
"If you suspect you were running a compromised version, treat all pipeline secrets as compromised and rotate immediately."
"The malware, triggered in 75 compromised trivy-action tags, causes custom malware to thoroughly scour development pipelines for GitHub tokens, cloud credentials, SSH keys, and Kubernetes tokens."
"The end result is that any CI/CD pipeline using software that references compromised version tags executes code as soon as the Trivy scan is run."
Aqua Security's Trivy vulnerability scanner was compromised in a supply chain attack affecting nearly all versions except @0.35.0. Using stolen credentials, the threat actor pushed malicious dependencies to the scanner's version tags. Developers are advised to treat all pipeline secrets as compromised and rotate them immediately. The malware searches development pipelines for sensitive information and encrypts it for transmission to an attacker-controlled server. The incident poses a significant risk to any CI/CD pipeline that runs the affected software.
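The attack works because workflows reference the action by a mutable version tag, so whoever can move the tag controls what the pipeline runs. A defender's first check is therefore to find every `uses:` reference in a workflow that is not pinned to a full commit SHA. The script below is an added example, not code from the article or from the Trivy project; the workflow text and the 40-character SHA in it are constructed placeholders.

```python
import re

# Matches a `uses:` step in GitHub Actions workflow YAML (regex is a constructed
# approximation; a full YAML parser would be stricter).
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')

def classify_ref(ref):
    """Classify an action reference: 'sha' if pinned to a full commit SHA,
    'tag' for a mutable tag or branch, 'local'/'docker' for non-repo refs,
    'none' if no version is given at all."""
    if ref.startswith('./'):
        return 'local'
    if ref.startswith('docker://'):
        return 'docker'
    if '@' not in ref:
        return 'none'
    _, version = ref.rsplit('@', 1)
    return 'sha' if SHA_RE.match(version) else 'tag'

def find_unpinned_actions(workflow_text):
    """Return (line_no, ref) for each action that a tag rewrite could redirect."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if classify_ref(ref) in ('tag', 'none'):
            findings.append((n, ref))
    return findings

# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Run Trivy
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
      - uses: ./.github/actions/local-step
"""

if __name__ == '__main__':
    for n, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {n}: {ref} is not pinned to a commit SHA")
```

Pinning to a SHA only helps if the pinned commit was reviewed; a tag that already pointed at malicious code yields a malicious SHA.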