Trivy tag poisoning in CI/CD pipelines: what IAM teams missed


(@nhi-mgmt-group)

TL;DR: The Trivy supply chain attack used compromised credentials, mutable version tags, and incomplete rotation to publish malicious releases and persist across open-source automation, showing how CI/CD trust assumptions can be abused when identity controls lag behind release workflows, according to Aqua Security. Mutable tags and residual access turn repository automation into a credentialed attack surface, not just a software delivery problem.

NHIMG editorial — based on content published by Aqua Security covering the Trivy supply chain attack: ongoing investigation and continued remediation

By the numbers:

Questions worth separating out

Q: What breaks when CI/CD pipelines trust mutable version tags?

A: Mutable tags break the assumption that a release reference always points to the same code.

Q: Why do incomplete credential rotations keep supply chain incidents alive?

A: Incomplete rotation keeps incidents alive because one surviving token, bot account, or secret can preserve attacker access after the first response.

Q: How should teams govern service accounts that can publish software?

A: Teams should restrict service accounts that can publish software to the narrowest possible scope and separate them from workflow administration.

Practitioner guidance

  • Pin pipelines to immutable artifacts: Require commits, digests, or signed provenance instead of mutable version tags for every build and release dependency.
  • Revoke every residual access path: Treat containment as incomplete until every token, service account, workflow secret, and integration credential has been inventoried and invalidated.
  • Separate publish authority from workflow control: Limit bot accounts so they cannot both trigger releases and modify repository automation or workflow files.

What's in the full article

Aqua Security's full research covers the operational detail this post intentionally leaves for the source:

  • The full attack timeline with repository-level indicators of compromise and the sequence of tag poisoning events.
  • The detailed Trivy and trivy-action remediation guidance, including how to audit affected consumers of mutable tags.
  • The malicious release and workflow indicators that defenders can use to confirm exposure in their own environments.
  • The environment isolation notes that distinguish the open-source incident from Aqua's commercial platform.

👉 Read Aqua Security's analysis of the Trivy supply chain attack and tag poisoning →
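
One way to audit for the mutable-tag exposure described under "Practitioner guidance", as an added example that is not code from Aqua Security or from the original post: it flags GitHub Actions `uses:` references that are not pinned to a full commit SHA or an image digest. The sample workflow, its refs, and the function names are constructed for illustration.

```python
import re

# A step's "uses:" value, with or without the leading list dash; comments are excluded.
USES_RE = re.compile(r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*['\"]?([^'\"\s#]+)", re.MULTILINE)
FULL_SHA = re.compile(r"[0-9a-f]{40}")          # full commit SHA, the only immutable git ref
OCI_DIGEST = re.compile(r"sha256:[0-9a-f]{64}")  # content-addressed image digest

def classify(ref_spec):
    """Return 'local', 'pinned' or 'mutable' for one `uses:` value."""
    if ref_spec.startswith("./"):
        return "local"      # action lives in the same checkout, no remote ref involved
    target, _, ref = ref_spec.rpartition("@")
    if not target:          # no '@' at all, e.g. docker://image:tag
        return "mutable"
    if ref_spec.startswith("docker://"):
        return "pinned" if OCI_DIGEST.fullmatch(ref) else "mutable"
    # Tags, branches and abbreviated SHAs can all be re-pointed or are ambiguous.
    return "pinned" if FULL_SHA.fullmatch(ref) else "mutable"

def find_mutable_refs(workflow_text):
    """Return [(line_number, uses_value)] for every reference that can be re-pointed."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        spec = match.group(1)
        if classify(spec) == "mutable":
            line_no = workflow_text.count("\n", 0, match.start(1)) + 1
            findings.append((line_no, spec))
    return findings

# Constructed sample workflow; every ref below is illustrative, not a real release.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Scan image
        uses: aquasecurity/trivy-action@master
      - uses: example-org/some-action@v1
      - uses: ./.github/actions/report
      - uses: docker://ghcr.io/example/tool:1.2
"""

if __name__ == "__main__":
    for line_no, spec in find_mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {line_no}: mutable reference {spec}")
```

A SHA pin only fixes which commit runs; it does not show that the commit was trustworthy, so pair the check with review of the pinned revision or signed provenance.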
