{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability to use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-33634",
        "tracking": {
            "current_release_date": "2026-03-31T16:56:43.429481Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-33634",
            "initial_release_date": "2026-03-24T20:41:36.433633Z",
            "revision_history": [
                {
                    "date": "2026-03-24T20:41:36.433633Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-24T20:41:38.711569Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-24T20:41:56.301635Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (3).| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-24T20:42:16.627977Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-24T20:50:54.721743Z",
                    "number": "5",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-24T21:37:20.164477Z",
                    "number": "6",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-25T01:00:03.176952Z",
                    "number": "7",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-03-25T01:00:07.238600Z",
                    "number": "8",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-25T04:39:31.653852Z",
                    "number": "9",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-25T09:58:27.229279Z",
                    "number": "10",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-25T12:31:31.551892Z",
                    "number": "11",
                    "summary": "Source created.| CVE status created. (valid)| News created (1)."
                },
                {
                    "date": "2026-03-25T12:31:35.509570Z",
                    "number": "12",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-25T13:15:45.432109Z",
                    "number": "13",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-25T13:18:18.523941Z",
                    "number": "14",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-25T13:39:02.529352Z",
                    "number": "15",
                    "summary": "Exploits created (1)."
                },
                {
                    "date": "2026-03-25T13:39:06.784619Z",
                    "number": "16",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-25T14:25:30.863484Z",
                    "number": "17",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-25T14:25:33.012842Z",
                    "number": "18",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-25T15:27:19.485273Z",
                    "number": "19",
                    "summary": "References created (6)."
                },
                {
                    "date": "2026-03-25T15:39:54.422961Z",
                    "number": "20",
                    "summary": "Products created (1).| References created (6)."
                },
                {
                    "date": "2026-03-25T15:39:56.912401Z",
                    "number": "21",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-25T18:12:52.015386Z",
                    "number": "22",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| Product Identifiers created (1).| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-26T17:44:57.780458Z",
                    "number": "23",
                    "summary": "Source connected.| CVE status created. (valid)| Description created for source.| Products created (1).| Exploits created (1).| References created (1).| CWES updated (1)."
                },
                {
                    "date": "2026-03-26T17:45:04.055194Z",
                    "number": "24",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-26T18:25:16.509322Z",
                    "number": "25",
                    "summary": "References created (3)."
                },
                {
                    "date": "2026-03-26T18:38:45.704207Z",
                    "number": "26",
                    "summary": "References created (3).| Unknown change."
                },
                {
                    "date": "2026-03-26T20:39:01.860373Z",
                    "number": "27",
                    "summary": "Products connected (1).| Products removed (1)."
                },
                {
                    "date": "2026-03-26T20:39:05.245471Z",
                    "number": "28",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-26T21:24:57.538654Z",
                    "number": "29",
                    "summary": "CVSS created.| Products created (5).| Product Identifiers created (5).| Exploits created (2)."
                },
                {
                    "date": "2026-03-26T21:25:00.553274Z",
                    "number": "30",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-27T00:38:43.432080Z",
                    "number": "31",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-27T01:24:43.274040Z",
                    "number": "32",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-27T20:56:39.025514Z",
                    "number": "33",
                    "summary": "EPSS updated."
                },
                {
                    "date": "2026-03-27T20:56:43.724523Z",
                    "number": "34",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-28T07:38:00.997120Z",
                    "number": "35",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-28T07:57:46.405684Z",
                    "number": "36",
                    "summary": "Description removed for source.| Description created for source.| References created (11)."
                },
                {
                    "date": "2026-03-28T08:10:39.881457Z",
                    "number": "37",
                    "summary": "Description removed for source.| Description created for source.| References removed (11)."
                },
                {
                    "date": "2026-03-29T01:16:15.924709Z",
                    "number": "38",
                    "summary": "Description removed for source.| Description created for source.| References created (11)."
                },
                {
                    "date": "2026-03-29T14:56:55.255172Z",
                    "number": "39",
                    "summary": "EPSS updated."
                },
                {
                    "date": "2026-03-30T13:22:46.679617Z",
                    "number": "40",
                    "summary": "Source created.| CVE status created. (valid)| Products created (5).| Product Identifiers created (3).| References created (3)."
                },
                {
                    "date": "2026-03-30T13:22:49.247368Z",
                    "number": "41",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-30T15:25:48.868330Z",
                    "number": "42",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-30T15:25:58.844049Z",
                    "number": "43",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-30T15:39:04.404782Z",
                    "number": "44",
                    "summary": "Products created (1).| References created (1)."
                },
                {
                    "date": "2026-03-30T19:24:45.400874Z",
                    "number": "45",
                    "summary": "Products created (2).| Product Identifiers created (2)."
                },
                {
                    "date": "2026-03-30T22:12:57.417812Z",
                    "number": "46",
                    "summary": "Description removed for source.| Description created for source.| References created (1)."
                },
                {
                    "date": "2026-03-31T12:20:14.085992Z",
                    "number": "47",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-31T16:56:37.891844Z",
                    "number": "48",
                    "summary": "EPSS updated."
