Hackers have compromised nearly all variations of Aqua Safety’s broadly used Trivy vulnerability scanner in an ongoing provide chain assault that might have wide-ranging penalties for builders and the organizations that use them.
Trivy maintainer Itay Shakury confirmed the compromise on Friday, following rumors and a thread, since deleted by the attackers, discussing the incident. The assault started within the early hours of Thursday. When it was completed, the risk actor had used stolen credentials to force-push all however one of many trivy-action tags and 7 setup-trivy tags to make use of malicious dependencies.
Assume your pipelines are compromised
A compelled push is a git command that overrides a default security mechanism that protects in opposition to overwriting current commits. Trivy is a vulnerability scanner that builders use to detect vulnerabilities and inadvertently hardcoded authentication secrets and techniques in pipelines for creating and deploying software program updates. The scanner has 33,200 stars on GitHub, a excessive score that signifies it’s used broadly.
“In the event you suspect you have been working a compromised model, deal with all pipeline secrets and techniques as compromised and rotate instantly,” Shakury wrote.
Safety companies Socket and Wiz stated that the malware, triggered in 75 compromised trivy-action tags, causes customized malware to completely scour improvement pipelines, together with developer machines, for GitHub tokens, cloud credentials, SSH keys, Kubernetes tokens, and no matter different secrets and techniques might reside there. As soon as discovered, the malware encrypts the info and sends it to an attacker-controlled server.
The tip outcome, Socket stated, is that any CI/CD pipeline utilizing software program that references compromised model tags executes code as quickly because the Trivy scan is run. Spoofed model tags embrace the broadly used @0.34.2, @0.33, and @0.18.0. Model @0.35.0 seems to be the one one unaffected.
