CISA KEV: Trivy Supply Chain Attack - Credential Theft
Summary
CISA has added a vulnerability to its Known Exploited Vulnerabilities (KEV) catalog related to a March 19, 2026, supply chain attack on Trivy. A threat actor used compromised credentials to publish malicious versions of Trivy and its GitHub Actions, impacting users who pulled affected artifacts.
What changed
CISA has identified and cataloged a critical supply chain attack impacting the Trivy security scanner and its associated GitHub Actions. On March 19, 2026, threat actors exploited compromised credentials to publish malicious versions of Trivy (v0.69.4) and inject malware into aquasecurity/trivy-action (versions 0.0.1 – 0.34.2) and aquasecurity/setup-trivy (versions 0.2.0 – 0.2.6). This incident is a continuation of a prior attack where credential rotation was not atomic, allowing continued access.
Organizations that have pulled or executed Trivy v0.69.4 or used affected versions of the GitHub Actions must immediately treat all secrets accessible to affected pipelines as exposed and rotate them. Review workflow run logs for signs of compromise, especially if version tags were used instead of commit SHAs. It is critical to pin GitHub Actions to immutable commit SHAs to prevent similar attacks. Any affected artifacts should be removed immediately, and repositories named tpcp-docs should be investigated as a potential indicator of successful exfiltration.
What to do next
- Treat all secrets accessible to affected pipelines as exposed and rotate them immediately if there is any possibility a compromised version ran in your environment.
- Check whether your organization pulled or executed Trivy v0.69.4 from any source and remove any affected artifacts.
- Review all workflows using `aquasecurity/trivy-action` or `aquasecurity/setup-trivy`, checking logs for signs of compromise if version tags were referenced.
- Pin GitHub Actions to full, immutable commit SHA hashes instead of using mutable version tags.
Source document (simplified)
Required CVE Record Information
CNA: GitHub (maintainer security advisories)
Description
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in aquasecurity/trivy-action to credential-stealing malware, and replace all 7 tags in aquasecurity/setup-trivy with malicious commits. This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have used a still-valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack. Affected components include the aquasecurity/trivy Go binary / container image version 0.69.4, the aquasecurity/trivy-action GitHub Action versions 0.0.1 – 0.34.2 (76/77 tags), and the aquasecurity/setup-trivy GitHub Action versions 0.2.0 – 0.2.6, prior to the recreation of 0.2.6 with a safe commit. Known safe versions include versions 0.69.2 and 0.69.3 of the Trivy binary, version 0.35.0 of trivy-action, and version 0.2.6 of setup-trivy. In addition, take the following steps to protect secrets. If there is any possibility that a compromised version ran in one's environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately. Check whether one's organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately. Review all workflows using aquasecurity/trivy-action or aquasecurity/setup-trivy. Those who referenced a version tag rather than a full commit SHA should check workflow run logs from March 19–20, 2026 for signs of compromise. Look for repositories named tpcp-docs in one's GitHub organization: the presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen. Pin GitHub Actions to full, immutable commit SHA hashes rather than mutable version tags.
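The "What to do next" list and the advisory description above both come down to one review task: find every workflow step that references `aquasecurity/trivy-action` or `aquasecurity/setup-trivy` by a mutable tag, decide whether that tag falls in the affected ranges (trivy-action 0.0.1 – 0.34.2, setup-trivy 0.2.0 – 0.2.6), and flag anything not pinned to a full commit SHA. The script below is an added example, not code from the advisory, CISA or the Trivy project; the workflow text it scans is constructed for illustration, and the risk labels (`ok`, `affected`, `check`, `mutable`) are this example's own vocabulary.

```python
import re
from typing import Optional

# Affected tag ranges as stated in the advisory. trivy-action tags 0.0.1-0.34.2
# were force-pushed to credential-stealing commits and setup-trivy tags
# 0.2.0-0.2.6 were replaced. 0.2.6 was later recreated with a safe commit, so a
# tag name alone cannot prove safety; only a full commit SHA is immutable.
AFFECTED_TAG_RANGES = {
    "aquasecurity/trivy-action": ((0, 0, 1), (0, 34, 2)),
    "aquasecurity/setup-trivy": ((0, 2, 0), (0, 2, 6)),
}

# Matches "uses: owner/repo[/path]@ref" inside a workflow step.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[^@\s]*)?@(\S+)", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_version(ref: str) -> Optional[tuple]:
    """Turn a tag like '0.28.0' or 'v0.2.3' into a comparable tuple, else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref)
    return tuple(int(x) for x in m.groups()) if m else None


def classify(action: str, ref: str) -> str:
    """Label one uses: reference as 'ok', 'affected', 'check' or 'mutable'."""
    if FULL_SHA_RE.match(ref):
        # Immutable. Whether that SHA is a known-good commit still has to be
        # confirmed against the upstream repository, which this script cannot
        # do offline.
        return "ok"
    if action in AFFECTED_TAG_RANGES:
        lo, hi = AFFECTED_TAG_RANGES[action]
        ver = parse_version(ref)
        if ver is not None and lo <= ver <= hi:
            return "affected"
        # Any non-SHA reference to these two actions (a tag outside the stated
        # range, a branch name, a short tag) is still mutable; the advisory asks
        # for the March 19-20 run logs of such workflows to be reviewed.
        return "check"
    # Any tag or branch can be moved by whoever controls the repository.
    return "mutable"


def audit_workflow(text: str) -> list[dict]:
    """Scan one workflow file's text and report every remote action reference."""
    return [
        {"action": m.group(1), "ref": m.group(2), "risk": classify(m.group(1), m.group(2))}
        for m in USES_RE.finditer(text)
    ]


# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.3
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - uses: aquasecurity/trivy-action@0.35.0
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{f['risk']:<9} {f['action']}@{f['ref']}")
```

Run it over every file under `.github/workflows/` in each repository. An `affected` finding means the secrets reachable from that workflow should be treated as exposed and rotated; a `check` finding means the run logs from the incident window need a look; `ok` only says the reference is immutable, so the SHA still has to be compared against the commits of the known safe releases listed in the advisory.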
CWE
- CWE-506: Embedded Malicious Code
CVSS
| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 9.4 | CRITICAL | 4.0 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
Product Status
| Default Status | Status | Versions |
| --- | --- | --- |
| unknown | affected | < 0.2.6 |
| unknown | affected | < 0.35.0 |
| unknown | affected | = 0.69.4 |
| unknown | affected | >= 1.82.7, <= 1.82.8 |
References
- github.com: https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23
- github.com: https://github.com/BerriAI/litellm/issues/24518
- docs.litellm.ai: https://docs.litellm.ai/blog/security-update-march-2026
- futuresearch.ai: https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack
- github.com: https://github.com/aquasecurity/trivy/discussions/10425
- github.com: https://github.com/pypa/advisory-database/tree/main/vulns/litellm/PYSEC-2026-2.yaml
- inspector.pypi.io: https://inspector.pypi.io/project/litellm/1.82.7/packages/79/5f/b6998d42c6ccd32d36e12661f2734602e72a576d52a51f4245aef0b20b4d/litellm-1.82.7-py3-none-any.whl/litellm/proxy/proxy_server.py#line.130
- inspector.pypi.io: https://inspector.pypi.io/project/litellm/1.82.8/packages/f6/2c/731b614e6cee0bca1e010a36fd381fba69ee836fe3cb6753ba23ef2b9601/litellm-1.82.8.tar.gz/litellm-1.82.8/litellm_init.pth#line.1
- wiz.io: https://www.wiz.io/blog/teampcp-attack-kics-github-action
Authorized Data Publishers
- CISA-ADP (updated 2026-03-27): SSVC and KEV, plus CVSS and CWE if not provided by the CNA.
SSVC
| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | no | total | 2.0.3 | 2026-03-24 |
KEV
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33634 (2026-03-26)