CWE-506
Allowed-with-ReviewEmbedded Malicious Code
Abstraction: Class · Status: Incomplete
The product contains code that appears to be malicious in nature.
525 vulnerabilities reference this CWE, most recent first.
GHSA-657V-JJF8-83GH
Vulnerability from github – Published: 2020-09-03 23:14 – Updated: 2021-10-01 14:37Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.
Recommendation
Remove the package from your environment. Ensure no Ethereum funds were compromised.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "jsmsha3"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:54:10Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.\n\n\n## Recommendation\n\nRemove the package from your environment. Ensure no Ethereum funds were compromised.",
"id": "GHSA-657v-jjf8-83gh",
"modified": "2021-10-01T14:37:41Z",
"published": "2020-09-03T23:14:55Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1295"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in jsmsha3"
}
GHSA-6584-GFWM-3VC3
Vulnerability from github – Published: 2020-09-03 21:43 – Updated: 2021-09-29 20:54Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.
Recommendation
Remove the package from your environment. Ensure no Ethereum funds were compromised.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "budfer-xor"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:51:43Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.\n\n\n## Recommendation\n\nRemove the package from your environment. Ensure no Ethereum funds were compromised.",
"id": "GHSA-6584-gfwm-3vc3",
"modified": "2021-09-29T20:54:03Z",
"published": "2020-09-03T21:43:01Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1233"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in budfer-xor"
}
GHSA-658G-P7JG-WX5G
Vulnerability from github – Published: 2026-04-02 18:34 – Updated: 2026-04-06 23:41Impact
This is a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT).
Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted.
Potential impact includes:
- Execution of a malicious
postinstallscript - Remote Access Trojan (RAT) installation
- Exfiltration of credentials and sensitive data
Not impacted:
- Bruno desktop app users
- Users who installed outside the attack window
Patches
The compromised axios versions (1.14.1, 0.30.4) have been removed from npm, and new installations will now resolve to safe versions.
Additionally, Bruno has taken further hardening steps:
- Pinned
axiosto a known safe version to prevent accidental resolution to malicious releases - Fix implemented in: https://github.com/usebruno/bruno/pull/7632
Recommendation
If users installed @usebruno/cli during the affected window: 1. Reinstall dependencies 2. Rotate all credentials and secrets:
For additional guidance on securing your system, refer to this article: https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 3.2.0"
},
"package": {
"ecosystem": "npm",
"name": "@usebruno/cli"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34841"
],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-494",
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-02T18:34:04Z",
"nvd_published_at": "2026-04-06T17:17:10Z",
"severity": "CRITICAL"
},
"details": "### **Impact**\n\nThis is a **supply chain attack** involving compromised versions of the `axios` npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT).\n\nUsers of **@usebruno/cli** who ran `npm install` between **00:21 UTC and ~03:30 UTC on March 31, 2026** may have been impacted.\n\nPotential impact includes:\n\n* Execution of a malicious `postinstall` script\n* Remote Access Trojan (RAT) installation\n* Exfiltration of credentials and sensitive data\n\n**Not impacted:**\n\n* Bruno desktop app users\n* Users who installed outside the attack window\n\n\n### **Patches**\n\nThe compromised `axios` versions (`1.14.1`, `0.30.4`) have been **removed from npm**, and new installations will now resolve to safe versions.\n\nAdditionally, Bruno has taken further hardening steps:\n\n* Pinned `axios` to a known safe version to prevent accidental resolution to malicious releases\n* Fix implemented in: [https://github.com/usebruno/bruno/pull/7632](https://github.com/usebruno/bruno/pull/7632)\n\n\n### **Recommendation**\n\nIf users installed **@usebruno/cli** during the affected window:\n1. Reinstall dependencies\n2. Rotate all credentials and secrets:\n\nFor additional guidance on securing your system, refer to this article:\nhttps://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat",
"id": "GHSA-658g-p7jg-wx5g",
"modified": "2026-04-06T23:41:01Z",
"published": "2026-04-02T18:34:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/usebruno/bruno/security/advisories/GHSA-658g-p7jg-wx5g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34841"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/issues/10604"
},
{
"type": "WEB",
"url": "https://github.com/usebruno/bruno/pull/7632"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-fw8c-xr5c-95f9"
},
{
"type": "PACKAGE",
"url": "https://github.com/usebruno/bruno"
},
{
"type": "WEB",
"url": "https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Axios npm Supply Chain Incident Impacting @usebruno/cli"
}
GHSA-65J7-66P7-9XGF
Vulnerability from github – Published: 2020-09-02 21:51 – Updated: 2021-09-30 21:59Version 1.2.2 of font-scrubber contains malicious code as a postinstall script. The package attempts to upload sensitive files from the system to a remote server. The files include configuration files, command history logs, SSH keys and /etc/passwd.
Recommendation
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.
The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "font-scrubber"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:40:34Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Version 1.2.2 of `font-scrubber` contains malicious code as a postinstall script. The package attempts to upload sensitive files from the system to a remote server. The files include configuration files, command history logs, SSH keys and /etc/passwd.\n\n\n## Recommendation\n\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.\n\nThe package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.",
"id": "GHSA-65j7-66p7-9xgf",
"modified": "2021-09-30T21:59:50Z",
"published": "2020-09-02T21:51:55Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/919"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in font-scrubber"
}
GHSA-674R-XX4C-GJ7X
Vulnerability from github – Published: 2020-09-03 17:04 – Updated: 2021-10-04 14:28All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets.
Recommendation
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.
The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "sb58"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:58:10Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets.\n\n\n## Recommendation\n\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.\n\nThe package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.",
"id": "GHSA-674r-xx4c-gj7x",
"modified": "2021-10-04T14:28:19Z",
"published": "2020-09-03T17:04:05Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1406"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in sb58"
}
GHSA-67MP-PCV9-VVQ6
Vulnerability from github – Published: 2020-09-03 22:57 – Updated: 2021-09-30 16:35Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.
