Aqua Security Trivy Supply Chain Attack

AI relevance: Trivy is a critical security scanning tool used in AI/ML pipelines to detect vulnerabilities in container images, dependencies, and infrastructure-as-code, making this supply chain compromise directly relevant to AI deployment security.

  • Threat actors TeamPCP/DeadCatx3 compromised the Trivy vulnerability scanner repository
  • Attackers injected infostealer malware into official releases and GitHub Actions
  • 75 of 76 version tags in aquasecurity/trivy-action repository were compromised
  • Malware scans for credentials (SSH keys, cloud tokens, database configs, crypto wallets)
  • Data exfiltrated to typosquatted C2 server (scan.aquasecurtiy[.]org)
  • Establishes persistence by installing Python payloads as systemd units on infected systems
  • Compromised version: Trivy v0.69.4

Why it matters

Trivy is widely deployed in AI/ML security pipelines to scan container images, dependencies, and infrastructure configurations. A compromised vulnerability scanner inverts its purpose: the tool meant to secure AI deployments becomes the attack vector, and it runs exactly where the most valuable secrets live, on CI runners and build hosts that hold cloud tokens, SSH keys, and database credentials. Teams that treat automated scanning as a trusted CI/CD gate rarely question the scanner itself, which is what makes this foothold so dangerous.

What to do

  • Check your Trivy version and action references: verify whether you run v0.69.4, and treat any workflow that references aquasecurity/trivy-action by tag or branch as suspect, since 75 of 76 tags were repointed; pin the action to a full commit SHA you have reviewed
  • Rotate all credentials: assume every secret reachable from a host or runner that executed the compromised scanner (SSH keys, cloud tokens, database configs, crypto wallets) has been stolen
  • Audit your pipelines: review CI/CD and runner logs for Trivy runs that made unexpected outbound connections, spawned Python processes, or created systemd units
  • Use alternative scanners: temporarily switch to Grype, Snyk, or another vulnerability scanner, and apply the same pinning and checksum discipline to the replacement
  • Monitor network traffic: look for DNS queries or connections to scan.aquasecurtiy[.]org (a typosquat of aquasecurity.org) and for any other unusual outbound traffic from scan hosts
  • Verify checksums: compare the SHA-256 of downloaded binaries against the checksum file for the official release; note that a checksum file published alongside a tampered release will match the tampered binary, so take the expected value from a copy you trust rather than only from the same release page
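The checks above can be scripted. The following is an added example written for this brief, not code from Aqua Security or from the page; it assumes only what the summary states (compromised release v0.69.4, C2 domain scan.aquasecurtiy.org as a typosquat of aquasecurity.org), assumes that `trivy --version` prints a line of the form `Version: X.Y.Z`, and assumes that the release checksum file uses the common `<sha256>  <filename>` layout. The workflow, log lines, placeholder commit SHA and checksum file are constructed sample data. It goes slightly beyond the bullets by flagging any aquasecurity look-alike host, not just the one reported domain.

```python
"""Pipeline audit for the Trivy compromise described in this brief.

Added example, not code from Aqua Security or from this page. Assumptions,
taken from the summary above: the compromised release is v0.69.4 and the
C2 domain is scan.aquasecurtiy.org (typosquat of aquasecurity.org). The
workflow, log lines and checksum file below are constructed sample data.
"""
import hashlib
import re

COMPROMISED_VERSIONS = {"0.69.4"}          # from the summary above
LEGIT_DOMAIN = "aquasecurity.org"
C2_DOMAIN = "scan.aquasecurtiy.org"        # typosquat reported in the summary
TRIVY_ACTION = "aquasecurity/trivy-action"

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"uses:\s*([\w.-]+/[\w.-]+)@(\S+)")
HOST = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
VERSION = re.compile(r"Version:\s*v?(\d+\.\d+\.\d+)")  # assumed `trivy --version` layout


def version_is_compromised(version_output: str) -> bool:
    """Check the text of `trivy --version` against the listed bad release."""
    m = VERSION.search(version_output)
    return bool(m) and m.group(1) in COMPROMISED_VERSIONS


def unpinned_trivy_actions(workflow_yaml: str) -> list:
    """Return (action, ref) for every trivy-action step not pinned to a full
    commit SHA. Tags and branches are mutable: the 75 repointed tags are
    exactly the references a tag-pinned workflow would have followed."""
    return [(a, r) for a, r in USES.findall(workflow_yaml)
            if a.lower() == TRIVY_ACTION and not FULL_SHA.match(r)]


def suspicious_hosts(log_lines) -> list:
    """Return (line, host) for hosts that are the C2 domain or any other
    aquasecurity look-alike that is not the legitimate domain. Defanged
    "[.]" is normalised so IOC lists can be fed straight in."""
    hits = []
    for line in log_lines:
        for host in HOST.findall(line.replace("[.]", ".")):
            h = host.lower()
            if h == LEGIT_DOMAIN or h.endswith("." + LEGIT_DOMAIN):
                continue
            if h == C2_DOMAIN or "aquasecur" in h:
                hits.append((line, h))
    return hits


def verify_sha256(data: bytes, checksums_txt: str, filename: str) -> bool:
    """Verify `data` against a '<sha256>  <filename>' checksum file.
    Caveat: a checksum file published with a compromised release matches the
    compromised binary; take the expected value from a copy you trust."""
    digest = hashlib.sha256(data).hexdigest()
    for line in checksums_txt.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] == filename:
            return parts[0].lower() == digest
    return False


# Constructed sample inputs (not captured from a real incident).
SAMPLE_VERSION_OUTPUT = "Version: 0.69.4\nVulnerability DB:\n  Version: 2\n"

SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master   # mutable branch: flagged
      - uses: aquasecurity/trivy-action@0.28.0   # mutable tag: flagged
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567  # placeholder full SHA: accepted
"""

SAMPLE_LOG = [
    "trivy[4711] GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2 200",
    "trivy[4711] POST https://scan.aquasecurtiy.org/api/v1/upload 200",
    "curl GET https://github.com/aquasecurity/trivy/releases/download/v0.69.4/trivy_0.69.4_Linux-64bit.tar.gz 200",
]

# sha256("hello") stands in for the digest of a real release archive.
SAMPLE_CHECKSUMS = (
    "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  "
    "trivy_0.69.4_Linux-64bit.tar.gz\n"
)


def audit() -> dict:
    """Run every check over the sample data and return the findings."""
    return {
        "compromised_version": version_is_compromised(SAMPLE_VERSION_OUTPUT),
        "unpinned_actions": unpinned_trivy_actions(SAMPLE_WORKFLOW),
        "c2_hits": suspicious_hosts(SAMPLE_LOG),
        "archive_ok": verify_sha256(b"hello", SAMPLE_CHECKSUMS,
                                    "trivy_0.69.4_Linux-64bit.tar.gz"),
    }


if __name__ == "__main__":
    for name, finding in audit().items():
        print(f"{name}: {finding}")
```

Feed `unpinned_trivy_actions` the contents of each file under `.github/workflows/`, `suspicious_hosts` your runner, proxy or DNS logs, and `verify_sha256` the archive bytes plus a checksum file you obtained independently of the release page; the look-alike filter in `suspicious_hosts` is deliberately broad, so review its hits rather than alerting on them blindly.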

Sources