TL;DR: The Trivy supply chain attack used compromised credentials, mutable version tags, and incomplete rotation to publish malicious releases and persist across open-source automation, showing how CI/CD trust assumptions can be abused when identity controls lag behind release workflows, according to Aqua Security. Mutable tags and residual access turn repository automation into a credentialed attack surface, not just a software delivery problem.
NHIMG editorial — based on content published by Aqua Security covering the Trivy supply chain attack: ongoing investigation and continued remediation
By the numbers:
- The attacker force-pushed 76 of 77 version tags in the aquasecurity/trivy-action repository.
- The malicious Trivy release was published between approximately 18:22 UTC and 21:42 UTC on March 19, 2026.
Questions worth separating out
Q: What breaks when CI/CD pipelines trust mutable version tags?
A: Mutable tags break the assumption that a release reference always points to the same code.
Q: Why do incomplete credential rotations keep supply chain incidents alive?
A: Incomplete rotation keeps incidents alive because one surviving token, bot account, or secret can preserve attacker access after the first response.
Q: How should teams govern service accounts that can publish software?
A: Teams should restrict service accounts that can publish software to the narrowest possible scope and separate them from workflow administration.
Practitioner guidance
- Pin pipelines to immutable artifacts Require commits, digests, or signed provenance instead of mutable version tags for every build and release dependency.
- Revoke every residual access path Treat containment as incomplete until every token, service account, workflow secret, and integration credential has been inventoried and invalidated.
- Separate publish authority from workflow control Limit bot accounts so they cannot both trigger releases and modify repository automation or workflow files.
What's in the full article
Aqua Security's full research covers the operational detail this post intentionally leaves for the source:
- The full attack timeline with repository-level indicators of compromise and the sequence of tag poisoning events.
- The detailed Trivy and trivy-action remediation guidance, including how to audit affected consumers of mutable tags.
- The malicious release and workflow indicators that defenders can use to confirm exposure in their own environments.
- The environment isolation notes that distinguish the open-source incident from Aqua's commercial platform.
👉 Read Aqua Security's analysis of the Trivy supply chain attack and tag poisoning →
Trivy tag poisoning in CI/CD pipelines: what IAM teams missed?
Explore further
Mutable release references are an identity problem, not just a DevOps convenience. This incident shows that version tags behave like credentials when pipelines trust them more than content integrity. Once an attacker can rewrite those references, the release system itself becomes a credentialed attack surface. The practitioner takeaway is that tag trust must be governed with the same discipline as any other privileged identity.
A few things that frame the scale:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online, revealing more than one million sensitive records including chat histories, backend credentials, and API keys.
A question worth separating out:
Q: Who is accountable when a release automation identity is abused?
A: Accountability sits with the teams that own the identity lifecycle, the release process, and the downstream systems that trust the artifacts. Security, platform engineering, and software owners all share responsibility for revocation, provenance, and consumer validation. If mutable references remain accepted, the governance gap is organizational as well as technical.
👉 Read our full editorial: Trivy supply chain attack exposes CI/CD tag poisoning risks