Cybercriminals compromised the popular Trivy GitHub Action by force-pushing malicious code to 75 out of 76 existing version tags, turning trusted references into malware distribution points. The attack targets CI/CD pipelines globally, with over 10,000 GitHub workflows at risk.
The sophisticated infostealer dumps memory from GitHub runners, scrapes filesystems for SSH keys and database credentials, then encrypts stolen data with AES-256 before exfiltrating it. The malware even creates fake repositories using victims' own GitHub tokens as backup exfiltration channels.
Only tag 0.35.0 was left untouched. Organizations must immediately stop referencing the action by version tag and pin it to a full commit SHA they have verified themselves, because a tag is a mutable pointer that can be force-pushed to new content while a 40-character commit SHA is not.
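As an added example that is not part of the article, the check below audits a GitHub Actions workflow for `uses:` references that are not pinned to a full commit SHA and separately calls out Trivy action references by tag. The action's repository path `aquasecurity/trivy-action` is taken from the project; the sample workflow, the action names in it and the 40-hex SHA on the checkout line are constructed for illustration and are not real commits or a real pipeline.

```python
import re
from typing import Dict, List

# Constructed sample workflow (not from the article). The checkout line is pinned
# to a made-up 40-hex SHA; the trivy-action line uses a mutable version tag.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
"""

TRIVY_ACTION = "aquasecurity/trivy-action"
SAFE_TRIVY_TAG = "0.35.0"  # per the report, the only tag that was not force-pushed

# Matches "uses: owner/repo@ref" (quoted or not) and stops at a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str) -> str:
    """Classify a uses: value as 'local', 'docker', 'sha' or 'mutable'.

    Anything that is not a local path, a docker:// image or a full 40-hex
    commit SHA is mutable: tags and branches can be moved by a force-push.
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    if "@" not in ref:
        return "mutable"  # no ref at all resolves to the default branch
    git_ref = ref.rpartition("@")[2]
    return "sha" if SHA_RE.match(git_ref) else "mutable"


def audit_workflow(workflow_text: str) -> List[Dict[str, object]]:
    """Return one finding per mutable uses: reference in the workflow text."""
    findings: List[Dict[str, object]] = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if classify_ref(ref) != "mutable":
            continue
        finding: Dict[str, object] = {"line": line_no, "ref": ref, "trivy_tag": None}
        if ref.startswith(TRIVY_ACTION + "@"):
            tag = ref.split("@", 1)[1]
            # The report says every tag except 0.35.0 was overwritten.
            finding["trivy_tag"] = tag
            finding["reported_safe"] = tag == SAFE_TRIVY_TAG
        findings.append(finding)
    return findings


def unpinned_lines(workflow_text: str) -> List[int]:
    """Line numbers of every uses: reference that is not pinned to a full SHA."""
    return [int(f["line"]) for f in audit_workflow(workflow_text)]


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        note = ""
        if f["trivy_tag"] is not None:
            note = " (trivy-action tag %s, reported safe: %s)" % (
                f["trivy_tag"], f["reported_safe"])
        print("line %d: %s is not SHA-pinned%s" % (f["line"], f["ref"], note))
```

Run it over each file under `.github/workflows/` and treat every reported line as a pipeline that will execute whatever the tag points to at run time. Before pinning, confirm what a tag currently resolves to with `git ls-remote https://github.com/aquasecurity/trivy-action 0.35.0` and compare that SHA against the project's own release information rather than trusting the tag alone.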
Source: Cyber Security News