Priya Menon Supply chain security reporter · Updated May 18, 2026, 11:06 AM EDT
CVE-2026-33634 turned trusted Trivy releases and GitHub Actions into credential-stealing malware inside CI/CD pipelines and developer environments.
A trusted vulnerability scanner became the attack path in CVE-2026-33634, a high-impact Trivy vulnerability that turned parts of Aqua Security’s open-source Trivy ecosystem into credential-stealing malware inside CI/CD pipelines and developer environments.
The incident, centered on malicious Trivy releases and poisoned GitHub Actions on March 19, 2026, shows why CI/CD security now depends not only on scanning application code, but also on proving the integrity of the tools doing the scanning. The flaw has been classified as CWE-506: Embedded Malicious Code, with a CVSS 8.8 High severity rating.
This was not a conventional scanner bug. It was a supply chain attack against trusted developer tooling. Attackers used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in aquasecurity/trivy-action to credential-stealing commits, and replace all 7 tags in aquasecurity/setup-trivy with malicious commits. On March 22, malicious Docker Hub images tagged 0.69.5 and 0.69.6 were also published before being removed.
The danger was simple and severe: Trivy often runs inside automated build and deployment workflows, where secrets are concentrated. A compromised scanner can reach cloud credentials, GitHub tokens, SSH keys, Kubernetes tokens, Docker configuration files, database passwords, TLS keys, package publishing tokens and sensitive in-memory configuration.
B
CI/CD workflows run trusted-looking scanner
Malware executes before legitimate scan
Secrets harvested from env vars, memory and files
Encrypted archive created
Exfiltration to attacker infrastructure
Normal Trivy scan continues
Compromised credentials] --> B[Poisoned Trivy release and GitHub Action tags
The exposure windows were short but consequential. The malicious Trivy v0.69.4 release was available for roughly three hours on March 19, from about 18:22 UTC to 21:42 UTC. The compromised trivy-action tags were exposed for about 12 hours, from roughly 17:43 UTC on March 19 to 05:40 UTC on March 20. The setup-trivy compromise lasted about four hours, while the later malicious Docker Hub images were exposed for about 10 hours from March 22 into March 23.
In ordinary application security, a vulnerable component may expose one application or service. Developer tools can expose the factory. Build pipelines frequently hold privileged credentials for source repositories, container registries, cloud accounts, package registries and deployment systems. That makes a compromised CI/CD scanner more dangerous than many production bugs: it may not need to exploit production directly if it can steal the credentials that build, publish and deploy production.
The attack also exploited a familiar weakness in software delivery: mutable tags. Many workflows reference third-party GitHub Actions by version tag, such as @0.34.0, rather than by a full commit SHA. When attackers force-pushed trusted tags to malicious commits, downstream workflows could run attacker-controlled code without any visible change to the workflow file.
The malicious action payload executed before the legitimate Trivy scan logic, then allowed the scan to continue. That meant CI jobs could appear successful while secrets were collected in the background. The malware inspected runner processes, searched environment variables and swept more than 50 filesystem locations for sensitive material, including AWS, Google Cloud and Azure credentials, Kubernetes secrets, SSH keys, Docker configs, .env files, database credentials, shell histories, TLS private keys and VPN configurations.
The stolen data was bundled into an encrypted archive named tpcp.tar.gz and sent to attacker-controlled infrastructure. One exfiltration path used the typosquatted domain scan.aquasecurtiy[.]org. If that failed and a suitable personal access token was available, the malware could create a public GitHub repository named tpcp-docs in the victim’s account and upload the stolen material there.
Component
Affected versions or condition
Known safe version
Trivy binary/container
v0.69.4; Docker Hub images 0.69.5 and 0.69.6
v0.69.2, v0.69.3
aquasecurity/trivy-action
0.0.1 through 0.34.2 affected by poisoned tags
v0.35.0
aquasecurity/setup-trivy
0.2.0 through 0.2.6 before safe recreation
Recreated safe v0.2.6
The U.S. cybersecurity agency added CVE-2026-33634 to its Known Exploited Vulnerabilities catalog on March 26, 2026, under the name “Aquasecurity Trivy Embedded Malicious Code Vulnerability.” Federal civilian agencies were given a remediation deadline of April 9, 2026. The catalog entry warned that the flaw could allow access to “everything in the CI/CD environment,” including tokens, SSH keys, cloud credentials, database passwords and sensitive configuration in memory.
That KEV listing matters because it places the issue in the category of known exploited vulnerabilities, not theoretical risk. It also widens the lesson beyond Trivy: security tools, scanners, build actions and package managers are now frontline supply chain targets.
For CI/CD operators, the response should start with exposure assessment. Teams should search workflow history for aquasecurity/trivy-action and aquasecurity/setup-trivy runs during the March 19–20 windows, especially where workflows referenced version tags instead of pinned commit SHAs. They should also check whether any runner, developer workstation, container cache or internal mirror pulled or executed Trivy v0.69.4, or Docker Hub images tagged 0.69.5 or 0.69.6.
Any organization that may have run a compromised component should treat accessible secrets as exposed. That means rotating cloud keys, GitHub tokens, personal access tokens, SSH keys, Kubernetes tokens, container registry credentials, package publishing tokens, database credentials, TLS private keys, VPN credentials and environment secrets. Teams should also hunt for outbound traffic to known attacker infrastructure and search GitHub organizations for unexpected repositories named tpcp-docs or similar variants.
On developer machines where the malicious Trivy binary may have run outside GitHub Actions, operators should inspect for persistence artifacts such as:
~/.config/systemd/user/sysmon.py
Longer term, the defensive lesson is clear. CI/CD systems should pin third-party actions to full commit SHAs, restrict which external actions can run, use least-privilege tokens, avoid injecting broad secrets into environment variables, prefer short-lived cloud credentials, and run builds on ephemeral or freshly cleaned runners. Build, scan, sign, publish and deploy permissions should be separated so that a compromised scanner cannot inherit full release authority.
Aqua has said there is no indication its commercial products were affected, citing architectural isolation from the compromised open-source GitHub environment. The affected scope centered on open-source Trivy components and related distribution paths.
The broader impact of CVE-2026-33634 is its warning to every engineering organization: a security control is still software, and software in the build pipeline is part of the production attack surface. In modern software delivery, a trusted scanner can become a credential theft engine if its release chain is compromised. For defenders, the priority is no longer just scanning for vulnerabilities. It is securing the scanners, actions, tokens and automation that decide what reaches production.
