Critical · CISA KEV · Exploited in the wild · Public exploit

Trivy supply chain compromise via malicious release and retagged GitHub Actions

Identifiers: CVE-2026-33634 · CWE-506 (Embedded Malicious Code) · Also known as: ghsa_69fq_xp46_6x23

CVE-2026-33634 tracks a software supply chain compromise affecting Aqua Security's Trivy distribution infrastructure. On 2026-03-19, a threat actor using compromised credentials published a malicious Trivy v0.69.4 release and force-pushed 76 of 77 version tags in aquasecurity/trivy-action plus all 7 tags in aquasecurity/setup-trivy to attacker-controlled commits containing credential-stealing malware. The incident was described as a continuation of an earlier compromise from late February 2026, where incomplete, non-atomic credential rotation may have allowed the attacker to retain access. The malicious artifacts abused trust in official release channels and mutable GitHub Action tags so that workflows resolving tags rather than immutable commit SHAs could execute attacker code. Affected components include the aquasecurity/trivy Go binary and container image version 0.69.4, aquasecurity/trivy-action versions 0.0.1 through 0.34.2, and aquasecurity/setup-trivy versions 0.2.0 through 0.2.6 prior to recreation of 0.2.6 with a safe commit.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation results in execution of attacker-controlled code in CI/CD and developer environments that consume the compromised Trivy release or GitHub Actions tags. The payload was reported to steal secrets accessible to affected pipelines, including GitHub tokens, SSH keys, cloud credentials, Kubernetes secrets, environment variables, and other sensitive material. Because the compromise occurred in trusted upstream artifacts and action tags, downstream organizations could unknowingly expose build secrets and enable follow-on intrusions into source repositories, cloud environments, and adjacent software supply chains. Public reporting indicates real-world downstream impact, including theft of credentials and compromise of victim build infrastructure.

Mitigation

If you can’t patch tonight, do this now.

Pin GitHub Actions to full, immutable commit SHA hashes rather than mutable version tags. Audit GitHub organizations and workflow logs for indicators of compromise, including repositories named tpcp-docs, which may indicate fallback exfiltration. Limit secret exposure in CI/CD runners, reduce token scope, and ensure future credential rotations are atomic so old and new credentials cannot overlap. Monitor for unauthorized artifact pulls or executions of Trivy v0.69.4 and for suspicious activity in repositories that consumed affected tags during the exposure window.

Remediation

Patch, then assume compromise.

Upgrade or revert to known safe versions identified in the advisory: Trivy binary/container image 0.69.2 or 0.69.3, aquasecurity/trivy-action 0.35.0, and aquasecurity/setup-trivy 0.2.6 only after its safe recreation. Remove any affected artifacts immediately and verify whether Trivy v0.69.4 was pulled or executed from any source. Review workflows using aquasecurity/trivy-action or aquasecurity/setup-trivy, especially runs from 2026-03-19 through 2026-03-20 if version tags rather than full commit SHAs were referenced. If compromised versions may have run, treat all secrets accessible to those pipelines as exposed and rotate them immediately.
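The mitigation and remediation sections above both come down to one audit: find every workflow step that references aquasecurity/trivy-action or aquasecurity/setup-trivy by a mutable tag instead of a full commit SHA, and find any step that requests the malicious Trivy v0.69.4 release. The following is an added example written for this page, not code from Mallory or Aqua Security; the workflow text is constructed, and the 40-zero SHA stands in for a real safe commit, which this page does not give.

```python
import re

# Actions named in the advisory. Any reference to them that is not a full
# 40-hex commit SHA resolves through a mutable tag and is flagged.
AFFECTED_ACTIONS = ("aquasecurity/trivy-action", "aquasecurity/setup-trivy")
MALICIOUS_TRIVY_VERSION = "0.69.4"   # the release the advisory names as malicious

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
VERSION_RE = re.compile(r"^\s*version:\s*['\"]?v?(\d+\.\d+\.\d+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Scan one workflow file's text; return a list of (line_no, kind, value)."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            uses = m.group(1)
            action, _, ref = uses.partition("@")
            # A sub-path like owner/repo/dir@ref still resolves through the same repo.
            if action.startswith(AFFECTED_ACTIONS) and not SHA_RE.match(ref):
                findings.append((no, "unpinned-tag", uses))
            continue
        m = VERSION_RE.match(line)
        if m and m.group(1) == MALICIOUS_TRIVY_VERSION:
            findings.append((no, "malicious-version", m.group(1)))
    return findings


# Constructed sample workflow: two tag references in the affected ranges,
# one explicit request for v0.69.4, and one SHA-pinned step (placeholder SHA).
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Trivy
        uses: aquasecurity/setup-trivy@v0.2.6
        with:
          version: v0.69.4
      - name: Scan image
        uses: aquasecurity/trivy-action@0.34.2
        with:
          image-ref: example/app:latest
      - name: Pinned scan (safe form)
        uses: aquasecurity/trivy-action@0000000000000000000000000000000000000000  # placeholder SHA
"""

if __name__ == "__main__":
    for line_no, kind, value in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {kind}: {value}")
```

Run it over every file under .github/workflows in each repository; a hit on an unpinned tag during the 2026-03-19 to 2026-03-20 window is the trigger for the secret rotation described above.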
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 4 candidates as fakes, detection scripts, or README-only repos.

Valid: 0 / 4 total

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor    Product        Type
Aquasec   Setup-Trivy    application
Aquasec   Trivy          application
Aquasec   Trivy Action   application
Litellm   Litellm        application
Telnyx    Telnyx         application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

92 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

handlers diary full · News
Apr 27, 2026
TeamPCP Supply Chain Campaign: Update 008 - 26-Day Pause Ends with Three Concurrent Compromises (Checkmarx KICS, Bitwarden CLI Cascade, xinference PyPI), CanisterSprawl npm Worm Identified, and Tier 1 Coverage Returns

A specific vulnerability tracked in CISA KEV and associated in this reporting with the broader TeamPCP campaign context; the content does not describe the technical flaw itself.

halcyon attacks lookout · News
Apr 17, 2026
Trivy Supply Chain Compromise Enters Extortion Phase as Vect Ransomware Publishes First Victim

A supply chain compromise of Aqua Security's Trivy distribution infrastructure in which malicious code and weaponized binaries were pushed across official Trivy delivery channels, enabling theft of CI/CD secrets and downstream compromise at scale.
