Widely used Trivy scanner compromised in ongoing supply-chain attack
Summary
Ars Technica reports a widespread compromise of Aqua Security’s Trivy scanner via a supply-chain attack, forcing attackers to force-push malicious commits to multiple trivy-action and setup-trivy tags. The attack could enable stealthy theft of credentials from pipelines and developer machines, with 75 compromised tags pushing malicious code; the incident underscores the risk of dependencies and the need for rapid secret rotation and defense-in-depth.