TrapDoor: 34 Malicious Packages Stole Crypto Wallet Keys and SSH Credentials Across npm, PyPI, and Crates.io
May 25, 2026
AntV npm Packages Compromised via Hijacked Maintainer Account
May 19, 2026
CVE-2026-42945: NGINX Rewrite Module Heap Overflow Enables Unauthenticated Code Execution
May 13, 2026
TanStack and Mistral npm Packages Compromised in Mini Shai-Hulud Supply Chain Attack
May 11, 2026
Microsoft Patches Critical ASP.NET Core DataProtection Flaw That Breaks Cryptographic Signatures
April 23, 2026
Vercel got breached. Here is what that means for everyone downstream.
April 19, 2026
When the System Built to Warn Us Can No Longer Keep Pace
April 15, 2026
Your AI Agent Remembers Your Secrets
April 13, 2026
Your Home Directory is a Secret Goldmine for Attackers
April 6, 2026
When a core npm dependency becomes the attack path: lessons from the Axios compromise
March 31, 2026
When the AI dependency becomes the attack path: lessons from the LiteLLM PyPI compromise
March 24, 2026
When the security scanner becomes the attack path: lessons from the Trivy compromise
March 23, 2026
Critical Path Traversal Vulnerability in jsPDF Library (CVE-2025-68428)
January 6, 2026
MongoBleed: Unauthenticated Memory Disclosure in MongoDB (CVE-2025-14847)
December 27, 2025
Critical Remote Code Execution in n8n Workflow Automation: CVE-2025-68613
December 19, 2025
The Return of Shai-Hulud: npm's Worm Strikes Back
November 24, 2025
Critical Chrome Zero-Day Exploited: Google Rushes Emergency Patch for CVE-2025-0411
October 28, 2025
Critical Remote Code Execution Vulnerability in React Server Components
December 3, 2025
Supply Chain SecurityMarch 23, 20265 min read

When the security scanner becomes the attack path: lessons from the Trivy compromise

A short practical look at the recent Trivy compromise, how malicious container images expanded the blast radius, and what security teams should do next.

Security teams ask developers to scan everything. Dependencies, containers, infrastructure, CI pipelines.

That advice is still right. But the recent Trivy compromise is a reminder that we also need to ask a harder question:

What happens when the tool doing the scanning becomes the attack path?

That is what made this incident important.

What happened

The attack appears to have started with a compromise involving Trivy's GitHub Actions workflow. That was already serious because many teams run Trivy automatically in CI/CD.

Then the impact expanded.

Malicious Trivy container images were reportedly pushed to Docker Hub, including:

  • 0.69.4
  • 0.69.5
  • 0.69.6

This widened the blast radius. The risk was no longer limited to teams using one GitHub Action path. It also affected teams pulling Trivy images directly in CI jobs, local environments, or automated security workflows.

If those environments had access to secrets, registries, cloud credentials, or clusters, the impact could be much bigger than a bad scan.

Why this matters

Trivy is often run in the most sensitive places in the delivery pipeline. CI runners, registries, source repos, cloud accounts, and Kubernetes environments.

That means a compromised scanner can become a path to secret theft, infrastructure access, or release pipeline tampering.

This is the uncomfortable lesson from incidents like this: modern supply chain security is not only about scanning untrusted code. It is also about validating the tools that do the scanning.

What teams should do right now

If your team used Trivy recently, the safest move is to investigate.

Start with the basics:

  • Stop using 0.69.4, 0.69.5, and 0.69.6
  • Use 0.69.3 as the last publicly reported known good version until trusted guidance says otherwise
  • Audit recent CI runs that pulled Trivy images or used the affected GitHub Action path
  • Rotate any credentials the scanner could access
  • Review registry, cloud, and Kubernetes activity for anything unusual

The key point is simple: if Trivy ran in an environment with secrets, treat those secrets as potentially exposed.

The bigger lesson

Many security programs still focus mostly on what is inside the build: packages, CVEs, licenses, base images.

That still matters. But incidents like this show that we also need to understand what actually ran during the build, with what permissions, and from where.

A trusted tool can become untrusted very quickly if it is pulled by mutable tag, granted broad access, or executed without guardrails.

That is why teams should be stricter about:

  • Pinning GitHub Actions to commit SHAs
  • Pinning container images to immutable digests
  • Limiting permissions for scanners
  • Isolating scanning jobs where possible
  • Treating security tools as privileged software in the threat model

Final thought

The Trivy incident is not a reason to stop scanning.

It is a reason to be more careful about how we trust the tools inside CI/CD.

If a security tool runs in your pipeline, it should be treated like any other high-privilege software. It needs version control, least privilege, and real oversight.

And once something like this happens, one of the first questions teams ask is: what is the blast radius?

Which repos used the affected image? Which workflows pulled it? Which secrets were exposed? Which downstream artifacts or environments could have been touched?

That is exactly where visibility matters. In Prismor, this is the kind of impact teams can quickly reason about through the inventory view: where a package, container, action, or workflow exists across the estate, what it connects to, and how far trust or exposure can spread.

At Prismor, we think this is where developer security is heading next: not only understanding what is in the software, but understanding what ran to produce it, what it could access, and how quickly you can map the blast radius when trust breaks.