Open Source Security Tool Trivy Hit by Supply Chain Attack, Prompting Urgent Industry Response
Briefly

"The breach centered around a malicious release (v0.69.4) published on March 19, 2026, which contained code designed to exfiltrate sensitive data to an attacker-controlled domain."
"Security researchers noted that the attack leveraged compromised credentials and manipulated automated release processes, highlighting how trusted pipelines themselves can become attack vectors."
"Evidence suggests the attacker had prior access to repository credentials, enabling them to publish malicious artifacts and interfere with incident response efforts."
"This meant that organizations running automated pipelines could unknowingly install and execute the malicious version, underscoring the cascading impact of compromised developer tooling in modern software ecosystems."
A security incident involving the Trivy vulnerability scanner, in which a malicious release was published, exposed significant weaknesses in software supply chain security. The compromised version, published on March 19, 2026, was designed to exfiltrate sensitive data. Attackers used compromised credentials to publish this version through the project's normal distribution channels. The incident highlights how a trusted tool can itself become an attack vector, with potential impact on the automated pipelines and related tooling that consume it. In response, the maintainers removed the malicious release and revoked the compromised credentials.
Read at InfoQ