Recommendation
Remove the package from your environment. Ensure no Ethereum funds were compromised.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "jr-sha3"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:53:33Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.\n\n\n## Recommendation\n\nRemove the package from your environment. Ensure no Ethereum funds were compromised.",
"id": "GHSA-67mp-pcv9-vvq6",
"modified": "2021-09-30T16:35:36Z",
"published": "2020-09-03T22:57:14Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1279"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in jr-sha3"
}
GHSA-6879-XR95-5GF4
Vulnerability from github – Published: 2020-09-03 17:20 – Updated: 2021-09-30 17:16All versions of malicious-do-not-install contain malicious code. The package copies the contents of /etc/passwd and /etc/shadow to files in the local /tmp/ folder.
Recommendation
Remove the package from your environment and rotate affected credentials.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "malicious-do-not-install"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:45:05Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "All versions of `malicious-do-not-install` contain malicious code. The package copies the contents of `/etc/passwd` and `/etc/shadow` to files in the local `/tmp/` folder.\n\n\n## Recommendation\n\nRemove the package from your environment and rotate affected credentials.",
"id": "GHSA-6879-xr95-5gf4",
"modified": "2021-09-30T17:16:35Z",
"published": "2020-09-03T17:20:15Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1040"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in malicious-do-not-install"
}
GHSA-692H-G37C-QV44
Vulnerability from github – Published: 2020-09-03 23:25 – Updated: 2021-10-01 16:15All versions of sj-tw-sec contain malicious code. The package downloads and runs a script that opens a reverse shell in the system.
Recommendation
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.
The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "sj-tw-sec"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:54:37Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "All versions of `sj-tw-sec` contain malicious code. The package downloads and runs a script that opens a reverse shell in the system.\n\n\n## Recommendation\n\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.\n\nThe package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.",
"id": "GHSA-692h-g37c-qv44",
"modified": "2021-10-01T16:15:23Z",
"published": "2020-09-03T23:25:30Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1309"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in sj-tw-sec"
}
GHSA-69FQ-XP46-6X23
Vulnerability from github – Published: 2026-03-24 17:53 – Updated: 2026-03-30 20:51Summary
On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in aquasecurity/trivy-action to credential-stealing malware, and replace all 7 tags in aquasecurity/setup-trivy with malicious commits.
On March 22, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.5 and v0.69.6 DockerHub images.
Exposure Window
| Component | Start (UTC) | End (UTC) | Duration |
|---|---|---|---|
| trivy v0.69.4 | 2026-03-19 18:22 [^1] | 2026-03-19 ~21:42 | ~3 hours |
| trivy-action | 2026-03-19 ~17:43 [^2] | 2026-03-20 ~05:40 | ~12 hours |
| setup-trivy | 2026-03-19 ~17:43 [^2] | 2026-03-19 ~21:44 | ~4 hours |
| dockerhub trivy images v0.69.5 and v0.69.6 | 2026-03-22 15:43 | 2026-03-23 ~01:40 | ~10 hours |
[^1]: Time when v0.69.4 release artifacts became publicly available. The malicious tag was pushed at ~17:43 UTC, triggering the release pipeline. [^2]: Earliest suspicious activity observed in our audit log.
Affected Components
Note that all malicious components, artifacts, commits, etc have been removed from all sources and destinations (yet they may linger in intermediary caches). Use this information to understand if you have been exposed to the malicious artifacts during the exposure window.
trivy binary and image
You are affected if you used: 1. trivy binaries version v0.69.4 (or latest during the exposure window) distributed via GitHub, Deb, RPM. 2. trivy container images v0.69.4 (or latest during the exposure window) distributed via GHCR, ECR public, Docker Hub. 3. trivy container images v0.69.5 and v0.69.6 (or latest during the exposure window) distributed via Docker Hub.
You are not affected if you used:
1. trivy (binary or image) version v0.69.3 or earlier.
1. v0.69.3 is protected by GitHub's immutable releases feature (enabled March 3, before v0.69.3 was published).
2. v0.69.2 predates immutable releases enablement but integrity can be verified via sigstore signatures (see "How to Verify" section below).
2. trivy images referenced by digest.
4. trivy binaries built from source.
1. The malicious code was not committed to Trivy's main branch. It was fetched and built on the ephemeral runner, and also committed to a v0.70.0 branch but no release or git tag was ever pushed.
5. homebrew from official formula (brew install trivy)
1. The official homebrew formula is building trivy directly from source.
2. There's an additional custom trivy tap which was compromised as part of the v0.69.4 release, but that tap requires special installation and is not even mentioned in the trivy documentation.
aquasecurity/trivy-action GitHub Action
You are affected if you used:
1. Any tags prior except 0.35.0 (0.0.1 – 0.34.2) to reference the action.
2. the action's version: latest parameter explicitly (not the default) during the trivy binary exposure window.
3. SHA pinning to a commit prior to 2025-04-09.
1. trivy-action started pinning setup-go with pull request trivy-action#456. If you pinned trivy-action to a commit prior to that PR (merged 2025-04-09), then you would get a safe trivy-action but it would get a malicious setup-trivy, if invoked during the setup-trivy exposure window.
You are not affected if you used: 1. 0.35.0 tag 1. 0.35.0 is protected by GitHub's immutable releases feature (enabled March 4, before 0.35.0 was published) and was not affected by the tag hijacking attack. 2. SHA pinning to a safe commit commit after 2025-04-09.
aquasecurity/setup-trivy GitHub Action
You are affected if you used: 1. Any version without pinning.
You are not affected if you used: 1. SHA pinning to a safe commit.
Attack Details
Root Cause
This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have use a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack.
Trivy v0.69.4 binary and container images
The attacker created a malicious release by:
1. Pushing a commit (1885610c) that swapped the actions/checkout reference to an imposter commit (70379aad) containing a composite action that downloaded malicious Go source files from a typosquatted domain
2. Adding --skip=validate to goreleaser to bypass binary validation
3. Tagging this commit as v0.69.4, triggering the release pipeline
The compromised release was distributed across Trivy's regular distribution channels channels: GHCR, ECR Public, Docker Hub (both 0.69.4 and latest tags), deb/rpm packages, and get.trivy.dev.
