A recent compromise of Aqua Security’s Trivy ecosystem provides a clear example of how CI/CD pipelines can be leveraged as an attack surface. Rather than targeting application code or infrastructure directly, the attacker operated within a trusted execution path, enabling credential access and exfiltration without disrupting normal pipeline behavior.
This incident reflects a broader shift toward supply chain attacks that exploit trust relationships in modern development workflows.
Initial Access and Manipulation of Trust
The attacker gained access to Trivy’s release and distribution mechanisms, including its GitHub Actions integrations such as trivy-action and setup-trivy. Instead of introducing new malicious versions, they modified existing version tags to point to attacker-controlled code. This detail is significant. CI/CD pipelines commonly reference version tags under the assumption that they are stable. By force-updating more than 75 tags, the attacker effectively replaced trusted code in place, without requiring any change in pipeline configuration.
In parallel, a compromised Trivy release (v0.69.4) was distributed through official channels, further reinforcing trust in the malicious artifacts.
Execution and Credential Access
The injected payload executed as part of the normal pipeline flow, prior to the legitimate scan. Its primary objective was to access and exfiltrate sensitive data from the CI runtime. The behavior focused on collecting credentials and tokens commonly available in CI environments, including cloud provider credentials, Kubernetes tokens, SSH keys, and other secrets exposed through environment variables or configuration files.
To achieve this, the payload read both memory and filesystem paths within the runner, including direct access to process memory (e.g., `/proc/<pid>/mem`) to extract secrets that are not exposed through standard environment variables, then aggregated this data and transmitted it externally. Importantly, the pipeline execution completed successfully, with no visible errors or failures. This allowed the attack to operate without raising suspicion, even in environments with monitoring in place.
Observations on Attack Design
Three aspects of this attack are notable from a defensive perspective.
- The attacker leveraged mutable version tags as a control point. This bypasses a widely held assumption in CI/CD workflows that version references are inherently trustworthy.
- The attack operated entirely within the expected execution path of a legitimate tool. There was no need to introduce foreign binaries or trigger obvious anomalies in pipeline structure.
- The payload prioritized stealth over disruption. By allowing pipelines to succeed, it avoided triggering failure-based alerts and reduced the likelihood of investigation.
Implications for Detection
This type of attack challenges conventional security approaches. During this attack there were no vulnerable dependencies, no malicious commits in the application codebase, and no misconfigurations in the target environment. As a result, the attack falls into a blind spot for many traditional tools: it does not introduce externally identifiable malicious artifacts, does not modify application code, and executes through trusted pipeline configurations that were themselves compromised.
The only observable indicators were behavioral. These include unexpected access to secrets during a scan, deviations in process activity, and outbound network communication that does not align with the expected behavior of the scanning tool. Detecting these signals requires visibility into runtime activity rather than reliance on pre-execution analysis.
Observed Indicators of Compromise
The Trivy supply chain incident produced a consistent set of observable behavioral indicators.
Outbound network connections were established to two specific attacker-controlled endpoints. The first was scan.aquasecurtiy.org, a typosquatted domain deliberately misspelling "aquasecurity," resolving to an IP address in Amsterdam. The second was plug-tab-protective-relay.trycloudflare.com, a Cloudflare Tunnel endpoint used for command-and-control and data exfiltration.
The malicious payload prepended approximately 105 lines of attack logic to the legitimate entrypoint.sh script, ensuring it executed before the actual Trivy scan ran. The legitimate scan was then allowed to complete normally to avoid raising suspicion in pipeline output.
Within the GitHub Actions runner environment, the malware accessed /proc/<pid>/mem to read the memory of the Runner.Worker process, targeting secrets stored in a specific JSON pattern. It also enumerated /proc/*/environ across all running processes to harvest environment variables directly from the runner.
Credential types confirmed as targets across multiple independent analyses include the GITHUB_TOKEN, AWS, GCP, and Azure cloud credentials, Kubernetes service account tokens and kubeconfig files, and SSH private keys. The GITHUB_TOKEN was also used as an exfiltration channel by staging stolen data in a newly created repository inside the victim's own GitHub account.
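As an added illustration (not code from the original post or from Sweet Security), the following Python sketch applies the behavioral signals from the Implications for Detection and Observed Indicators sections to constructed runner events: reads of another process's /proc/<pid>/mem or /proc/<pid>/environ, and scanner egress to a Cloudflare Tunnel host or a typosquat of the vendor's domain. The event tuple format, the expected-host allow-list and the sample events are assumptions made for the example.

```python
"""Behavioral detection over constructed CI runner events (added example)."""
import re
# Hosts the scanner is expected to reach. Constructed for this example:
# build the real allow-list from your own pipeline's observed baseline.
EXPECTED_HOSTS = {"ghcr.io", "mirror.gcr.io", "github.com", "api.github.com"}
TRUSTED_DOMAIN = "aquasecurity.org"
TUNNEL_SUFFIX = ".trycloudflare.com"
PROCFS_SECRET_PATH = re.compile(r"^/proc/(\d+)/(mem|environ)$")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats of the trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(host: str) -> bool:
    """True if the host's last two labels are a near miss of TRUSTED_DOMAIN."""
    base = ".".join(host.split(".")[-2:])
    return base != TRUSTED_DOMAIN and edit_distance(base, TRUSTED_DOMAIN) <= 2

def analyze(events):
    """events: (pid, kind, target) with kind "open" (path) or "connect" (host).
    Returns (rule, pid, target) findings for the behaviours described above."""
    findings = []
    for pid, kind, target in events:
        if kind == "open":
            m = PROCFS_SECRET_PATH.match(target)
            if m and m.group(1) != str(pid):   # another process's memory or env
                findings.append(("procfs_secret_read", pid, target))
        elif kind == "connect" and target not in EXPECTED_HOSTS:
            if target.endswith(TUNNEL_SUFFIX):
                findings.append(("tunnel_egress", pid, target))
            elif is_lookalike(target):
                findings.append(("lookalike_egress", pid, target))
            else:
                findings.append(("unexpected_egress", pid, target))
    return findings
# Constructed sample events modelled on the behaviour described in the post.
SAMPLE_EVENTS = [
    (4101, "open", "/proc/4101/environ"),      # scanner reads its own env: benign
    (4101, "connect", "ghcr.io"),              # expected vulnerability DB download
    (4102, "open", "/proc/3988/mem"),          # Runner.Worker process memory
    (4102, "open", "/proc/4050/environ"),      # another process's environment
    (4102, "connect", "scan.aquasecurtiy.org"),
    (4102, "connect", "plug-tab-protective-relay.trycloudflare.com"),
]
```

Running `analyze(SAMPLE_EVENTS)` flags only the four malicious events; the scanner's own environment read and its expected egress produce no findings.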
Immediate Mitigation Considerations
Organizations using Trivy during the affected timeframe should consider the possibility of credential exposure.
Recommended actions include rotating all CI/CD secrets, reviewing pipeline executions around March 19–20, and investigating any anomalous outbound traffic or access patterns. Moving forward, teams should eliminate reliance on mutable version tags and instead pin dependencies and actions to immutable commit SHAs. More broadly, this incident highlights the need to treat CI/CD environments as sensitive runtime environments, rather than purely operational tooling.
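To make the pinning recommendation concrete, here is an added example (not from the original post or from the Trivy project) that audits a workflow's `uses:` references and rejects any that are not pinned to a full commit SHA; the workflow fragments, version numbers and the placeholder SHAs in the corrected version are constructed for the example.

```python
"""Audit GitHub Actions workflow text for mutable action references (added example)."""
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")   # `uses: owner/repo@ref`
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")        # immutable commit SHA

def audit_workflow(yaml_text: str):
    """Classify every `uses:` reference as pinned_sha, mutable_tag, unpinned
    or local (actions shipped in the repo itself, which need no pin)."""
    results = []
    for line_no, line in enumerate(yaml_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            results.append((line_no, ref, "local"))
            continue
        _, _, version = ref.partition("@")
        if not version:
            status = "unpinned"
        elif FULL_SHA_RE.match(version):
            status = "pinned_sha"
        else:
            status = "mutable_tag"     # tag or branch: can be force-moved
        results.append((line_no, ref, status))
    return results

def unpinned_refs(yaml_text: str):
    """The references a reviewer should reject before merging the workflow."""
    return [r for r in audit_workflow(yaml_text) if r[2] in ("mutable_tag", "unpinned")]

# Constructed workflow fragments. Versions are illustrative; the SHAs in AFTER are
# placeholders standing in for the real commit SHAs you would look up and verify.
BEFORE = """\
steps:
  - uses: actions/checkout@v4
  - name: Run Trivy
    uses: aquasecurity/trivy-action@0.28.0
"""
PLACEHOLDER_SHA_CHECKOUT, PLACEHOLDER_SHA_TRIVY = "0" * 40, "1" * 40
AFTER = f"""\
steps:
  - uses: actions/checkout@{PLACEHOLDER_SHA_CHECKOUT}  # v4
  - name: Run Trivy
    uses: aquasecurity/trivy-action@{PLACEHOLDER_SHA_TRIVY}  # 0.28.0
"""
```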
Perspective
The Trivy incident illustrates a growing category of attacks that operate within trusted systems rather than against them. From a defensive standpoint, the key challenge is not identifying known bad artifacts, but understanding when legitimate tools behave in unexpected ways. That shift places increased importance on runtime context, particularly in environments like CI/CD pipelines where access to secrets and infrastructure is concentrated.
Security approaches that incorporate intelligent behavioral analysis and can respond to deviations during execution are better positioned to address this class of threat.
How Sweet Security Can Help
The Trivy incident highlights a critical gap in modern cloud security: most tools can observe or alert on suspicious behavior, but very few can actively remediate it while it is happening.
Attacks like this unfold entirely at runtime, inside trusted workflows. By the time a finding is surfaced in logs or alerts, credentials may already be exposed. Closing this gap requires the ability to both understand behavior and intervene immediately.
Sweet Security focuses on enabling that shift:
- Runtime visibility with execution context: observe how workloads behave during execution, including process activity, secret access, and network communication. This provides the context needed to identify when trusted tools are being abused.
- Model-driven behavioral detection: rather than relying on static rules or signatures, Sweet uses a learning-based approach to understand normal behavior and detect deviations. This enables identification of novel attack patterns, such as a scanner accessing unrelated secrets or initiating unexpected outbound communication.
- Real-time remediation during execution: when abnormal behavior is detected, Sweet enables immediate action during runtime, helping stop malicious activity before it can fully execute or exfiltrate sensitive data.
- Runtime-aware credential access detection: identify when workloads access sensitive credentials in unexpected ways, enabling faster response to potential misuse.
- Execution-based investigation context: provide clear visibility into what actually ran and what it accessed, helping teams investigate incidents and make more informed remediation decisions.
Together, these capabilities help organizations move from passive detection to active defense, particularly in scenarios where attacks operate within trusted systems and unfold during runtime.
Conclusion
The Trivy compromise demonstrates how supply chain attacks are evolving toward abuse of trust and execution context. By operating within legitimate workflows, attackers can bypass traditional controls and access high-value targets with minimal resistance. As CI/CD pipelines continue to centralize access to infrastructure and secrets, they will remain a critical focal point for both attackers and defenders.
Detection alone, however, is not sufficient in these scenarios. Because the attack unfolds during execution, the ability to respond in real time becomes critical as well. Security teams need mechanisms to interrupt suspicious activity, limit credential exposure, and contain impact while the pipeline is still running. Organizations that adapt their detection and response strategies to include runtime behavior will be better equipped to identify and contain these threats.
If you’d like to better understand your exposure or evaluate your ability to detect and respond to runtime threats in CI/CD, schedule a security consultation with Sweet Security.