
"Following the initial disclosure on March 1, credential rotation was performed, but was not atomic (not all credentials were revoked simultaneously). The attacker could have used a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days)."
"The attackers used the compromised credentials to push a malicious Trivy release (version v0.69.4) that was distributed across all regular channels, including GitHub Container Registry, Amazon ECR Public, and Docker Hub."
"They also force-pushed 76 of 77 trivy-action version tags to malicious commits, leading to infections with an information stealer designed to dump the Runner.Worker process memory and extract all secrets from it."
"The malware was also designed to encrypt the harvested data and send it to a remote server. If the exfiltration failed, it created a public GitHub repository and uploaded the data to it."
Aqua Security's Trivy vulnerability scanner was compromised in a supply chain attack that began in late February. The initial incident involved a GitHub Actions workflow issue and resulted in the deletion of some releases and the publication of malicious VS Code extensions. Credentials were rotated after the March 1 disclosure, but not atomically, so a still-valid token could have been used during the multi-day rotation window to read the newly rotated secrets; compromised credentials were later used in a second attack targeting Trivy and its related packages. The attackers pushed a malicious Trivy release (v0.69.4) to the project's regular distribution channels and force-pushed 76 of 77 trivy-action version tags to commits carrying an information stealer that dumps the Runner.Worker process memory to extract every secret it holds. The malware encrypted the harvested data and sent it to a remote server, falling back to creating a public GitHub repository and uploading the data there if exfiltration failed.
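The tag retargeting described above works because most workflows reference actions by a mutable tag (`trivy-action@0.28.0`, `login-action@v3`) that a repository maintainer, or anyone holding their credentials, can move to a different commit at any time. The practical check is to pin third-party actions to a full 40-character commit SHA, which cannot be silently retargeted. The script below is an added example written for this page, not code from Aqua Security or from the SecurityWeek article; the workflow it scans is constructed sample input and the function names (`classify_uses`, `find_unpinned`) are the author's own. It walks a workflow file and reports every `uses:` reference that is not pinned to a full SHA.

```python
import re

# Constructed sample workflow for this example (not taken from the page):
# one step pinned to a full commit SHA, two referenced by mutable tags,
# one local action. The SHA and version numbers are illustrative only.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - uses: docker/login-action@v3
      - uses: ./.github/actions/local-step
"""

# Matches a `uses:` key anywhere in a step and captures the reference up to
# whitespace, a quote or a trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_uses(ref):
    """Classify a `uses:` reference as 'local', 'docker', 'sha' or 'mutable'.

    Only 'sha' (a full 40-hex commit id) is immune to tag retargeting.
    A reference with no '@' at all resolves to the default branch, which
    is the most mutable target of all.
    """
    if ref.startswith('./'):
        return 'local'
    if ref.startswith('docker://'):
        return 'docker'
    if '@' not in ref:
        return 'mutable'
    _, _, version = ref.rpartition('@')
    return 'sha' if FULL_SHA_RE.match(version) else 'mutable'


def find_unpinned(workflow_text):
    """Return [(line_no, ref), ...] for every action not pinned to a full SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if classify_uses(ref) == 'mutable':
            findings.append((line_no, ref))
    return findings


if __name__ == '__main__':
    for line_no, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f'line {line_no}: {ref} is not pinned to a commit SHA')
```

SHA pinning defends against a tag being moved to a malicious commit, which is what happened to trivy-action here. It does not defend against the other half of the incident: a malicious new release (v0.69.4) that a consumer deliberately upgrades to. Reviewing the diff between the previously pinned SHA and the new one before bumping the pin is the only check that covers that case.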
Read at SecurityWeek