Aquasecurity/Trivy GitHub Repository and Homebrew Cask Compromised (again) (opensourcemalware.com) 16 points by mmsc 3mo ago ↗ HN
[–] mmsc 3mo ago ↗ The offending commit seems to be: https://github.com/aquasecurity/trivy/commit/1885610c6a34811... which updates the action to `actions/checkout@70379aad1a8b40919ce8b382d3cd7d0315cde1d0 # v6.0.2`. https://github.com/actions/checkout/commit/70379aad1a8b40919... is not actually in `actions/checkout` but a fork, and it pulls malicious code from the typo-squatted "scan.aquasecurtiy.org" (note the _tiy_).Any system with Trivy 0.69.4 on it (and being run) can be assumed to be compromised.
[–] man8alexd 3mo ago ↗ More details here: https://www.stepsecurity.io/blog/trivy-compromised-a-second-...Current GitHub discussion (the old discussion was removed by the attacker): https://github.com/aquasecurity/trivy/discussions/10420
[–] jl6 3mo ago ↗ Any recommendations for Trivy alternatives to use while Aqua rebuilds their reputation?
4 comments
[ 2.9 ms ] story [ 24.9 ms ] threadAny system with Trivy 0.69.4 on it (and being run) can be assumed to be compromised.
Current GitHub discussion (the old discussion was removed by the attacker): https://github.com/aquasecurity/trivy/discussions/10420