CVE-2026-33634 Overview
CVE-2026-33634 is a supply chain compromise of Trivy, a widely used vulnerability scanner in DevSecOps pipelines, and of its companion GitHub Actions. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of the 77 version tags in aquasecurity/trivy-action so that they pointed at credential-stealing code, and retarget all 7 tags in aquasecurity/setup-trivy to malicious commits. The incident continues a supply chain attack that began in late February 2026: the credential rotation performed after that first compromise was not atomic, and the attacker retained access during a rotation window that lasted several days.
Critical Impact
Any CI/CD pipeline that ran a compromised Trivy version or action exposed every credential and secret reachable from that run to the attacker. With those secrets, the attacker can push the compromise further into downstream software supply chains at scale.
Affected Products
- aquasec trivy version 0.69.4 (Go / Container image)
- aquasec trivy_action versions 0.0.1 – 0.34.2 (76 of the 77 version tags were retargeted)
- aquasec setup-trivy versions 0.2.0 – 0.2.6 (all 7 tags were retargeted; 0.2.6 was later recreated on a safe commit)
Discovery Timeline
- 2026-03-19 - Malicious Trivy v0.69.4 release published via compromised credentials
- 2026-03-23 - CVE-2026-33634 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33634
Vulnerability Analysis
This vulnerability is classified under CWE-506 (Embedded Malicious Code): it is a supply chain attack that delivered malicious code through trusted distribution channels, not a defect in Trivy's own code. The attacker exploited the credential rotation that followed an earlier incident in late February 2026. Because the rotation was not atomic (the old credentials were not all revoked at the moment the new ones were issued), a token that was still valid during the rotation window could be used to read the newly rotated secrets; that window lasted several days.
The code injected into the compromised components was designed to steal credentials and secrets accessible to the CI/CD pipeline that ran them. It was planted at three distribution points at once: the Trivy binary and container image, the trivy-action GitHub Action, and the setup-trivy GitHub Action. Hitting all three meant that an organization consuming any one of them was exposed, whichever way it installed Trivy.
Root Cause
The root cause was an incomplete credential rotation, not a code defect. After the initial disclosure on March 1, 2026, credentials were rotated, but not atomically: during the multi-day window a token that had not yet been revoked remained valid, and with it the attacker could exfiltrate the newly rotated secrets and stage the March 19 attack. Every credential the attacker may hold has to be revoked in one step, and replacements must only be issued once the old ones are dead; otherwise the incident response itself becomes the attacker's persistence mechanism.
Attack Vector
The attack vector is network-based: it targets development pipelines that pull and execute Trivy components from GitHub and container registries at run time. Organizations that referenced mutable version tags rather than immutable commit SHAs picked up the force-pushed malicious commits automatically on their next workflow run, with no change on their side.
The malicious code exfiltrated credentials through more than one channel. As a fallback when the primary channel failed, it created a repository named tpcp-docs in the victim's GitHub organization. A tpcp-docs repository is therefore evidence that exfiltration completed; every secret the run could reach must be treated as fully compromised.
Detection Methods for CVE-2026-33634
Indicators of Compromise
- Presence of repositories named tpcp-docs in GitHub organizations indicates successful secret exfiltration
- Execution of Trivy version 0.69.4 from any source (container registries, Go modules, release downloads)
- Workflow runs using aquasecurity/trivy-action or aquasecurity/setup-trivy between March 19–20, 2026 with mutable version tags
- Unexpected outbound network connections from CI/CD runners during Trivy execution
Detection Strategies
- Review every workflow run from March 19–20, 2026 in pipelines that use the affected GitHub Actions, and note which secrets each run could read
- Search every repository in the organization for one named tpcp-docs; its presence means the fallback exfiltration path was triggered
- Audit container image pulls, Go module downloads and release downloads for Trivy v0.69.4
- Record the commit SHA that each consumed GitHub Action tag resolves to and alert when a tag later points at a different commit; file integrity monitoring on the runner cannot see a retargeted tag until the action has already been fetched and run
Monitoring Recommendations
- Enable comprehensive logging for all CI/CD pipeline executions with particular attention to secret access patterns
- Monitor for creation of unexpected repositories in GitHub organizations
- Implement alerting on GitHub Action version tag changes that don't correlate with expected releases
- Track network egress from CI/CD environments for unusual destinations or data transfer volumes
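The tag-change alerting recommended above can be implemented as a small script. The following is an added example, not code from the Trivy project or from the advisory: it parses git ls-remote --tags output, compares it with a snapshot recorded on a known-good day, and reports every existing tag that now resolves to a different commit. The tag names and SHAs in the two snapshots are constructed sample data, and the ^{} handling covers annotated tags, whose peeled commit is what a workflow actually runs.

```python
# Added example (not code from the Trivy project or the advisory): detect
# retargeted GitHub Action tags by diffing a recorded baseline against fresh
# `git ls-remote --tags` output. All tag names and SHAs below are constructed.
import re
from typing import Dict, List, Tuple

# `git ls-remote --tags <repo>` prints "<sha>\trefs/tags/<tag>" per line. An
# annotated tag is printed twice, the second time as "<tag>^{}" carrying the
# peeled commit SHA.
_LS_REMOTE_LINE = re.compile(r"^([0-9a-f]{40})\s+refs/tags/(\S+?)(\^\{\})?$")


def parse_ls_remote(output: str) -> Dict[str, str]:
    """Map tag name -> commit SHA. For annotated tags the peeled commit wins,
    because that is the commit a workflow actually checks out."""
    tag_objects: Dict[str, str] = {}
    peeled: Dict[str, str] = {}
    for line in output.splitlines():
        m = _LS_REMOTE_LINE.match(line.strip())
        if not m:
            continue
        sha, tag, is_peeled = m.groups()
        (peeled if is_peeled else tag_objects)[tag] = sha
    return {tag: peeled.get(tag, sha) for tag, sha in tag_objects.items()}


def find_moved_tags(baseline: Dict[str, str],
                    current: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (tag, baseline_sha, current_sha) for every baseline tag that now
    resolves to a different commit or no longer exists. Tags present only in
    `current` are new releases and are not reported; a published release tag
    must never move, so every hit deserves an alert."""
    moved = []
    for tag, old_sha in sorted(baseline.items()):
        new_sha = current.get(tag, "<deleted>")
        if new_sha != old_sha:
            moved.append((tag, old_sha, new_sha))
    return moved


def alerts(baseline_output: str, current_output: str) -> List[str]:
    """One alert line per moved tag, ready for a ticket or a SIEM event."""
    moved = find_moved_tags(parse_ls_remote(baseline_output),
                            parse_ls_remote(current_output))
    return [f"ALERT: tag {tag} moved {old} -> {new}" for tag, old, new in moved]


# Constructed placeholder SHAs (40 hex characters each), not real commits.
SHA_A, SHA_B, SHA_C = "1" * 40, "2" * 40, "3" * 40
SHA_TAGOBJ, SHA_PEELED = "4" * 40, "5" * 40
SHA_EVIL = "bad" * 13 + "1"

# Constructed baseline as recorded on a known-good day (lightweight tags).
BASELINE_LS_REMOTE = (
    f"{SHA_A}\trefs/tags/v0.34.1\n"
    f"{SHA_B}\trefs/tags/v0.34.2\n"
    f"{SHA_C}\trefs/tags/v0.0.1\n"
)

# Constructed later snapshot: v0.34.2 and v0.0.1 now resolve to one new
# commit, v0.34.1 is unchanged, and v0.35.0 is a new annotated tag.
CURRENT_LS_REMOTE = (
    f"{SHA_A}\trefs/tags/v0.34.1\n"
    f"{SHA_EVIL}\trefs/tags/v0.34.2\n"
    f"{SHA_EVIL}\trefs/tags/v0.0.1\n"
    f"{SHA_TAGOBJ}\trefs/tags/v0.35.0\n"
    f"{SHA_PEELED}\trefs/tags/v0.35.0^{{}}\n"
)

if __name__ == "__main__":
    for line in alerts(BASELINE_LS_REMOTE, CURRENT_LS_REMOTE):
        print(line)
```

In production the baseline would be the ls-remote output saved in version control or a secrets-free store on a known-good day, and the current snapshot would be fetched on a schedule; deleted tags are reported as well, because removing a tag is another way to make a workflow silently change what it runs.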
How to Mitigate CVE-2026-33634
Immediate Actions Required
- Rotate all secrets accessible to affected pipelines immediately if any compromised version ran in your environment
- Remove any affected artifacts (Trivy v0.69.4, compromised action versions) from your environment
- Review all workflows that use aquasecurity/trivy-action or aquasecurity/setup-trivy and determine which commit each reference resolved to during the incident window
- Pin all GitHub Actions to full, immutable commit SHA hashes instead of mutable version tags
Patch Information
Known safe versions that should be used as replacements include:
- Trivy binary: Versions 0.69.2 and 0.69.3
- trivy-action: Version 0.35.0
- setup-trivy: Version 0.2.6 (recreated with safe commit)
For detailed remediation guidance, refer to the GitHub Security Advisory for GHSA-69fq-xp46-6x23 and the Trivy Discussions. Additional context on detection and defense is available in the Microsoft Security Blog.
Workarounds
- Pin all GitHub Actions to full 40-character commit SHAs (e.g., uses: aquasecurity/trivy-action@<full commit SHA> # v0.35.0) instead of version tags, keeping the version in a trailing comment so update tooling can still track it. Pinning the action only protects against retargeted tags: if the action itself downloads a Trivy binary at a floating version, pin that version too (and never to 0.69.4)
- Enforce the pin with tooling: Dependabot keeps SHA-pinned actions up to date and preserves the version comment, and Renovate can convert tag references to digests (its helpers:pinGitHubActionDigests preset)
- Consider self-hosting critical security tools (a mirrored fork of the action and a vendored scanner binary) rather than fetching them from external repositories at run time
- Restrict network egress from CI/CD runners to an allow-list so that an implanted exfiltration routine has nowhere to send stolen secrets
- Enable secret scanning so that credentials committed to repositories are flagged; it does not detect secrets that already left the pipeline, so rotation remains mandatory
# Example: pin a GitHub Action to an immutable commit SHA instead of a version tag
# UNSAFE (mutable tag; this is the kind of reference the force-push retargeted):
#   uses: aquasecurity/trivy-action@v0.34.2
# SAFE (immutable SHA; resolve it from the official repository and keep the
# version in a comment so update tooling can still track it):
#   uses: aquasecurity/trivy-action@<full-40-character-commit-sha> # v0.35.0
# Resolve the commit for the safe tag before pinning. An annotated tag prints two
# lines: refs/tags/v0.35.0 is the tag object and refs/tags/v0.35.0^{} is the
# commit it points at; pin the commit, and compare it with the SHA shown on the
# GitHub release page before trusting it.
git ls-remote --tags https://github.com/aquasecurity/trivy-action.git | grep 'refs/tags/v0.35.0'
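To audit the workflows named in the immediate actions and workarounds above at scale, the following added example (not code from the Trivy project or the advisory) scans a workflow file for uses: references, reports which are pinned to a full commit SHA, and marks any tag- or branch-based reference to aquasecurity/trivy-action or aquasecurity/setup-trivy as critical, since those tags were retargeted. The workflow text is constructed sample input, and the 40-character SHA in it is a placeholder, not a real trivy-action commit.

```python
# Added example (not code from the Trivy project or the advisory): audit GitHub
# workflow files for `uses:` references that are not pinned to a full commit
# SHA, and flag references to the two action repositories whose tags were
# retargeted in this incident. The workflow below is constructed sample input.
import re
from typing import Dict, List

# Repositories whose tags were force-pushed: 76 of 77 trivy-action tags and
# all 7 setup-trivy tags. A tag-based reference to either cannot be trusted.
RETARGETED_REPOS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

# Matches "uses: owner/repo@ref" (optionally as a "- uses:" list item, with or
# without quotes). Local "./path" actions carry no "@ref" and never match.
_USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"@#]+)@([^\s'"#]+)""")
_FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str) -> str:
    """A full 40-hex SHA is immutable. Anything else can be moved by whoever
    controls the repository (a tag or branch) or is an abbreviated SHA."""
    if _FULL_SHA.match(ref):
        return "sha-pinned"
    if re.match(r"^v?\d+(\.\d+)*$", ref):
        return "tag"
    return "branch-or-other"


def audit_workflow(text: str) -> List[Dict[str, str]]:
    """One finding per `uses:` line with an @ref. docker:// images are skipped
    because they have no GitHub tag to retarget."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _USES_LINE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        if action.startswith("docker://"):
            continue
        repo = "/".join(action.split("/")[:2])  # owner/repo; drop a subdirectory
        status = classify_ref(ref)
        if status == "sha-pinned":
            severity = "ok"
        elif repo in RETARGETED_REPOS:
            severity = "critical"  # the tag may now point at the malicious commit
        else:
            severity = "warn"
        findings.append({"line": str(lineno), "repo": repo, "ref": ref,
                         "status": status, "severity": severity})
    return findings


def needs_rotation(findings: List[Dict[str, str]]) -> bool:
    """A single critical finding means the pipeline may have run the malicious
    action, so every secret the pipeline could read must be rotated."""
    return any(f["severity"] == "critical" for f in findings)


PLACEHOLDER_SHA = "1" * 40  # constructed, not a real trivy-action commit

SAMPLE_WORKFLOW = f"""\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.3
      - name: Scan the repository
        uses: aquasecurity/trivy-action@0.34.2
      - uses: aquasecurity/trivy-action@{PLACEHOLDER_SHA} # v0.35.0
      - uses: ./.github/actions/local-helper
      - uses: some-org/some-action@main
"""

if __name__ == "__main__":
    results = audit_workflow(SAMPLE_WORKFLOW)
    for f in results:
        print(f"line {f['line']:>3} {f['severity']:8} {f['status']:16} {f['repo']}@{f['ref']}")
    print("rotate secrets:", needs_rotation(results))
```

Run it over every file under .github/workflows in each repository; a critical finding is the cue to rotate the secrets that pipeline could read, and a warn finding is an ordinary pinning-policy violation to fix before the next incident.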
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

