What happened

The anatomy of the attack

On March 19, 2026, Aqua Security's Trivy, one of the most widely used vulnerability scanners in the world, was compromised. Attackers injected credential-harvesting logic directly into the official release binary. The payload was sophisticated: scans appeared to complete and pass normally, and the credential exfiltration ran silently alongside the legitimate functionality. Teams had no indication anything was wrong.

The attack did not need a vulnerability in your code. It exploited the fact that your CI/CD pipeline runs tools with access to your environment, and that your API keys live in that environment as plaintext strings. This is the supply chain attack model that makes traditional secrets management insufficient: if the key exists as a plaintext string anywhere in your runtime environment, a compromised tool can find and exfiltrate it.

ENTRY POINT: Attacker compromises the Trivy release
Exploits mutable Git tags and self-declared commit identity to inject malware into the official v0.69.4 release binary.

PROPAGATION: GitHub Actions pick up the payload
Both the trivy-action and setup-trivy GitHub Actions are compromised at the same time. Millions of CI/CD pipelines now run malicious code.

EXFILTRATION: Credentials harvested from the runtime environment
The malicious payload reads plaintext API keys from environment variables, exactly where every secrets manager places them after retrieval. Any process in the job, including a third-party scanner launched by a pipeline step, inherits those variables. The keys are sent to an attacker-controlled C2 server.

WHERE VAULTPROOF BREAKS THE CHAIN: No plaintext key exists to steal
With VaultProof, the full API key never exists in the CI/CD environment. Only cryptographic shares are present, and an individual share is useless to an attacker on its own. There is nothing to harvest. This holds as long as the pipeline never reconstructs the full key inside the runner: the moment a plaintext key is assembled in the job's process or environment, it is exposed to the same harvesting.

The blind spot

Why your secrets manager didn't help

Every secrets manager available in March 2026, including Vault, AWS Secrets Manager, Doppler and Infisical, follows the same retrieval model. You store the key encrypted. Your CI/CD pipeline retrieves it via API at runtime.
The key becomes a plaintext ...
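To make the exfiltration step concrete, here is an added Python example that is not VaultProof's, Trivy's or Aqua Security's code. It builds a constructed CI runner environment with fake placeholder credentials and shows two things the page describes: that any process handed that environment can collect credential-looking variables with a plain dictionary scan, and that a separately spawned child process (the position a scanner binary is in when a pipeline step launches it) inherits and can read the same values. The variable names, values and name patterns are constructed for illustration; `audit_env` is a hypothetical defender-side check, not a feature of any product named on the page.

```python
import re
import subprocess
import sys

# Constructed sample of a CI runner environment. The credential values are
# fake placeholders, not real keys. A secrets manager retrieval step would
# normally populate variables like these just before the tool runs.
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin:/bin",
    "CI": "true",
    "GITHUB_REPOSITORY": "example-org/example-repo",
    "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "GITHUB_TOKEN": "ghp_000000000000000000000000000000000000",
    "DOCKER_BUILD_TARGET": "release",
}

# Name patterns an opportunistic harvester would match. This list is
# constructed for the example and is deliberately not exhaustive.
SECRET_NAME_RE = re.compile(
    r"(SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|ACCESS_KEY|PRIVATE_KEY|CREDENTIAL)",
    re.IGNORECASE,
)


def harvest(env):
    """Return the subset of env whose variable names look like credentials.

    From the tool's point of view this is the entire exfiltration step:
    no exploit and no privilege escalation, just a scan of the environment
    the job already handed to the process.
    """
    return {name: value for name, value in env.items() if SECRET_NAME_RE.search(name)}


def child_can_read(env, name):
    """Spawn a separate interpreter with `env` as its environment and have it
    read one variable, the way a scanner binary launched by a CI step would.

    Returns the value the child process observed. Environment variables are
    inherited by child processes, so the secret is visible to the tool even
    though the tool never talked to the secrets manager itself.
    """
    code = f"import os, sys; sys.stdout.write(os.environ.get({name!r}, ''))"
    result = subprocess.run(
        [sys.executable, "-c", code],
        env=env,
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


def audit_env(env):
    """Hypothetical defender-side check: list the credential-looking variables
    a job exposes, with values masked, so the exposure can be reviewed before
    a third-party tool is run in that environment."""
    return {
        name: f"{value[:4]}...({len(value)} chars)"
        for name, value in harvest(env).items()
    }


if __name__ == "__main__":
    for name, value in harvest(SAMPLE_ENV).items():
        print(f"harvested {name}={value}")
    print("child process saw:", child_can_read(SAMPLE_ENV, "AWS_SECRET_ACCESS_KEY"))
    print("audit:", audit_env(SAMPLE_ENV))
```

Running the block prints the three placeholder credentials from `harvest`, then the same AWS secret as observed by the child interpreter, which is the point: the scanner does not need to be the process that fetched the key, it only needs to run in the job that did. `audit_env` is the cheap check to run in a pipeline before any third-party tool executes, so that what a compromised tool could collect is at least known in advance.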