The attacker attempted to release a v0.70.0 malicious release but that was stopped prematurely.
trivy-action tag hijacking
The attacker force-pushed 76 of 77 version tags to malicious commits that injected an infostealer into entrypoint.sh. The malicious code executes before the legitimate Trivy scan and does the following:
- Dumps
Runner.Workerprocess memory via/proc/<pid>/memto extract secrets. Sweeps 50+ filesystem paths for SSH keys, AWS/GCP/Azure credentials, Kubernetes tokens, Docker configs,.envfiles, database credentials, and cryptocurrency wallets. - Encrypts collected data using AES-256-CBC with RSA-4096 hybrid encryption.
- Transmits to attacker-controlled infrastructure. If exfiltration fails and
INPUT_GITHUB_PATis set, creates a publictpcp-docsrepository on the victim's GitHub account and uploads stolen data as a release asset.
setup-trivy release replacement
All 7 existing tags (v0.2.0 – v0.2.6) were force-pushed to malicious commits. The malicious action.yaml contained the same infostealer as trivy-action, injected as a "Setup environment" step that executes before the legitimate Trivy installation.
We have removed all malicious releases within ~4 hours and re-created v0.2.6 with safe content. Tags v0.2.0 – v0.2.5 were not restored.
Trivy v0.69.5 and v0.69.6 docker image published.
The attacker created aquasec/trivy:0.69.5 and aquasec/trivy:0.69.6 with the same C2 domain as the v0.69.4 payload, and pushed them directly to Docker Hub using separately-compromised Docker Hub credentials (not via GitHub). No corresponding GitHub tags or releases existed.
We have removed all tags related to 0.69.5 and 0.69.6 and restored the latest tag to the safe 0.69.3 tag.
Recommended Actions
Update to Known-Safe Versions
| Component | Safe Version |
|---|---|
| Trivy binary | v0.69.2, v0.69.3 |
| trivy-action | v0.35.0 |
| setup-trivy | v0.2.6 |
Regarding trivy-action: The original tags (0.0.1 – 0.34.2) were deleted during remediation. Because the attacker's force-push caused these tags to be treated as immutable releases by GitHub, they cannot be re-created with the same names. New tags have been published with a v prefix (v0.0.1 – v0.34.2) pointing to the original legitimate commits. Three tags: v0.0.10, v0.34.1, and v0.34.2 have not yet been restored. If you need to reference a version older than 0.35.0, use the v-prefixed tag (e.g., aquasecurity/trivy-action@v0.34.0 instead of @0.34.0).
Rotate All Potentially Exposed Secrets
Based on information shared above, if there is any possibility that a compromised version ran in your environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately.
Audit Trivy Versions
Check whether your organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately.
Audit GitHub Action References
Review all workflows using aquasecurity/trivy-action or aquasecurity/setup-trivy. Check workflow run logs from March 19–20, 2026 for signs of compromise.
Search for Exfiltration Artifacts
Look for repositories named tpcp-docs in your GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen.
Pin GitHub Actions to Full SHA Hashes
Pin GitHub Actions to full, immutable commit SHA hashes, don't use mutable version tags. As described here: https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions
How to Verify Existing Installations
Binary verification
# Download binary and sigstore bundle
curl -sLO "https://github.com/aquasecurity/trivy/releases/download/v0.69.2/trivy_0.69.2_Linux-64bit.tar.gz"
curl -sLO "https://github.com/aquasecurity/trivy/releases/download/v0.69.2/trivy_0.69.2_Linux-64bit.tar.gz.sigstore.json"
# Verify signature
$ cosign verify-blob \
--certificate-identity-regexp 'https://github\.com/aquasecurity/' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--bundle trivy_0.69.2_Linux-64bit.tar.gz.sigstore.json \
trivy_0.69.2_Linux-64bit.tar.gz
Verified OK
# Check signing timestamp
$ date -u -d @$(jq -r '.verificationMaterial.tlogEntries[].integratedTime' trivy_0.69.2_Linux-64bit.tar.gz.sigstore.json)
Sat Mar 1 19:11:02 UTC 2026
# ✅ Signed on Mar 1, before the attack on Mar 19
Container image verification
# Verify signature and get image digest
$ cosign verify \
--certificate-identity-regexp 'https://github\.com/aquasecurity/' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--new-bundle-format \
ghcr.io/aquasecurity/trivy:0.69.2
Verification for ghcr.io/aquasecurity/trivy:0.69.2 --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The code-signing certificate was verified using trusted certificate authority certificates
# Get digest and check all signing timestamps via Rekor
$ DIGEST=$(cosign verify \
--certificate-identity-regexp 'https://github\.com/aquasecurity/' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--new-bundle-format -o json ghcr.io/aquasecurity/trivy:0.69.2 2>/dev/null | \
