A significant security breach has been reported concerning Aqua Security's Trivy vulnerability scanner, a tool widely used by developers to identify vulnerabilities and hardcoded secrets in their software development pipelines. The incident, confirmed by Trivy maintainer Itay Shakury, involved hackers compromising nearly all versions of the scanner through a supply chain attack that began early Thursday. They employed stolen credentials to execute a force push that replaced numerous version tags with malicious dependencies, putting countless developers and organizations at risk.
A force push is a git operation that overrides the safeguards that normally prevent existing commits from being overwritten, which is what makes this attack particularly alarming: a version tag that previously pointed at a reviewed release can be silently repointed at attacker-controlled code. Trivy, which boasts over 33,200 stars on GitHub, is integral to many continuous integration and continuous deployment (CI/CD) processes. In light of this breach, Shakury has advised users to assume their pipelines may be compromised and to rotate all pipeline secrets immediately.
Security firms Socket and Wiz have reported that the malware inserted into 75 of the compromised trivy-action tags is designed to scour development environments for sensitive credentials, including GitHub tokens and cloud credentials. Once these secrets are located, the malware encrypts the data and sends it to a server controlled by the attackers. This means that any CI/CD pipeline referencing the affected tags could inadvertently execute malicious code during a Trivy scan, potentially leading to severe data breaches.
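The exposure described above comes from workflows that reference trivy-action by a mutable tag or branch name, which a force push can repoint without any change to the workflow file. The following audit script is an added example (not code from the article, from Aqua Security or from the Trivy project): it scans GitHub Actions workflow text for `uses: aquasecurity/trivy-action@<ref>` lines, classifies each reference as a full commit SHA, a version tag or a branch, checks pinned SHAs against an allowlist, and proposes a pinned replacement for tags whose commit has been verified out of band. The workflow text, the version strings and the SHA values are constructed for the example and are not taken from the advisory.

```python
"""Audit GitHub Actions workflows for mutable references to trivy-action.

Added example, not code from the article or the Trivy project. It scans
workflow YAML for `uses: aquasecurity/trivy-action@<ref>` lines and reports
whether each reference is pinned to a full commit SHA or names a tag or
branch that a force push can silently repoint. The workflow text, the
version strings and the SHA values below are constructed for the example.
"""
import re

# `uses: owner/repo[/path]@ref`, optionally quoted, optionally followed by a comment.
USES_RE = re.compile(
    r'^\s*(?:-\s*)?uses:\s*["\']?([\w.-]+/[\w.-]+)(?:/[^@\s"\']+)?@([^\s"\']+)'
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_TAG_RE = re.compile(r"^v?\d+(?:\.\d+)*$")

# Constructed allowlist: version tag -> commit SHA verified out of band.
# Placeholder values, not real trivy-action commits.
KNOWN_GOOD = {
    "aquasecurity/trivy-action": {
        "0.28.0": "0123456789abcdef0123456789abcdef01234567",
    },
}


def classify_ref(ref):
    """'sha' for a full commit hash, 'tag' for a version tag, else 'branch_or_other'."""
    if FULL_SHA_RE.match(ref):
        return "sha"
    if VERSION_TAG_RE.match(ref):
        return "tag"
    return "branch_or_other"


def audit_workflow(text, target="aquasecurity/trivy-action", known_good=KNOWN_GOOD):
    """Return one finding per `uses:` line that references `target`."""
    verified_shas = set(known_good.get(target, {}).values())
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1) != target:
            continue
        ref = m.group(2)
        kind = classify_ref(ref)
        if kind != "sha":
            status = "mutable"          # a force push can move a tag or branch
        elif ref in verified_shas:
            status = "pinned_known"     # immutable and on the allowlist
        else:
            status = "pinned_unknown"   # immutable, but not yet verified
        findings.append({"line": lineno, "ref": ref, "kind": kind, "status": status})
    return findings


def suggest_pin(finding, target="aquasecurity/trivy-action", known_good=KNOWN_GOOD):
    """For a mutable version tag with a verified SHA, return the pinned `uses:` line."""
    sha = known_good.get(target, {}).get(finding["ref"])
    if finding["status"] != "mutable" or sha is None:
        return None
    return f"uses: {target}@{sha} # {finding['ref']}"


def summarize(findings):
    """Count findings by status so a CI gate can fail on any mutable reference."""
    counts = {"mutable": 0, "pinned_known": 0, "pinned_unknown": 0}
    for f in findings:
        counts[f["status"]] += 1
    return counts


# Constructed sample workflow exercising every reference style.
WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy (mutable version tag)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - name: Run Trivy (mutable branch)
        uses: aquasecurity/trivy-action@master
      - name: Run Trivy (pinned to allowlisted SHA)
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # 0.28.0
      - name: Run Trivy (pinned to unverified SHA)
        uses: aquasecurity/trivy-action@89abcdef0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    results = audit_workflow(WORKFLOW)
    for f in results:
        print(f"line {f['line']}: @{f['ref']} [{f['kind']}] -> {f['status']}")
        fix = suggest_pin(f)
        if fix:
            print(f"    suggested: {fix}")
    print(summarize(results))
```

Running the script as a CI check and failing the job when `summarize()` reports any `mutable` reference turns tag pinning into an enforced policy rather than a convention; `pinned_unknown` results are worth a review too, since a full SHA is immutable but says nothing about whether that commit was ever inspected.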
The malicious code runs concurrently with the legitimate Trivy service, complicating detection efforts. It collects environmental variables and searches the filesystem for credentials, attempting to exfiltrate this sensitive information through various methods. If initial attempts to send the data fail, the malware resorts to using a stolen GitHub token to create a repository and post the stolen information there. This incident follows a previous compromise of the Aqua Trivy VS Code extension, indicating a broader vulnerability within the ecosystem.
The implications of this attack are profound, as it not only threatens the security of individual developers but also poses risks to the integrity of the software supply chain as a whole. Organizations relying on Trivy must act swiftly to mitigate potential damage and reassess their security protocols to prevent further compromises.