Trivy Supply Chain Attack Triggers Self-Propagating CI/CD Compromise
Key Points:
- A new Trivy supply chain attack compromised GitHub Action tags, allowing attackers to harvest credentials and execute malicious code across downstream CI/CD pipelines.
- The attack chained credential theft into propagation, using stolen tokens to impersonate developers and spread malicious packages through normal build and package installation workflows.
- IANS Faculty warn this reflects a broader shift toward self-propagating supply chain attacks, where identity compromise and automation allow threats to spread rapidly and persist across modern development environments.
Trivy Supply Chain Attack
A supply chain attack targeting Trivy -- an open-source vulnerability scanner maintained by Aqua Security -- has triggered a cascading compromise across CI/CD environments.
Between March 19-21, attackers used a compromised credential to force-push malicious code to Trivy GitHub Action tags and related pipeline integrations. Those compromised artifacts moved through trusted channels and executed inside downstream pipelines. During that period, CI/CD runners exposed credentials, tokens, and other secrets as the malicious code harvested and exfiltrated sensitive data.
Once executed, the malware used package installation workflows and CI/CD automation to spread. Using stolen tokens, attackers were able to impersonate legitimate publishers and push malicious packages, allowing the campaign to move across repositories and pipelines without direct attacker involvement. This effectively turned normal development activity into a propagation mechanism.
"Adversaries picked up on the fact that security capabilities have a lot of access in environments, which means that they're now pretty heavy targets." Shannon Lietz, IANS Faculty
Big Picture
Threat actors are leveling up their supply chain attacks. By combining a trusted security tool compromise with worm-like propagation and token hijacking, attackers turned trusted CI/CD workflows and package ecosystems into an easy channel for distributing malware.
"The adversaries are clearly evolving. This is such a classic example of what's old is new, but in a completely different form." Dave Shackleford, IANS Faculty
In this case, attackers didn't just compromise code; they compromised identity. By stealing npm publishing tokens, they could act as legitimate developers and push malicious packages outward, accelerating spread and increasing blast radius.
"This is the tip of the iceberg. I think this stuff is likely all over the place right now and this is a whole different model of supply chain compromise. This is fundamentally tied to a security-oriented package - something people are using to ostensibly help improve security." Dave Shackleford, IANS Faculty
"Worms are back... with JavaScript in the house at this point, you might want to start thinking about what that's going to mean in your environment." Shannon Lietz, IANS Faculty
Taken together, the incident highlights a durable shift in adversary behavior. Supply‑chain attacks are becoming faster, more automated, and more identity‑driven -- and security tooling itself is increasingly part of the attack surface. For defenders, this raises uncomfortable questions about how much trust is embedded in build pipelines, package managers, and developer credentials, and how quickly that trust can be abused.
Unfortunately, there is little to suggest this approach will remain a one‑off. As attackers continue to refine these techniques, organizations should expect to see more supply‑chain compromises that spread quietly, move quickly, and exploit the same systems teams rely on to build and secure software.
IANS Faculty Recommendations
- Rotate exposed credentials immediately: Treat all secrets accessible to CI/CD runners executing Trivy between March 19–21 as compromised. Rotate cloud credentials, API tokens, SSH keys, and service account secrets without delay.
- Pin dependencies to immutable SHAs: Lock Trivy and GitHub Actions to verified commit SHA hashes. Avoid version tags that can be silently altered.
- Hunt for propagation artifacts: Inspect package.json files and pipeline scripts for unauthorized changes or post-install execution paths linked to worm behavior.
- Reduce token exposure: Eliminate long-lived npm and CI tokens. Assume token compromise enables attacker impersonation and downstream spread.
- Isolate developer environments: Move high-risk development activities, including AI-assisted coding, into VMs or isolated environments to limit infection paths.
- Expand supply chain monitoring: Continuously track dependencies, including transitive packages and pipeline-integrated tools. Prepare for rapid identification of malicious propagation patterns.
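The pinning and artifact-hunting recommendations above can be checked mechanically. The following Python audit is an added example, not code from IANS or Aqua Security: it flags workflow `uses:` references that are not pinned to a full 40-character commit SHA and lists install-time lifecycle scripts in a package.json. The action name `example-org/scanner-action`, the SHA and both sample files are constructed for illustration.

```python
import json
import re

# A workflow step reference such as "uses: owner/repo/path@ref".
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# npm lifecycle scripts that can run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed sample inputs (hypothetical action name and placeholder SHA).
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - name: Scan
    uses: example-org/scanner-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
  - uses: example-org/scanner-action@main
  - uses: ./local-action
"""
SAMPLE_PACKAGE_JSON = '{"name": "demo", "scripts": {"test": "jest", "postinstall": "node setup.js"}}'


def unpinned_actions(workflow_text):
    """Return (line_no, reference) for each `uses:` not pinned to a full commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        # Skipped here: local actions and docker:// images are not git refs.
        if ref.startswith(("./", "docker://")):
            continue
        version = ref.partition("@")[2]
        if not FULL_SHA_RE.match(version):
            findings.append((line_no, ref))
    return findings


def install_hooks(package_json_text):
    """Return the install-time lifecycle scripts declared in a package.json."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


if __name__ == "__main__":
    print(unpinned_actions(SAMPLE_WORKFLOW))
    print(install_hooks(SAMPLE_PACKAGE_JSON))
```

A lifecycle script is not malicious in itself; the value of the listing is in comparing it against the last known-good revision of each package.json.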
Authors & Contributors
Hayley Starshak - Author
Dave Shackleford, IANS Faculty
Shannon Lietz, IANS Faculty