Hackers compromised virtually every version of Aqua Security's Trivy vulnerability scanner in a supply chain attack that began Thursday, forcing malicious code into 75 of the tool's GitHub action tags. The attackers used stolen credentials to force-push compromised versions that silently exfiltrate GitHub tokens, cloud credentials, SSH keys, and Kubernetes secrets from any CI/CD pipeline running the scanner. Only version @0.35.0 remains unaffected, while popular tags like @0.34.2, @0.33, and @0.18.0 are all compromised.

This hits AI development particularly hard: Trivy's 33,200 GitHub stars reflect its widespread adoption, including in ML pipelines where teams scan container images and code for vulnerabilities before deployment. Every AI team using automated scanning, which is most production teams, potentially had its secrets harvested, encrypted, and sent to attacker-controlled servers. The malware runs in parallel with legitimate Trivy operations, making detection nearly impossible during normal pipeline execution.

Socket and Wiz's analysis reveals the attack's sophistication: the malware adapts its behavior based on environment, writing Python droppers for persistence on developer machines and using multiple exfiltration methods including a backup that creates fake GitHub repositories when primary channels fail. The compromise traces back to a separate attack on Aqua's VS Code extension last month, suggesting coordinated targeting of the security toolchain that AI developers rely on.

If you're running AI infrastructure, assume your secrets are compromised and rotate everything immediately. Check your pipeline logs for any Trivy scans since Thursday and audit what credentials those environments had access to. This attack demonstrates how supply chain compromises can silently harvest the exact secrets that protect your AI models and training data—making it potentially more damaging than typical malware that just disrupts operations.
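
As a starting point for that audit, the following added example (not code from Aqua, Socket, or Wiz) scans workflow YAML text for Trivy action references and triages each one by how it is pinned. It assumes the action is referenced as `aquasecurity/trivy-action`, which this article does not name, and the sample workflow is constructed.

```python
import re

# Assumption: the affected action is referenced as aquasecurity/trivy-action;
# the article does not name the repository, so adjust ACTION if yours differs.
ACTION = "aquasecurity/trivy-action"
UNAFFECTED_TAG = "0.35.0"  # the only tag the article reports as unaffected
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?" + re.escape(ACTION) + r"@([^\s'\"#]+)",
    re.IGNORECASE,  # GitHub treats owner/repo names case-insensitively
)
SHA_RE = re.compile(r"[0-9a-f]{40}")

def classify(ref):
    """Map an action ref to a triage status."""
    if SHA_RE.fullmatch(ref.lower()):
        # A full commit SHA is not moved by a tag force-push.
        return "sha-pinned"
    if ref == UNAFFECTED_TAG:
        return "unaffected-tag"
    # Any other tag or branch is a mutable ref: treat its secrets as exposed.
    return "treat-as-exposed"

def audit_workflow(text):
    """Return (line_number, ref, status) for each Trivy action reference."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)  # commented-out steps do not match
        if match:
            ref = match.group(1)
            findings.append((number, ref, classify(ref)))
    return findings

# Constructed sample workflow, not taken from any real repository.
SAMPLE = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.34.2
      - uses: aquasecurity/trivy-action@0.35.0
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      # - uses: aquasecurity/trivy-action@0.18.0
      - uses: aquasecurity/trivy-action@master
"""

if __name__ == "__main__":
    for number, ref, status in audit_workflow(SAMPLE):
        print(f"line {number}: {ref} -> {status}")
```

Run it over every file under `.github/workflows/`; any `treat-as-exposed` hit marks a pipeline whose credentials belong on the rotation list.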