jq -r '.[0].critical.image."docker-manifest-digest"')
$ rekor-cli search --sha "$DIGEST" | grep -v 'Found' | while read uuid; do
rekor-cli get --uuid "$uuid" | grep IntegratedTime
done
IntegratedTime: 2026-03-01T19:13:52Z
IntegratedTime: 2026-03-01T19:13:47Z
IntegratedTime: 2026-03-01T19:13:57Z
IntegratedTime: 2026-03-01T19:13:54Z
IntegratedTime: 2026-03-01T19:13:46Z
IntegratedTime: 2026-03-01T19:13:37Z
# ✅ All signed on Mar 1, before the attack on Mar 19
Indicators of Compromise
Executable binaries
| SHA256 | Filename |
|---|---|
c5b16c42dbd2a1494141cd651a406ec9094d5031a421c0aa624c4d139ae81239 |
trivy_0.69.4_FreeBSD_64bit.tar.gz |
cff74e3e9ac0cda2078d31800d8fcad832d7b52c9920b085054d1e96dacff8a3 |
trivy_0.69.4_Linux-32bit.deb |
55047c55a5ceab6d80b13884b4a4e8cd27a0bab7a218a952a00aae9e05f16f80 |
trivy_0.69.4_Linux-32bit.rpm |
ba04ba6a0c028cde17599c8ddaefdb854055c5a23c595e06630732002ea59a76 |
trivy_0.69.4_Linux-32bit.tar.gz |
0ca60dd18178d1c79d59cc06be12c540c121a4aea467484244667131aa13c311 |
trivy_0.69.4_Linux-64bit.deb |
a5696321a6c93071f46c8bb8cbd0a8d2bce6d1860cc3c109247a4e8b64ebd317 |
trivy_0.69.4_Linux-64bit.rpm |
385d498d18a3a7c67878ca7322716f9da25683eb1a4bf9e9592da0d5f2ab09f6 |
trivy_0.69.4_Linux-64bit.tar.gz |
8f0c7b92b251c61cbca2add06c676dd21fde8fbb2d0cd6616383fae29b21756a |
trivy_0.69.4_Linux-ARM.deb |
c5df9d1bc6275711b2884a9ed4aacfe4e10dbe3c8f6c79df59126fd0e6dcd83f |
trivy_0.69.4_Linux-ARM.rpm |
f7a9bbfec8add36c548add4d875848b8b57c21fabe236d115f1c49113d12b332 |
trivy_0.69.4_Linux-ARM.tar.gz |
9a833d68a49ec6d44bc50fb9ff3b184bafb0edc913e1293daebe51d334676a70 |
trivy_0.69.4_Linux-ARM64.deb |
451ce0c4deb620894d07a2f4a37c8ea3b7a4f9b6d111651b4ac3bcc737b0fac0 |
trivy_0.69.4_Linux-ARM64.rpm |
e401ae1e6d2442fa9a0c79dc0f3b0457ecfebf74a9c0a920159c49437f663aef |
trivy_0.69.4_Linux-ARM64.tar.gz |
284622577cf6a7c58704de60194205f765fcef432934c200b462ef0290aa5f57 |
trivy_0.69.4_Linux-PPC64LE.deb |
5fac89e66d70cadec5c0e30c0b0cf8bf38c145cbf06422d40d076985195e1dd6 |
trivy_0.69.4_Linux-PPC64LE.rpm |
52518d441fd6dd25fa5126683a330592d3be80d5ce3fb9e0b1becb806ff4f857 |
trivy_0.69.4_Linux-PPC64LE.tar.gz |
62585efcdc7767f3fe0b9ae2897fe03bf331934492fd7a5da46f14fd7bf705c8 |
trivy_0.69.4_Linux-s390x.deb |
107be2081bdc3ddad2889ae037ab2ad6bbd214fb9a43eaa25390d00411d1c7dd |
trivy_0.69.4_Linux-s390x.rpm |
16c855c398a8b185a907790054b70164358844a893bf9965651b88d6967c7c0a |
trivy_0.69.4_Linux-s390x.tar.gz |
90d61cf37355b89fae9ff84867100e1721c1876007ef1771e465ce5a721141ad |
trivy_0.69.4_macOS-64bit.tar.gz |
1dc871b02cd7a1fd80babb1b8762a2fd9cc2b735d4d3759d012626de3ccc7a5b |
trivy_0.69.4_macOS-ARM64.tar.gz |
0376b98064636c30f5fbe60fb3b1225516e23e88dd7e909937f81d9265292e7d |
trivy_0.69.4_windows_64bit.zip |
822dd269ec10459572dfaaefe163dae693c344249a0161953f0d5cdd110bd2a0 |
trivy_0.69.4_linux_amd64 |
e64e152afe2c722d750f10259626f357cdea40420c5eedae37969fbf13abbecf |
trivy_0.69.4_linux_arm64 |
d5edd791021b966fb6af0ace09319ace7b97d6642363ef27b3d5056ca654a94c |
trivy_0.69.4_s390x |
ecce7ae5ffc9f57bb70efd3ea136a2923f701334a8cd47d4fbf01a97fd22859c |
trivy_0.69.4_ppc64le |
Container images (v0.69.4)
| Digest | Tag |
|---|---|
sha256:27f446230c60bbf0b70e008db798bd4f33b7826f9f76f756606f5417100beef3 |
0.69.4 |
sha256:12c702212dee1cbec9471e9261501a3335963321fe76e60e5a715b5acd3c40a2 |
0.69.4-linux/amd64 |
sha256:2d7cee41048988eec27615412e7c6e2e21046f2b5faa888c24e11ca6764058ed |
0.69.4-linux/arm64 |
sha256:ae3494bd6ae860d7727116681bd09fc7b20dc994ec7a8105738f0a623ea93427 |
0.69.4-linux/ppc64le |
sha256:43f46547efd488e56dcf862ed4d7cc342730a803f8d5bec5cac443028fefabef |
0.69.4- linux/s390x |
sha256:cc464a3961e1dbe145c75343b55c2f446e08b821782ec993728c4222b0d85589 |
0.69.4-signature |
sha256:5aaa1d7cfa9ca4649d6ffad165435c519dc836fa6e21b729a2174ad10b057d2b |
0.69.5 |
sha256:95ff680103570179feb0c6667a9b9b2d98c53fa5a9a451265036810390bbe70a |
0.69.5-linux/arm64 |
sha256:4f7a06bb51714713ab308d2f8125f3b09ee1c3ffbba1a5ffd0cc80da95fbb6cc |
0.69.5-linux/ppc64le |
sha256:edef8e5816eced552a909b878ff262c0c47776d3297bcc23796ad4cce1e85414 |
0.69.5-linux/s390x |
sha256:425cd3e1a2846ac73944e891250377d2b03653e6f028833e30fc00c1abbc6d33 |
0.69.6 |
sha256:dd8beb3b40df080b3fd7f9a0f5a1b02f3692f65c68980f46da8328ce8bb788ef |
0.69.6-linux/amd64 |
sha256:4b22cedea58780ff76735c3e08b9ee8cb5d06c908ffa868152f11d45349eb696 |
0.69.6-linux/arm64 |
sha256:9efd59534d2b6b81b8b7a0eeb3ad0e74015f358650e24b9dab00c900d3118593 |
0.69.6-linux/ppc64le |
sha256:5e5fb53cf4ce5555171ff5206302ba2f4f66f5381bbf673c354c87a925473f07 |
0.69.6-linux/s390x |
Network
C2/sinks:
- scan.aquasecurtiy.org
- 45.148.10.212
GitHub Repositories
Public repo on victim's GitHub account with tpcp-docs- prefix.
