
Trivy Scanner Compromised in Supply Chain Attack

Ars Technica

Hackers have compromised Aqua Security's Trivy vulnerability scanner in a sophisticated supply chain attack. The attack began Thursday when threat actors used stolen credentials to force-push malicious dependencies to nearly all versions of the popular tool, which has 33,200 GitHub stars and is widely used to detect vulnerabilities and secrets in software development pipelines.

Security experts confirm that compromised tags include widely used versions like @0.34.2, @0.33, and @0.18.0. Only @0.35.0 remains unaffected. The malware, identified by Socket and Wiz, thoroughly scans development environments for credentials and secrets, then encrypts and exfiltrates them to attacker-controlled servers. Any CI/CD pipeline using these compromised tags executes malicious code during scans.

Trivy maintainer Itay Shakury advises developers to assume their pipelines are compromised and rotate all secrets immediately. The attack demonstrates the growing risk of supply chain compromises targeting development tools; organizations must now assess whether their security protocols can detect such sophisticated attacks before they compromise entire development ecosystems.
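As an added defender-side illustration that is not part of the article: a small check that audits GitHub Actions `uses:` references for mutable tags versus full-commit-SHA pins, and flags the tags the article names as compromised. It assumes the action is referenced as `aquasecurity/trivy-action` (an assumption; the article does not name the action repository) and runs over a constructed workflow snippet.

```python
import re

# Constructed sample workflow (not from the article): one third-party step on a
# mutable tag, one Trivy step on a tag the article lists as compromised, and one
# Trivy step pinned to a full commit SHA (placeholder SHA, not a real commit).
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.34.2
      - uses: aquasecurity/trivy-action@0000000000000000000000000000000000000000 # 0.35.0
"""

# Tags the article reports as compromised; @0.35.0 is reported unaffected.
KNOWN_BAD_TAGS = {"0.34.2", "0.33", "0.18.0"}

# Match `uses: owner/repo@ref`, stopping at whitespace or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A 40-hex ref is an immutable commit pin; anything else is a movable tag/branch.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text, action="aquasecurity/trivy-action", bad_tags=KNOWN_BAD_TAGS):
    """Return (line_no, ref, verdict) for every `uses:` entry in a workflow.

    verdict is one of: 'pinned-sha', 'known-compromised-tag', 'mutable-tag'.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        repo, _, version = ref.partition("@")
        if SHA_RE.match(version):
            verdict = "pinned-sha"          # force-pushing a tag cannot move this
        elif repo == action and version in bad_tags:
            verdict = "known-compromised-tag"
        else:
            verdict = "mutable-tag"         # resolves to whatever the tag points at today
        findings.append((line_no, ref, verdict))
    return findings


def unpinned_refs(text, **kwargs):
    """Only the entries that would follow a moved tag; empty means fully pinned."""
    return [f for f in audit_workflow(text, **kwargs) if f[2] != "pinned-sha"]


if __name__ == "__main__":
    for line_no, ref, verdict in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} -> {verdict}")
```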