Hackers Poison Trivy Scanner Tags to Steal Credentials from 10,000+ CI/CD Pipelines
Cybercriminals hijack Trivy GitHub Action, infecting CI/CD pipelines with malware; over 10,000 workflows at risk. Secure your operations now!
By Content Team
Cybercriminals compromised the popular Trivy GitHub Action by force-pushing malicious code to 75 out of 76 existing version tags, turning trusted references into malware distribution points. The attack targets CI/CD pipelines globally, with over 10,000 GitHub workflows at risk.
The sophisticated infostealer dumps memory from GitHub runners, scrapes filesystems for SSH keys and database credentials, then encrypts stolen data with AES-256 before exfiltrating it. The malware even creates fake repositories using victims' own GitHub tokens as backup exfiltration channels.
Only the @0.35.0 tag remains uncompromised. Because a version tag is a mutable pointer that a compromised maintainer account can move, organizations must immediately stop referencing the action by tag and pin it to the full commit SHA of the known-good release instead.
Source: Cyber Security News