Stolen data uploaded as a release asset with tag data-<timestamp>.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/aquasecurity/trivy"
},
"versions": [
"0.69.4"
]
},
{
"package": {
"ecosystem": "GitHub Actions",
"name": "aquasecurity/trivy-action"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.35.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "GitHub Actions",
"name": "aquasecurity/setup-trivy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33634"
],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-24T17:53:12Z",
"nvd_published_at": "2026-03-23T22:16:31Z",
"severity": "CRITICAL"
},
"details": "## Summary\n\nOn March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits.\nOn March 22, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.5 and v0.69.6 DockerHub images.\n\n## Exposure Window\n\n| Component | Start (UTC) | End (UTC) | Duration |\n| ------------- | ---------------------- | ----------------- | --------- |\n| trivy v0.69.4 | 2026-03-19 18:22 [^1] | 2026-03-19 ~21:42 | ~3 hours |\n| trivy-action | 2026-03-19 ~17:43 [^2] | 2026-03-20 ~05:40 | ~12 hours |\n| setup-trivy | 2026-03-19 ~17:43 [^2] | 2026-03-19 ~21:44 | ~4 hours |\n| dockerhub trivy images v0.69.5 and v0.69.6 | 2026-03-22 15:43 | 2026-03-23 ~01:40 | ~10 hours |\n\n[^1]: Time when v0.69.4 release artifacts became publicly available. The malicious tag was pushed at ~17:43 UTC, triggering the release pipeline.\n[^2]: Earliest suspicious activity observed in our audit log.\n## Affected Components\n\nNote that all malicious components, artifacts, commits, etc have been removed from all sources and destinations (yet they may linger in intermediary caches). Use this information to understand if you have been exposed to the malicious artifacts during the exposure window.\n\n### `trivy` binary and image\n\nYou are affected if you used:\n1. trivy binaries version v0.69.4 (or latest during the exposure window) distributed via GitHub, Deb, RPM.\n2. trivy container images v0.69.4 (or latest during the exposure window) distributed via GHCR, ECR public, Docker Hub.\n3. trivy container images v0.69.5 and v0.69.6 (or latest during the exposure window) distributed via Docker Hub.\n\nYou are not affected if you used:\n1. trivy (binary or image) version v0.69.3 or earlier.\n\t1. v0.69.3 is protected by GitHub\u0027s [immutable releases](https://docs.github.com/en/repositories/releasing-projects-on-github/managing-releases-in-a-repository#creating-a-release) feature (enabled March 3, before v0.69.3 was published).\n\t2. v0.69.2 predates immutable releases enablement but integrity can be verified via sigstore signatures (see \"How to Verify\" section below).\n2. trivy images referenced by digest.\n4. trivy binaries built from source.\n\t1. The malicious code was not committed to Trivy\u0027s main branch. It was fetched and built on the ephemeral runner, and also committed to a v0.70.0 branch but no release or git tag was ever pushed.\n5. homebrew from official formula (`brew install trivy`)\n\t1. The [official homebrew formula](https://github.com/Homebrew/homebrew-core/blob/785817ba05ed32eef15490bb105f67bd973aa7c2/Formula/t/trivy.rb) is building trivy directly from source.\n\t2. There\u0027s an additional custom [trivy tap](https://github.com/aquasecurity/homebrew-trivy) which was compromised as part of the v0.69.4 release, but that tap requires special installation and is not even mentioned in the trivy documentation.\n\n### `aquasecurity/trivy-action` GitHub Action\n\nYou are affected if you used:\n1. Any tags prior except 0.35.0 (0.0.1 \u2013 0.34.2) to reference the action.\n2. the action\u0027s `version: latest` parameter explicitly (not the default) during the trivy binary exposure window.\n3. SHA pinning to a commit prior to 2025-04-09.\n\t1. trivy-action started pinning setup-go with pull request [trivy-action#456](https://github.com/aquasecurity/trivy-action/pull/456#event-17180670975). If you pinned trivy-action to a commit prior to that PR (merged 2025-04-09), then you would get a safe trivy-action but it would get a malicious setup-trivy, if invoked during the setup-trivy exposure window.\n\nYou are not affected if you used:\n1. 0.35.0 tag\n\t1. 0.35.0 is protected by GitHub\u0027s immutable releases feature (enabled March 4, before 0.35.0 was published) and was not affected by the tag hijacking attack.\n2. SHA pinning to a safe commit commit after 2025-04-09.\n\n### `aquasecurity/setup-trivy` GitHub Action\n\nYou are affected if you used:\n1. Any version without pinning.\n\nYou are not affected if you used:\n1. SHA pinning to a safe commit.\n\n## Attack Details\n\n### Root Cause\n\nThis incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have use a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack.