This attack seems predicated on a prior security incident (https://socket.dev/blog/unauthorized-ai-agent-execution-code...) at Trivy where they failed to successfully remediate and contain the damage. I think at this time, Trivy should’ve undertaken a full reassessment of risks and clearly isolated credentials and reduced risk systemically. This did not happen, and the second compromise occurred.
I don’t think “briefly compromised” is accurate. The short span between this and the previous compromise of trivy suggests that the attacker was able to persist between their two periods of activity.
To be clear, this is a supply chain attack on everyone that uses Trivy, not a supply chain attack on Trivy. It was a direct attack on Trivy, exploiting components that Aqua had full control and responsibility for. The term “supply chain attack” has a connotation of “it’s not really my fault, it was my dependencies that got compromised”.
Of course, every entity is ultimately accountable for its own security, including assigning a level of trust to any dependencies, so it’s ultimately no excuse, but getting hit by a supply chain attack does evoke a little more sympathy (“at least I did my bit right”), and I feel like the ambiguous wording of the title is trying to access some of that sympathy.
A supply chain attack is an attack on a provider of a solution that is then deployed further. The issue with a supply chain attack is that the ultimate victim brings in trusted software that was compromised upstream.
The Go binary was also compromised, but there's almost no information what the compromised binary did. Did it drop a python script? Did it do direct scanning?
If trivy docker image was used, what's the scope (it does not include python).
This is a very old vulnerability, and to see companies falling for it is mental.
The year is 2026 and companies are still using tag over hash. It is well known that you can release different code under the same tag without alerting users.
21 comments
[ 2.7 ms ] story [ 48.6 ms ] threadI only clicked on a handful of accounts but several of them have plausibly real looking profiles.
"Trivy Supply Chain Attack Spreads, Triggers Self-Spreading CanisterWorm Across 47 npm Packages"
https://it.slashdot.org/story/26/03/22/0039257/trivy-supply-...
Of course, every entity is ultimately accountable for its own security, including assigning a level of trust to any dependencies, so it’s ultimately no excuse, but getting hit by a supply chain attack does evoke a little more sympathy (“at least I did my bit right”), and I feel like the ambiguous wording of the title is trying to access some of that sympathy.
In my experience that is definitely not true, and I've never heard anyone use it that way. Even though you are correct in who the target was.
How do you simultaneously revoke all credentials of all your accounts spanning multiple services/machines/users?
Disclosure: I’m the founder of Socket.
The Go binary was also compromised, but there's almost no information what the compromised binary did. Did it drop a python script? Did it do direct scanning?
If trivy docker image was used, what's the scope (it does not include python).
https://www.aquasec.com/blog/trivy-supply-chain-attack-what-...
This is a very old vulnerability, and to see companies falling for it is mental.
The year is 2026 and companies are still using tag over hash. It is well known that you can release different code under the same tag without alerting users.