Aqua Security's Trivy, one of the most widely used vulnerability scanners, got hit with a supply chain attack on March 19, 2026. Attackers injected credential-harvesting malware into the v0.69.4 release binary. The malware ran silently alongside normal scans, scooping up API keys from environment variables and sending them to an attacker-controlled server. Nobody noticed. The scans passed. Teams saw zero vulnerabilities flagged while their credentials walked out the door.

The attack exploited mutable Git tags and self-declared commit identities, as Microsoft confirmed in its March 24 writeup. Both the trivy-action and setup-trivy GitHub Actions were compromised, meaning millions of CI/CD pipelines ran malicious code. The breach exposed a hard truth about secrets management: every major tool on the market, including HashiCorp Vault, AWS Secrets Manager, Doppler, and Infisical, protects your keys at rest but dumps them as plaintext environment variables at runtime. Once that plaintext key is in your environment, any tool can read it, including a compromised Trivy binary.

Rial_Labs, who analyzed the attack for VaultProof, argues that split-key architecture addresses this gap. VaultProof divides API keys into cryptographic shares distributed across separate storage locations, so the full key never exists in the CI/CD environment. When an API call is needed, a proxy reconstructs the key in memory for milliseconds, then zeroes it out. The underlying problem is real and growing. The North Korean-linked Sapphire Sleet used similar tactics in a concurrent npm package attack, confirming that supply chain credential harvesting is now a repeatable play in the threat actor playbook.
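The split-key layout described above, shown here as an added example in Python rather than VaultProof's own code: a k-of-n Shamir split over GF(2^8), so that no single store (and no environment variable) ever holds the key, plus the proxy-style reconstruct, use, zero step. The share stores, the threshold values and the `with_key` proxy function are assumptions for illustration.

```python
import secrets
# Shamir secret sharing over GF(2^8) with the AES polynomial; constructed demo of a split-key layout.
POLY = 0x11B

def gf_mul(a: int, b: int) -> int:
    """Carry-less multiply of two field elements, reduced modulo POLY."""
    p = 0
    while b:
        p ^= a if b & 1 else 0
        a = (a << 1) ^ (POLY if a & 0x80 else 0)
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    return next(i for i in range(1, 256) if gf_mul(a, i) == 1)  # brute force; only 256 elements

def split_key(key: bytes, k: int, n: int) -> dict:
    """Split key into n shares {x: bytes}; any k rebuild it, fewer reveal nothing."""
    shares = {x: bytearray() for x in range(1, n + 1)}
    for byte in key:
        # Per byte: a random degree k-1 polynomial whose constant term is the key byte.
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x, buf in shares.items():
            y, xp = 0, 1
            for c in coeffs:
                y ^= gf_mul(c, xp)
                xp = gf_mul(xp, x)
            buf.append(y)
    return {x: bytes(buf) for x, buf in shares.items()}

def reconstruct(shares: dict) -> bytearray:
    """Lagrange interpolation at x=0, byte by byte; returns a mutable buffer so it can be zeroed."""
    xs = list(shares)
    out = bytearray(len(next(iter(shares.values()))))
    for i in range(len(out)):
        for xj in xs:
            num = den = 1
            for xm in xs:
                if xm != xj:  # subtraction is XOR in GF(2^8)
                    num, den = gf_mul(num, xm), gf_mul(den, xm ^ xj)
            out[i] ^= gf_mul(shares[xj][i], gf_mul(num, gf_inv(den)))
    return out

def with_key(shares: dict, fn):
    """Proxy pattern: rebuild the key, hand the live buffer to fn, then overwrite it."""
    key = reconstruct(shares)
    try:
        return fn(key)  # fn must use the bytearray in place, never copy it to bytes
    finally:
        key[:] = bytes(len(key))  # zero the buffer once the call has completed
```

CPython cannot guarantee that no interpreter-internal copies of the buffer survive, so the zeroing step shows the intent; a production proxy would do this in a language with explicit memory control.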