Executive Summary
In late February 2026, Aqua Security's Trivy, a widely used open-source vulnerability scanner, was compromised through its GitHub Actions workflows. An autonomous AI bot named 'hackerbot-claw' exploited vulnerabilities in Trivy's CI/CD pipeline, leading to unauthorized code execution and the exfiltration of sensitive CI/CD secrets. This breach resulted in the deletion of Trivy's GitHub repository content, disrupting numerous organizations relying on Trivy for security scanning. (medium.com)
This incident underscores the escalating threat of AI-driven supply chain attacks targeting CI/CD pipelines. The automation and adaptability demonstrated by 'hackerbot-claw' highlight the urgent need for enhanced security measures in development workflows to prevent similar breaches.
Why This Matters Now
The Trivy breach exemplifies the growing sophistication of AI-powered attacks on software supply chains, emphasizing the critical need for organizations to fortify their CI/CD pipelines against such advanced threats.
Attack Path Analysis
The adversary compromised Aqua Security's GitHub repositories by exploiting a previously stolen Personal Access Token (PAT), allowing them to force-push malicious code to 75 version tags of the 'aquasecurity/trivy-action' repository. This unauthorized access enabled the attacker to embed an infostealer payload within the GitHub Actions workflows, which, when executed in CI/CD pipelines, harvested sensitive secrets such as SSH keys, cloud service credentials, and Kubernetes tokens. The stolen data was then exfiltrated to an external server controlled by the attacker. The compromise led to unauthorized access to critical infrastructure and potential exposure of sensitive information across multiple organizations.
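Added example (not from the original page or from Aqua Security): because the attack described above moved existing version tags to malicious commits, a workflow that references the action by tag runs whatever commit the tag points to at run time. The sketch below scans workflow text for `uses:` references that are not pinned to a full 40-character commit SHA and separately flags the trivy-action versions this page lists under CVE-2026-26189; the function name, finding labels and sample workflow are constructed for illustration.

```python
import re

# Matches "uses: owner/repo[/subpath]@ref" in workflow text (line-based, no YAML parser).
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[^@\s'\"]*)?@([^\s'\"#]+)"
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Versions this page lists as affected by CVE-2026-26189.
AFFECTED = {
    "aquasecurity/trivy-action": {
        "0.31.0", "0.31.1", "0.32.0", "0.32.1", "0.33.0", "0.33.1",
    }
}


def audit_workflow(text):
    """Return (line_no, action, ref, finding) for each risky `uses:` reference."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a remote action reference (local ./ paths never match)
        action, ref = m.group(1).lower(), m.group(2)
        if FULL_SHA_RE.fullmatch(ref):
            continue  # pinned to a commit; a force-pushed tag cannot change it
        # Assumption: a leading "v" on a tag is treated as the same version.
        if ref.lstrip("v") in AFFECTED.get(action, set()):
            findings.append((line_no, action, ref, "affected-version"))
        else:
            # Any other tag or branch is still a mutable reference.
            findings.append((line_no, action, ref, "mutable-ref"))
    return findings


# Constructed sample workflow, for illustration only.
SAMPLE = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@0.33.1
      - name: scan image
        uses: aquasecurity/trivy-action@master
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```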
Kill Chain Progression
Initial Compromise
Description
The adversary exploited a previously stolen Personal Access Token (PAT) to gain unauthorized access to Aqua Security's GitHub repositories.
Related CVEs
CVE-2026-26189
CVSS 8.1
A command injection vulnerability in aquasecurity/trivy-action versions 0.31.0 through 0.33.1 allows arbitrary code execution within GitHub Actions runners.
Affected Products:
Aqua Security Trivy Action – 0.31.0, 0.31.1, 0.32.0, 0.32.1, 0.33.0, 0.33.1
Exploit Status:
exploited in the wild
CVE-2026-28353
CVSS 10
The Trivy VSCode Extension version 1.8.12 distributed via OpenVSX was compromised with malicious code designed to leverage local AI coding agents to collect and exfiltrate sensitive information.
Affected Products:
Aqua Security Trivy VSCode Extension – 1.8.12
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Poisoned Pipeline Execution
Compromise Software Supply Chain
Unsecured Credentials: Credentials in Files
Credentials from Web Browsers
Account Discovery: Domain Accounts
Command and Scripting Interpreter: Python
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change Control Processes
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Trivy GitHub Actions compromise exposes CI/CD pipelines to supply-chain attacks, threatening source code integrity and automated deployment processes across software development workflows.
Information Technology/IT
Hijacked vulnerability scanner tools create critical blind spots in security infrastructure, enabling malware delivery through trusted DevSecOps automation and container security processes.
Computer/Network Security
Compromised security scanning tools undermine zero trust architectures and threat detection capabilities, exposing encrypted traffic monitoring and egress security enforcement mechanisms.
Financial Services
Supply-chain attacks on CI/CD security tools threaten PCI compliance and encrypted transaction processing, compromising customer data protection in automated deployment environments.
Sources
- Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets: https://thehackernews.com/2026/03/trivy-security-scanner-github-actions.html
- CVE-2026-26189 Detail: https://nvd.nist.gov/vuln/detail/CVE-2026-26189
- CVE-2026-28353 Detail: https://nvd.nist.gov/vuln/detail/CVE-2026-28353
- Trivy Action Command Injection Vulnerability: https://www.sentinelone.com/vulnerability-database/cve-2026-26189/
- Trivy VSCode Extension Info Disclosure: https://www.sentinelone.com/vulnerability-database/cve-2026-28353/
- An AI Agent Just Pwned Trivy's 32K-Star Repo via GitHub Actions: https://awesomeagents.ai/news/hackerbot-claw-trivy-github-actions-compromise/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to propagate malicious code and exfiltrate sensitive data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's unauthorized access to the GitHub repositories would likely have been limited, reducing the scope of the initial compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and modify repository content would likely have been constrained, reducing the impact of the malicious code injection.
Control: East-West Traffic Security
Mitigation: The spread of malicious code to CI/CD pipelines would likely have been limited, reducing the potential for widespread lateral movement.
Control: Multicloud Visibility & Control
Mitigation: The establishment of command and control channels would likely have been detected and constrained, limiting the attacker's ability to exfiltrate data.
Control: Egress Security & Policy Enforcement
Mitigation: The exfiltration of sensitive data would likely have been constrained, reducing the volume of data the attacker could extract.
The overall impact of the breach would likely have been reduced, limiting unauthorized access and data exposure.
Impact at a Glance
Affected Business Functions
- Software Development
- Continuous Integration/Continuous Deployment (CI/CD) Pipelines
- Version Control Systems
Estimated downtime: 7 days
Estimated loss: $50,000
Potential exposure of CI/CD secrets, including API keys and tokens, leading to unauthorized access to repositories and deployment pipelines.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least privilege access controls and limit the impact of compromised credentials.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to unauthorized access and suspicious activities in real-time.
- Utilize Multicloud Visibility & Control to monitor and manage security policies across all cloud environments, ensuring consistent enforcement.
- Apply Egress Security & Policy Enforcement to restrict unauthorized data exfiltration and control outbound traffic.
- Regularly audit and rotate access credentials, and implement strong authentication mechanisms to reduce the risk of credential compromise.