\n### Trivy v0.69.4 binary and container images\n\nThe attacker created a malicious release by:\n1. Pushing a commit (`1885610c`) that swapped the `actions/checkout` reference to an imposter commit (`70379aad`) containing a composite action that downloaded malicious Go source files from a typosquatted domain\n2. Adding `--skip=validate` to goreleaser to bypass binary validation\n3. Tagging this commit as `v0.69.4`, triggering the release pipeline\n\nThe compromised release was distributed across Trivy\u0027s regular distribution channels channels: GHCR, ECR Public, Docker Hub (both `0.69.4` and `latest` tags), deb/rpm packages, and `get.trivy.dev`.\n\nThe attacker attempted to release a v0.70.0 malicious release but that was stopped prematurely.\n### trivy-action tag hijacking\n\nThe attacker force-pushed 76 of 77 version tags to malicious commits that injected an infostealer into `entrypoint.sh`. The malicious code executes before the legitimate Trivy scan and does the following:\n\n1. Dumps `Runner.Worker` process memory via `/proc/\u003cpid\u003e/mem` to extract secrets. Sweeps 50+ filesystem paths for SSH keys, AWS/GCP/Azure credentials, Kubernetes tokens, Docker configs, `.env` files, database credentials, and cryptocurrency wallets.\n2. Encrypts collected data using AES-256-CBC with RSA-4096 hybrid encryption.\n3. Transmits to attacker-controlled infrastructure. If exfiltration fails and `INPUT_GITHUB_PAT` is set, creates a public `tpcp-docs` repository on the victim\u0027s GitHub account and uploads stolen data as a release asset.\n\n### setup-trivy release replacement\n\nAll 7 existing tags (v0.2.0 \u2013 v0.2.6) were force-pushed to malicious commits. The malicious `action.yaml` contained the same infostealer as trivy-action, injected as a \"Setup environment\" step that executes before the legitimate Trivy installation. \nWe have removed all malicious releases within ~4 hours and re-created v0.2.6 with safe content. Tags v0.2.0 \u2013 v0.2.5 were not restored.\n\n### Trivy v0.69.5 and v0.69.6 docker image published.\nThe attacker created `aquasec/trivy:0.69.5` and `aquasec/trivy:0.69.6` with the same C2 domain as the `v0.69.4` payload, and pushed them directly to Docker Hub using separately-compromised Docker Hub credentials (not via GitHub). No corresponding GitHub tags or releases existed.\nWe have removed all tags related to `0.69.5` and `0.69.6` and restored the latest tag to the safe `0.69.3` tag.\n\n## Recommended Actions\n\n### Update to Known-Safe Versions\n\n| Component | Safe Version |\n| ------------ | ---------------- |\n| Trivy binary | v0.69.2, v0.69.3 |\n| trivy-action | v0.35.0 |\n| setup-trivy | v0.2.6 |\n\nRegarding trivy-action: The original tags (`0.0.1` \u2013 `0.34.2`) were deleted during remediation. Because the attacker\u0027s force-push caused these tags to be treated as immutable releases by GitHub, they cannot be re-created with the same names. New tags have been published with a `v` prefix (`v0.0.1` \u2013 `v0.34.2`) pointing to the original legitimate commits. Three tags: `v0.0.10`, `v0.34.1`, and `v0.34.2` have not yet been restored. If you need to reference a version older than 0.35.0, use the `v`-prefixed tag (e.g., `aquasecurity/trivy-action@v0.34.0` instead of `@0.34.0`). \n### Rotate All Potentially Exposed Secrets\n\nBased on information shared above, if there is any possibility that a compromised version ran in your environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately.\n### Audit Trivy Versions\nCheck whether your organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately.\n### Audit GitHub Action References\nReview all workflows using `aquasecurity/trivy-action` or `aquasecurity/setup-trivy`. Check workflow run logs from March 19\u201320, 2026 for signs of compromise.\n### Search for Exfiltration Artifacts\nLook for repositories named `tpcp-docs` in your GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen.\n### Pin GitHub Actions to Full SHA Hashes\nPin GitHub Actions to full, immutable commit SHA hashes, don\u0027t use mutable version tags. As described here: https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions\n## How to Verify Existing Installations\n\n### Binary verification\n\n```bash\n# Download binary and sigstore bundle\ncurl -sLO \"https://github.com/aquasecurity/trivy/releases/download/v0.69.2/trivy_0.69.2_Linux-64bit.tar.gz\"\ncurl -sLO \"https://github.com/aquasecurity/trivy/releases/download/v0.69.2/trivy_0.69.2_Linux-64bit.tar.gz.sigstore.json\"\n\n# Verify signature\n$ cosign verify-blob \\\n --certificate-identity-regexp \u0027https://github\\.com/aquasecurity/\u0027 \\\n --certificate-oidc-issuer \u0027https://token.actions.githubusercontent.com\u0027 \\\n --bundle trivy_0.69.2_Linux-64bit.tar.gz.sigstore.json \\\n trivy_0.69.2_Linux-64bit.tar.gz\nVerified OK\n\n# Check signing timestamp\n$ date -u -d @$(jq -r \u0027.verificationMaterial.tlogEntries[].integratedTime\u0027 trivy_0.69.2_Linux-64bit.tar.gz.sigstore.json)\nSat Mar 1 19:11:02 UTC 2026\n# \u2705 Signed on Mar 1, before the attack on Mar 19\n```\n\n### Container image verification\n\n```bash\n# Verify signature and get image