Trivy Security Scanner Hit by Major Supply-Chain Attack
Attackers used stolen credentials to force-push malicious code behind nearly every release tag of the trivy-action and setup-trivy GitHub Actions that wrap the widely used Trivy vulnerability scanner, potentially compromising CI/CD pipelines at thousands of organizations and prompting an emergency credential-rotation response.
Key Takeaways
- Stolen credentials let the attackers force-push malicious code behind nearly all trivy-action and setup-trivy release tags
- A force-push rewrites the commit a tag points to without changing the tag name, so a workflow that references the tag silently picks up the malicious commit with no visible change on the developer's side
- A compromised action runs with every secret the calling workflow exposes to it, which can include production deployment credentials
- Experts recommend pinning Actions to a full commit SHA, which cannot be moved, rather than to a mutable tag name
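As an added example that is not part of the article and not code from the Trivy project: a POSIX shell check that lists every `uses:` reference in a GitHub Actions workflow file that is not pinned to a full 40-hex-character commit SHA. It flags tag and branch references (which a force-push can redirect) and skips local (`./`) and `docker://` references. The workflow content, action versions and SHA used when exercising it are constructed placeholders, not references to real pinned releases.

```shell
#!/bin/sh
# Added example: flag GitHub Actions `uses:` references that are not pinned
# to a full commit SHA. Tags and branches are mutable (a force-push can move
# them to a different commit); a 40-hex SHA is not.

# Return 0 if the ref after the last '@' is a full 40-character lowercase hex SHA.
is_sha_pinned() {
    printf '%s' "${1##*@}" | grep -Eq '^[0-9a-f]{40}$'
}

# Print, one per line, every `uses:` reference in FILE that is not SHA-pinned.
# Handles step-level ("- uses: ...") and job-level ("uses: ...", reusable
# workflows) references, strips surrounding quotes and trailing "# vX" comments.
# Local actions (./path) and docker:// images are skipped: they are not
# resolved through a mutable git tag.
find_unpinned_uses() {
    file="$1"
    grep -E '^[[:space:]-]*uses:[[:space:]]*' "$file" \
    | sed -E "s/^[[:space:]-]*uses:[[:space:]]*//; s/[[:space:]]*#.*$//; s/^[\"']//; s/[\"']$//" \
    | while IFS= read -r ref; do
        case "$ref" in
            ./*|docker://*) continue ;;
        esac
        if ! is_sha_pinned "$ref"; then
            printf '%s\n' "$ref"
        fi
    done
}

# Usage: sh check_pins.sh .github/workflows/*.yml
# Prints "<file>: <unpinned ref>" for each offending line; nothing if all pinned.
for f in "$@"; do
    find_unpinned_uses "$f" | sed "s|^|$f: |"
done
```

Once a reference is found, the pinned form is `owner/repo@<full-sha> # vX.Y.Z`, keeping the tag in a trailing comment for readability; the check above treats that comment as informational and only trusts the SHA.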
DT Editorial AI, via arstechnica.com