Trivy Supply Chain Compromise: Defender Guidance

Introduction

Microsoft has released new guidance on the March 2026 Trivy supply chain compromise, a significant attack against one of the most widely used open-source vulnerability scanners. For security and DevOps teams, this is a reminder that trusted CI/CD components can become an attack path when release pipelines, tags, or credentials are abused.

What happened

On March 19, 2026, attackers reportedly used previously retained access to compromise multiple official Trivy distribution channels:

• Malicious Trivy binary published: Trivy v0.69.4 was released with credential-stealing malware.
• GitHub Actions tags were force-pushed: Attackers reassigned trusted tags in trivy-action and setup-trivy to malicious commits.
• Stealthy execution: The malware harvested secrets, exfiltrated data, then ran the legitimate Trivy scan so workflows appeared successful.
• Broader campaign indicators: Microsoft says the activity has expanded beyond Trivy to include Checkmarx KICS and LiteLLM.

Why this attack is notable

Microsoft highlights two Git/GitHub behaviors that were abused:

• Mutable tags: Existing version tags can be repointed to different commits if an attacker has sufficient access.
• Spoofed commit identity: Threat actors used misleading commit identity information to blend in.

This made the compromise difficult to spot because many pipelines referenced actions by tag name, not pinned commit SHA.

What the malware targeted

According to Microsoft Defender for Cloud observations, the payload targeted:

• Cloud credentials from AWS, Azure, and GCP
• Kubernetes service-account tokens and cluster secrets
• CI/CD environment variables and internal runner files
• API keys, webhook URLs, database connection strings, VPN configs, and SSH logs

The stolen data was encrypted and exfiltrated to a typosquatted domain before the legitimate scan completed.

Impact on IT and security teams

For administrators, the biggest concern is exposure in self-hosted GitHub Actions runners, build agents, and developer environments that executed affected Trivy components. Organizations using tag-based action references or unverified release artifacts may need to assume secrets were exposed and rotate them accordingly.

Microsoft says Defender products can help detect related behaviors, including:

• Access to cloud metadata services
• Kubernetes secret enumeration
• Suspicious DNS or outbound connections
• Potential exfiltration using common tools like curl

Recommended next steps

• Identify use of Trivy v0.69.4, trivy-action, and setup-trivy in CI/CD workflows.
• Pin GitHub Actions to commit SHA instead of mutable tags.
• Rotate exposed secrets for cloud accounts, Kubernetes, databases, and CI/CD platforms.
• Review self-hosted runner activity for suspicious process execution, metadata service access, and outbound traffic.
• Use Microsoft Defender XDR and Defender for Cloud to hunt for indicators and investigate affected assets.

This incident shows how supply chain attacks are increasingly focused on developer tooling. Security teams should treat CI/CD infrastructure as high-value production infrastructure and harden it accordingly.