digest\n$ cosign verify \\\n --certificate-identity-regexp \u0027https://github\\.com/aquasecurity/\u0027 \\\n --certificate-oidc-issuer \u0027https://token.actions.githubusercontent.com\u0027 \\\n --new-bundle-format \\\n ghcr.io/aquasecurity/trivy:0.69.2\nVerification for ghcr.io/aquasecurity/trivy:0.69.2 --\nThe following checks were performed on each of these signatures:\n - The cosign claims were validated\n - Existence of the claims in the transparency log was verified offline\n - The code-signing certificate was verified using trusted certificate authority certificates\n\n# Get digest and check all signing timestamps via Rekor\n$ DIGEST=$(cosign verify \\\n --certificate-identity-regexp \u0027https://github\\.com/aquasecurity/\u0027 \\\n --certificate-oidc-issuer \u0027https://token.actions.githubusercontent.com\u0027 \\\n --new-bundle-format -o json ghcr.io/aquasecurity/trivy:0.69.2 2\u003e/dev/null | \\\n jq -r \u0027.[0].critical.image.\"docker-manifest-digest\"\u0027)\n\n$ rekor-cli search --sha \"$DIGEST\" | grep -v \u0027Found\u0027 | while read uuid; do\n rekor-cli get --uuid \"$uuid\" | grep IntegratedTime\n done\nIntegratedTime: 2026-03-01T19:13:52Z\nIntegratedTime: 2026-03-01T19:13:47Z\nIntegratedTime: 2026-03-01T19:13:57Z\nIntegratedTime: 2026-03-01T19:13:54Z\nIntegratedTime: 2026-03-01T19:13:46Z\nIntegratedTime: 2026-03-01T19:13:37Z\n# \u2705 All signed on Mar 1, before the attack on Mar 19\n```\n\n\n## Indicators of Compromise\n\n### Executable binaries\n\n| SHA256 | Filename |\n| ------------------------------------------------------------------ | ----------------------------------- |\n| `c5b16c42dbd2a1494141cd651a406ec9094d5031a421c0aa624c4d139ae81239` | `trivy_0.69.4_FreeBSD_64bit.tar.gz` |\n| `cff74e3e9ac0cda2078d31800d8fcad832d7b52c9920b085054d1e96dacff8a3` | `trivy_0.69.4_Linux-32bit.deb` |\n| `55047c55a5ceab6d80b13884b4a4e8cd27a0bab7a218a952a00aae9e05f16f80` | `trivy_0.69.4_Linux-32bit.rpm` |\n| `ba04ba6a0c028cde17599c8ddaefdb854055c5a23c595e06630732002ea59a76` | `trivy_0.69.4_Linux-32bit.tar.gz` |\n| `0ca60dd18178d1c79d59cc06be12c540c121a4aea467484244667131aa13c311` | `trivy_0.69.4_Linux-64bit.deb` |\n| `a5696321a6c93071f46c8bb8cbd0a8d2bce6d1860cc3c109247a4e8b64ebd317` | `trivy_0.69.4_Linux-64bit.rpm` |\n| `385d498d18a3a7c67878ca7322716f9da25683eb1a4bf9e9592da0d5f2ab09f6` | `trivy_0.69.4_Linux-64bit.tar.gz` |\n| `8f0c7b92b251c61cbca2add06c676dd21fde8fbb2d0cd6616383fae29b21756a` | `trivy_0.69.4_Linux-ARM.deb` |\n| `c5df9d1bc6275711b2884a9ed4aacfe4e10dbe3c8f6c79df59126fd0e6dcd83f` | `trivy_0.69.4_Linux-ARM.rpm` |\n| `f7a9bbfec8add36c548add4d875848b8b57c21fabe236d115f1c49113d12b332` | `trivy_0.69.4_Linux-ARM.tar.gz` |\n| `9a833d68a49ec6d44bc50fb9ff3b184bafb0edc913e1293daebe51d334676a70` | `trivy_0.69.4_Linux-ARM64.deb` |\n| `451ce0c4deb620894d07a2f4a37c8ea3b7a4f9b6d111651b4ac3bcc737b0fac0` | `trivy_0.69.4_Linux-ARM64.rpm` |\n| `e401ae1e6d2442fa9a0c79dc0f3b0457ecfebf74a9c0a920159c49437f663aef` | `trivy_0.69.4_Linux-ARM64.tar.gz` |\n| `284622577cf6a7c58704de60194205f765fcef432934c200b462ef0290aa5f57` | `trivy_0.69.4_Linux-PPC64LE.deb` |\n| `5fac89e66d70cadec5c0e30c0b0cf8bf38c145cbf06422d40d076985195e1dd6` | `trivy_0.69.4_Linux-PPC64LE.rpm` |\n| `52518d441fd6dd25fa5126683a330592d3be80d5ce3fb9e0b1becb806ff4f857` | `trivy_0.69.4_Linux-PPC64LE.tar.gz` |\n| `62585efcdc7767f3fe0b9ae2897fe03bf331934492fd7a5da46f14fd7bf705c8` | `trivy_0.69.4_Linux-s390x.deb` |\n| `107be2081bdc3ddad2889ae037ab2ad6bbd214fb9a43eaa25390d00411d1c7dd` | `trivy_0.69.4_Linux-s390x.rpm` |\n| `16c855c398a8b185a907790054b70164358844a893bf9965651b88d6967c7c0a` | `trivy_0.69.4_Linux-s390x.tar.gz` |\n| `90d61cf37355b89fae9ff84867100e1721c1876007ef1771e465ce5a721141ad` | `trivy_0.69.4_macOS-64bit.tar.gz` |\n| `1dc871b02cd7a1fd80babb1b8762a2fd9cc2b735d4d3759d012626de3ccc7a5b` | `trivy_0.69.4_macOS-ARM64.tar.gz` |\n| `0376b98064636c30f5fbe60fb3b1225516e23e88dd7e909937f81d9265292e7d` | `trivy_0.69.4_windows_64bit.zip` |\n| `822dd269ec10459572dfaaefe163dae693c344249a0161953f0d5cdd110bd2a0` | `trivy_0.69.4_linux_amd64` |\n| `e64e152afe2c722d750f10259626f357cdea40420c5eedae37969fbf13abbecf` | `trivy_0.69.4_linux_arm64` |\n| `d5edd791021b966fb6af0ace09319ace7b97d6642363ef27b3d5056ca654a94c` | `trivy_0.69.4_s390x` |\n| `ecce7ae5ffc9f57bb70efd3ea136a2923f701334a8cd47d4fbf01a97fd22859c` | `trivy_0.69.4_ppc64le` |\n\n### Container images (v0.69.4)\n\n| Digest | Tag |\n| ------------------------------------------------------------------------- | ------------------------ |\n| `sha256:27f446230c60bbf0b70e008db798bd4f33b7826f9f76f756606f5417100beef3` | `0.69.4` |\n| `sha256:12c702212dee1cbec9471e9261501a3335963321fe76e60e5a715b5acd3c40a2` | `0.69.4-linux/amd64` |\n| `sha256:2d7cee41048988eec27615412e7c6e2e21046f2b5faa888c24e11ca6764058ed` | `0.69.4-linux/arm64` |\n| `sha256:ae3494bd6ae860d7727116681bd09fc7b20dc994ec7a8105738f0a623ea93427` | `0.69.4-linux/ppc64le` |\n| `sha256:43f46547efd488e56dcf862ed4d7cc342730a803f8d5bec5cac443028fefabef` | `0.69.4- linux/s390x` |\n| `sha256:cc464a3961e1dbe145c75343b55c2f446e08b821782ec993728c4222b0d85589` | `0.69.4-signature` |\n| `sha256:5aaa1d7cfa9ca4649d6ffad165435c519dc836fa6e21b729a2174ad10b057d2b` | `0.69.5` |\n| `sha256:95ff680103570179feb0c6667a9b9b2d98c53fa5a9a451265036810390bbe70a` | `0.69.5-linux/arm64`\u003cbr\u003e |\n| `sha256:4f7a06bb51714713ab308d2f8125f3b09ee1c3ffbba1a5ffd0cc80da95fbb6cc` | `0.69.5-linux/ppc64le` |\n| `sha256:edef8e5816eced552a909b878ff262c0c47776d3297bcc23796ad4cce1e85414` | `0.69.5-linux/s390x` |\n| `sha256:425cd3e1a2846ac73944e891250377d2b03653e6f028833e30fc00c1abbc6d33` | `0.69.6` |\n| `sha256:dd8beb3b40df080b3fd7f9a0f5a1b02f3692f65c68980f46da8328ce8bb788ef` | `0.69.6-linux/amd64` |\n| `sha256:4b22cedea58780ff76735c3e08b9ee8cb5d06c908ffa868152f11d45349eb696` | `0.69.6-linux/arm64` |\n| `sha256:9efd59534d2b6b81b8b7a0eeb3ad0e74015f358650e24b9dab00c900d3118593` | `0.69.6-linux/ppc64le` |\n| `sha256:5e5fb53cf4ce5555171ff5206302ba2f4f66f5381bbf673c354c87a925473f07` | `0.69.6-linux/s390x` |\n\n### Network\nC2/sinks:\n- `scan.aquasecurtiy.org`\n- `45.148.10.212`\n\n### GitHub Repositories\n\nPublic repo on victim\u0027s GitHub account with `tpcp-docs-` prefix.\nStolen data uploaded as a release asset with tag `data-\u003ctimestamp\u003e`.",
"id": "GHSA-69fq-xp46-6x23",
"modified": "2026-03-30T20:51:03Z",
"published": "2026-03-24T17:53:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23"
},
{
"type": "WEB",
"url": "https://github.com/team-telnyx/telnyx-python/security/advisories/GHSA-955r-262c-33jc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33634"
},
{
"type": "WEB",
"url": "https://github.com/BerriAI/litellm/issues/24518"
},
{
"type": "WEB",
"url": "https://github.com/BerriAI/litellm/issues/24518#issuecomment-4127436387"
},
{
"type": "WEB",
"url": "https://docs.litellm.ai/blog/security-update-march-2026"
},
{
"type": "WEB",
"url": "https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack"
},
{
"type": "PACKAGE",
"url": "https://github.com/aquasecurity/trivy"
},
{
"type": "WEB",
"url": "https://github.com/aquasecurity/trivy/discussions/10425"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/litellm/PYSEC-2026-2.yaml"
},
{
"type": "WEB",
"url": "https://inspector.pypi.io/project/litellm/1.82.7/packages/79/5f/b6998d42c6ccd32d36e12661f2734602e72a576d52a51f4245aef0b20b4d/litellm-1.82.7-py3-none-any.whl/litellm/proxy/proxy_server.py#line.130"
},
{
"type": "WEB",
"url": "https://inspector.pypi.io/project/litellm/1.82.8/packages/f6/2c/731b614e6cee0bca1e010a36fd381fba69ee836fe3cb6753ba23ef2b9601/litellm-1.82.8.tar.gz/litellm-1.82.8/litellm_init.pth#line.1"
},
{
"type": "WEB",
"url": "https://rosesecurity.dev/2026/03/20/typosquatting-trivy.html"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33634"
},
{
"type": "WEB",
"url": "https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise"
},
{
"type": "WEB",
"url": "https://www.wiz.io/blog/teampcp-attack-kics-github-action"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Trivy ecosystem supply chain was briefly compromised"
}
GHSA-69MF-2CW2-38M8
Vulnerability from github – Published: 2020-09-03 23:04 – Updated: 2021-09-30 17:13Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.
Recommendation
Remove the package from your environment. Ensure no Ethereum funds were compromised.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "js-shc3"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:53:49Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.\n\n\n## Recommendation\n\nRemove the package from your environment. Ensure no Ethereum funds were compromised.",
"id": "GHSA-69mf-2cw2-38m8",
"modified": "2021-09-30T17:13:22Z",
"published": "2020-09-03T23:04:40Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1286"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in js-shc3"
}
Mitigation
Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.
CAPEC-442: Infected Software
An adversary adds malicious logic, often in the form of a computer virus, to otherwise benign software. This logic is often hidden from the user of the software and works behind the scenes to achieve negative impacts. Many times, the malicious logic is inserted into empty space between legitimate code, and is then called when the software is executed. This pattern of attack focuses on software already fielded and used in operation as opposed to software that is still under development and part of the supply chain.
CAPEC-448: Embed Virus into DLL
An adversary tampers with a DLL and embeds a computer virus into gaps between legitimate machine instructions. These gaps may be the result of compiler optimizations that pad memory blocks for performance gains. The embedded virus then attempts to infect any machine which interfaces with the product, and possibly steal private data or eavesdrop.
CAPEC-636: Hiding Malicious Data or Code within Files
Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.