF-2CW2-38M8

Vulnerability from github – Published: 2020-09-03 23:04 – Updated: 2021-09-30 17:13
VLAI
Summary
Malicious Package in js-shc3
Details

Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.

Recommendation

Remove the package from your environment. Ensure no Ethereum funds were compromised.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "js-shc3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:53:49Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.\n\n\n## Recommendation\n\nRemove the package from your environment. Ensure no Ethereum funds were compromised.",
  "id": "GHSA-69mf-2cw2-38m8",
  "modified": "2021-09-30T17:13:22Z",
  "published": "2020-09-03T23:04:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1286"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malicious Package in js-shc3"
}

Mitigation
Implementation Operation

Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.

CAPEC-442: Infected Software

An adversary adds malicious logic, often in the form of a computer virus, to otherwise benign software. This logic is often hidden from the user of the software and works behind the scenes to achieve negative impacts. Many times, the malicious logic is inserted into empty space between legitimate code, and is then called when the software is executed. This pattern of attack focuses on software already fielded and used in operation as opposed to software that is still under development and part of the supply chain.

CAPEC-448: Embed Virus into DLL

An adversary tampers with a DLL and embeds a computer virus into gaps between legitimate machine instructions. These gaps may be the result of compiler optimizations that pad memory blocks for performance gains. The embedded virus then attempts to infect any machine which interfaces with the product, and possibly steal private data or eavesdrop.

CAPEC-636: Hiding Malicious Data or Code within Files

Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.