Hackers have compromised just about all variations of Aqua Safety’s broadly used Trivy vulnerability scanner in an ongoing provide chain assault that might have wide-ranging penalties for builders and the organizations that use them.
Trivy maintainer Itay Shakury confirmed the compromise on Friday, following rumors and a thread, since deleted by the attackers, discussing the incident. The assault started within the early hours of Thursday. When it was carried out, the risk actor had used stolen credentials to force-push all however one of many trivy-action tags and 7 setup-trivy tags to make use of malicious dependencies.
Assume your pipelines are compromised
A compelled push is a git command that overrides a default security mechanism that protects towards overwriting present commits. Trivy is a vulnerability scanner that builders use to detect vulnerabilities and inadvertently hardcoded authentication secrets and techniques in pipelines for creating and deploying software program updates. The scanner has 33,200 stars on GitHub, a excessive ranking that signifies it’s used broadly.
“For those who suspect you had been working a compromised model, deal with all pipeline secrets and techniques as compromised and rotate instantly,” Shakury wrote.
Safety corporations Socket and Wiz mentioned that the malware, triggered in 75 compromised trivy-action tags, causes customized malware to totally scour improvement pipelines, together with developer machines, for GitHub tokens, cloud credentials, SSH keys, Kubernetes tokens, and no matter different secrets and techniques could dwell there. As soon as discovered, the malware encrypts the information and sends it to an attacker-controlled server.
The tip consequence, Socket mentioned, is that any CI/CD pipeline utilizing software program that references compromised model tags executes code as quickly because the Trivy scan is run. Spoofed model tags embody the broadly used @0.34.2, @0.33, and @0.18.0. Model @0.35.0 seems to be the one one unaffected.
