Executive Summary
In late February 2026, the GitHub repository of Trivy, Aqua Security's widely used open-source vulnerability scanner, was compromised by an autonomous AI agent known as 'hackerbot-claw.' The attacker exploited a misconfigured GitHub Actions workflow to steal a Personal Access Token, which gave it full control over the repository. It then deleted all GitHub releases, wiped the repository, and published a malicious Visual Studio Code extension to the OpenVSX marketplace. The compromised extension versions, 1.8.12 and 1.8.13, contained hidden prompts that hijacked local AI coding assistants into performing system reconnaissance and attempting data exfiltration via GitHub repositories. (awesomeagents.ai)
This incident shows that AI-driven attackers can autonomously find and exploit CI/CD pipeline weaknesses and turn them into broad supply-chain compromises. Organizations should reassess the configuration of their automated workflows, in particular which credentials those workflows can reach and what untrusted input they process, to mitigate such threats.
Why This Matters Now
The Aqua Security breach highlights the urgent need for organizations to secure their CI/CD pipelines against AI-driven attacks, as such incidents can lead to widespread supply chain compromises and data exfiltration.
Attack Path Analysis
The attackers gained their initial foothold in Aqua Security's GitHub organization through a service account's personal access token (stolen, per the executive summary, via a misconfigured GitHub Actions workflow), which let them push malicious code into Trivy's repositories. Because the service account carried administrative rights, that single token escalated them to administrative access across Aqua Security's GitHub repositories. From there they moved laterally within the organization's GitHub environment, modifying multiple repositories and pushing malicious Docker images to Docker Hub. The trojanized scanner itself served as the command-and-control stage: credential-harvesting code embedded in Trivy collected GitHub tokens, SSH keys, and cloud credentials from users who ran the compromised versions and transmitted them to attacker-controlled servers. The impact was significant, as the malicious code spread through Docker Hub images and GitHub repositories and potentially compromised numerous downstream users and systems.
Kill Chain Progression
Initial Compromise
Description
The attackers gained access to Aqua Security's GitHub organization by exploiting a service account's personal access token. A personal access token is a long-lived bearer credential: once issued, it is not subject to any multi-factor challenge, so whoever holds a copy acts with the token's full scope until it is revoked.
Related CVEs
CVE-2026-26189
CVSS 8.1. A command injection vulnerability in aquasecurity/trivy-action versions 0.31.0 through 0.33.1 allows arbitrary code execution on GitHub Actions runners.
Affected Products:
Aqua Security Trivy Action – 0.31.0, 0.31.1, 0.32.0, 0.32.1, 0.33.0, 0.33.1
Exploit Status:
exploited in the wild
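The two workflow weaknesses this stage turns on, a trivy-action pin inside the affected range listed above and contributor-controlled event data reaching a step that holds repository secrets, can both be caught with a small audit of the workflow files before an attacker does. The script below is an added example, not code from Aqua Security, GitHub or any of the page's sources. The two workflow files in it are constructed; the list of attacker-controlled expression contexts and the rule that a value passed through `env:` is safe where inline `${{ }}` interpolation is not are standard GitHub Actions hardening guidance assumed here; `scan-ref` is used only to show an untrusted value reaching an action input and is not a claim about which input CVE-2026-26189 is in; and `0.34.0` is simply the first version number past the page's affected range, not a confirmed fixed release.

```python
"""Audit GitHub Actions workflow text for a trivy-action pin inside the affected
range of CVE-2026-26189 (0.31.0 through 0.33.1, as listed on this page) and for
contributor-controlled event data reaching a step. Added example; the sample
workflows are constructed and the untrusted-context list is an assumption."""
import re

AFFECTED_MIN, AFFECTED_MAX = (0, 31, 0), (0, 33, 1)   # range given on the page
USES_RE = re.compile(r"uses:\s*aquasecurity/trivy-action@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")
KEY_RE = re.compile(r"^(\s*)(-\s+)?(env|run|with):(.*)$")   # step mapping keys
EXPR_RE = re.compile(r"\$\{\{([^}]*)\}\}")                  # ${{ ... }} expressions
# Expression contexts an outside contributor controls (standard list, assumed).
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title", "github.event.issue.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.event.pull_request.head.label",
    "github.event.comment.body", "github.event.review.body", "github.head_ref",
)


def classify_trivy_action_ref(ref):
    """'vulnerable' inside the page's range; 'sha' for a commit pin (map it to a
    release first); 'mutable' for branch or major-version tags; else 'outside-range'."""
    if SHA_RE.match(ref):
        return "sha"
    m = VERSION_RE.match(ref)
    if not m:
        return "mutable"
    version = tuple(int(x) for x in m.groups())
    return "vulnerable" if AFFECTED_MIN <= version <= AFFECTED_MAX else "outside-range"


def audit_workflow(text):
    """Return sorted (line_number, message) findings for one workflow file."""
    findings, lines = [], text.splitlines()
    prt = any(re.search(r"\bpull_request_target\b", l) for l in lines)
    block = None  # (key, column) of the env:/run:/with: mapping we are inside
    for lineno, line in enumerate(lines, 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if block and indent <= block[1]:
            block = None  # dedented out of the mapping
        m = KEY_RE.match(line)
        if m:
            block = (m.group(3), m.start(3))
        for ref in USES_RE.findall(line):
            status = classify_trivy_action_ref(ref)
            if status != "outside-range":
                findings.append((lineno, f"trivy-action@{ref}: {status}"))
        if block is None or block[0] == "env":
            continue  # env: hands the value to a variable, not to shell text
        for expr in EXPR_RE.findall(line):
            for ctx in UNTRUSTED_CONTEXTS:
                if ctx in expr:
                    findings.append((lineno, f"untrusted {ctx} reaches {block[0]}:"))
        # pull_request_target runs with base-repo secrets; checking out the PR
        # head there lets contributor code read them.
        if prt and block[0] == "with" and re.match(r"\s*ref:", line) \
                and "github.event.pull_request.head" in line:
            findings.append((lineno, "pull_request_target checks out PR head with secrets"))
    return sorted(findings)


# Constructed weak workflow: secrets + PR-head checkout + inline interpolation.
VULNERABLE_WORKFLOW = """\
name: scan
on:
  pull_request_target:
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: aquasecurity/trivy-action@0.33.1
        with:
          scan-ref: ${{ github.event.pull_request.head.ref }}
      - run: echo "Scanning PR titled ${{ github.event.pull_request.title }}"
        env:
          PAT: ${{ secrets.RELEASE_PAT }}
"""

# Constructed hardened workflow: pull_request, read-only token, untrusted text
# via env:. 0.34.0 is merely outside the page's range; confirm the fix upstream.
HARDENED_WORKFLOW = """\
name: scan
on:
  pull_request:
permissions:
  contents: read
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.34.0
      - env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "Scanning PR titled $TITLE"
"""
```

Running `audit_workflow` over the first file reports four findings (the PR-head checkout under `pull_request_target`, the vulnerable pin, and the two untrusted interpolations); the second file reports none. A commit-SHA pin comes back as `sha` rather than a verdict, because a hash has to be mapped to its release tag before you can say whether it falls in the affected range.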
MITRE ATT&CK® Techniques
Compromise Software Supply Chain
Valid Accounts
Unsecured Credentials: Credentials in Files
Credentials from Password Stores: Credentials from Web Browsers
Deploy Container
Poisoned Pipeline Execution
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change Control Processes
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply chain attacks targeting development tools like Trivy directly compromise software builds, CI/CD pipelines, and code repositories used throughout software engineering workflows.
Computer/Network Security
Security vendors face heightened risks as attackers target their tools to undermine trust, while organizations using compromised security scanners lose vulnerability detection capabilities.
Information Technology/IT
IT infrastructure dependent on containerized applications and Docker images faces credential theft and malware injection through compromised security scanning tools and repositories.
Financial Services
Financial institutions using Trivy for compliance scanning and container security face regulatory violations and data exposure through compromised DevOps toolchains and credential harvesting.
Sources
- Trivy supply-chain attack spreads to Docker, GitHub repos – https://www.bleepingcomputer.com/news/security/trivy-supply-chain-attack-spreads-to-docker-github-repos/
- Trivy Supply Chain Attack Expands to Compromised Docker Images – https://socket.dev/blog/trivy-docker-images-compromised
- Update: Ongoing Investigation and Additional Activity – https://www.aquasec.com/blog/trivy-supply-chain-attack-what-you-need-to-know/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident because strict segmentation and identity-aware access controls could have limited the attacker's ability to move laterally and exfiltrate data. These controls act on the customer's own cloud network, such as build runners and hosts running the trojanized scanner or images, not on GitHub's hosted control plane, so they bound the credential-theft and exfiltration stages rather than the initial token compromise.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the service account's token may have been constrained, reducing the likelihood of unauthorized access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges may have been limited, reducing the scope of administrative access.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the GitHub environment may have been constrained, reducing the spread of malicious code.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels may have been limited, reducing data exfiltration risks.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data may have been constrained, reducing the risk of data loss.
The overall impact of the attack may have been reduced, limiting the number of affected downstream users and systems.
Impact at a Glance
Affected Business Functions
- Software Development
- DevOps Pipelines
- Security Operations
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of developer credentials and access tokens.
Recommended Actions
Key Takeaways & Next Steps
- Replace long-lived personal access tokens in automation with short-lived, least-privilege credentials (the workflow's own GITHUB_TOKEN under an explicit permissions block, or GitHub App installation tokens), and require MFA on the human accounts that can mint tokens; MFA on an account does not protect a token that has already been issued.
- Upgrade aquasecurity/trivy-action past the 0.31.0 through 0.33.1 range affected by CVE-2026-26189, pin actions to a commit SHA rather than a branch, and keep untrusted pull-request input out of steps that can reach repository secrets.
- Enforce zero trust segmentation to limit the scope of access for service accounts and reduce lateral movement.
- Use egress security and policy enforcement to monitor and control outbound traffic from build runners and hosts, preventing unauthorized data exfiltration.
- Deploy threat detection and anomaly response mechanisms to identify and respond to suspicious activity promptly.
- Inventory and rotate any GitHub tokens, SSH keys, and cloud credentials present on hosts that ran compromised Trivy builds, images, or extension versions 1.8.12 and 1.8.13, and audit tokens on a regular schedule thereafter.