Trivy supply‑chain compromise stole plaintext API keys — and your secrets manager couldn’t stop it

What happened
On March 19, 2026, Aqua Security’s Trivy scanner was reportedly hit by a supply‑chain compromise that injected credential‑harvesting logic into the official v0.69.4 release binary. The malicious code ran alongside legitimate scans — results looked normal — while the payload quietly pulled secrets out of CI/CD environments. Both the trivy-action and setup-trivy GitHub Actions were targeted via mutable Git tags and self‑declared commit identity, and it has been reported that millions of pipelines may have executed the tainted code. Microsoft’s security blog and an Aqua advisory provided the initial public details; independent attribution remains limited.
Why your secrets manager didn’t help
Here’s the bitter truth: most secrets managers do exactly what they promise — they protect keys at rest — but they hand you a plaintext secret when your job runs. The Trivy payload reportedly simply read environment variables and exfiltrated API keys to a command‑and‑control server. If a credential exists as plaintext during runtime, a compromised tool can find it. No magic, no zero‑day in Trivy required — just a userland process that was granted the same runtime privileges as your scanner.
Can anything stop this class of attack?
Yes — but you have to change the threat model. VaultProof claims a split‑key architecture that never exposes the full API key in the runtime environment: keys are divided into cryptographic shares stored separately; a proxy reconstructs the key in memory only for milliseconds to perform the API call, then zeroes it. It has been reported that this approach would leave nothing useful for a scanner‑level exfiltrator to steal. Sounds neat. But caveat emptor: vendor claims deserve independent validation, and operational complexity and latency trade‑offs matter.
What to do next
Supply‑chain attacks are not a one‑off — think SolarWinds and the wave that followed — and this incident sharpens a simple lesson: if attackers can run code in your CI/CD, anything in plaintext is fair game. Short term: rotate exposed credentials, tighten action provenance (pin digests, avoid mutable tags), and monitor egress. Longer term: consider architectures that minimize or eliminate full plaintext keys in runtime — whether via ephemeral credentials, hardware-backed signing, or split‑key schemes — and demand third‑party audits before betting your pipeline’s trust on a single vendor claim.
Sources: vaultproof.dev, Hacker News