                }
            ],
            "status": "interim",
            "version": "48"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=1.82.7|<=1.82.8",
                                "product": {
                                    "name": "vers:unknown/>=1.82.7|<=1.82.8",
                                    "product_id": "CSAFPID-5906759"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "LiteLLM"
                    }
                ],
                "category": "vendor",
                "name": "BerriAI"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.69.4",
                                "product": {
                                    "name": "vers:unknown/0.69.4",
                                    "product_id": "CSAFPID-5965115",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:aquasec:trivy:0.69.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/container image 0.69.5",
                                "product": {
                                    "name": "vers:unknown/container image 0.69.5",
                                    "product_id": "CSAFPID-5965116",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:aquasec:trivy:0.69.5::container_image"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/container image 0.69.6",
                                "product": {
                                    "name": "vers:unknown/container image 0.69.6",
                                    "product_id": "CSAFPID-5965113",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:aquasec:trivy:0.69.6::container_image"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/setup-trivy <0.2.6",
                                "product": {
                                    "name": "vers:unknown/setup-trivy <0.2.6",
                                    "product_id": "CSAFPID-5965117"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/trivy-action <0.35.0",
                                "product": {
                                    "name": "vers:unknown/trivy-action <0.35.0",
                                    "product_id": "CSAFPID-5965114"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Trivy"
                    }
                ],
                "category": "vendor",
                "name": "Aqua Security"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/unknown",
                                "product": {
                                    "name": "vers:unknown/unknown",
                                    "product_id": "CSAFPID-5918267"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Trivy"
                    }
                ],
                "category": "vendor",
                "name": "Aquasecurity"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/1.82.7",
                                "product": {
                                    "name": "vers:unknown/1.82.7",
                                    "product_id": "CSAFPID-5919251",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:litellm:litellm:1.82.7:*:*:*:*:*:*:*"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/1.82.8",
                                "product": {
                                    "name": "vers:unknown/1.82.8",
                                    "product_id": "CSAFPID-5919252",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:litellm:litellm:1.82.8:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "litellm"
                    }
                ],
                "category": "vendor",
                "name": "litellm"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<0.2.6",
                                "product": {
                                    "name": "vers:unknown/<0.2.6",
                                    "product_id": "CSAFPID-5919248",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:aquasec:setup-trivy:*:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "setup-trivy"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.69.4",
                                "product": {
                                    "name": "vers:unknown/0.69.4",
                                    "product_id": "CSAFPID-5919249",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:aquasec:trivy:0.69.4:*:*:*:*:go:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "trivy"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<0.35.0",
                                "product": {
                                    "name": "vers:unknown/<0.35.0",
                                    "product_id": "CSAFPID-5919250",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:aquasec:trivy_action:*:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "trivy_action"
                    }
                ],
                "category": "vendor",
                "name": "aquasec"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<0.2.6",
                                "product": {
                                    "name": "vers:unknown/<0.2.6",
                                    "product_id": "CSAFPID-5901537"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "setup-trivy"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.69.4",
                                "product": {
                                    "name": "vers:unknown/0.69.4",
                                    "product_id": "CSAFPID-5907194",
                                    "product_identification_helper": {
                                        "purl": "pkg:golang/github.com/aquasecurity/trivy@0.69.4"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "trivy"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<0.35.0",
                                "product": {
                                    "name": "vers:unknown/<0.35.0",
                                    "product_id": "CSAFPID-5901538"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "trivy-action"
                    }
                ],
                "category": "vendor",
                "name": "aquasecurity"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=4.87.1|<=4.87.2",
                                "product": {
                                    "name": "vers:unknown/>=4.87.1|<=4.87.2",
                                    "product_id": "CSAFPID-5965389"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "telnyx"
                    }
                ],
                "category": "vendor",
                "name": "team-telnyx"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/4.87.1",
                                "product": {
                                    "name": "vers:unknown/4.87.1",
                                    "product_id": "CSAFPID-5965577",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:telnyx:telnyx:4.87.1:*:*:*:*:python:*:*"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/4.87.2",
                                "product": {
                                    "name": "vers:unknown/4.87.2",
                                    "product_id": "CSAFPID-5965578",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:telnyx:telnyx:4.87.2:*:*:*:*:python:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "telnyx"
                    }
                ],
                "category": "vendor",
                "name": "telnyx"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-33634",
            "cwe": {
                "id": "CWE-506",
                "name": "Embedded Malicious Code"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits. This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have used a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack. Affected components include the `aquasecurity/trivy` Go / Container image version 0.69.4, the `aquasecurity/trivy-action` GitHub Action versions 0.0.1 – 0.34.2 (76/77), and the `aquasecurity/setup-trivy` GitHub Action versions 0.2.0 – 0.2.6, prior to the recreation of 0.2.6 with a safe commit. Known safe versions include versions 0.69.2 and 0.69.3 of the Trivy binary, version 0.35.0 of trivy-action, and version 0.2.6 of setup-trivy. Additionally, take other mitigations to ensure the safety of secrets. If there is any possibility that a compromised version ran in one's environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately. Check whether one's organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately. Review all workflows using `aquasecurity/trivy-action` or `aquasecurity/setup-trivy`. Those who referenced a version tag rather than a full commit SHA should check workflow run logs from March 19–20, 2026 for signs of compromise. Look for repositories named `tpcp-docs` in one's GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen. Pin GitHub Actions to full, immutable commit SHA hashes, don't use mutable version tags.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33634"
                },
                {
                    "category": "description",
                    "text": "Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits. This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have used a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack. Affected components include the `aquasecurity/trivy` Go / Container image version 0.69.4, the `aquasecurity/trivy-action` GitHub Action versions 0.0.1 – 0.34.2 (76/77), and the `aquasecurity/setup-trivy` GitHub Action versions 0.2.0 – 0.2.6, prior to the recreation of 0.2.6 with a safe commit. Known safe versions include versions 0.69.2 and 0.69.3 of the Trivy binary, version 0.35.0 of trivy-action, and version 0.2.6 of setup-trivy. Additionally, take other mitigations to ensure the safety of secrets. If there is any possibility that a compromised version ran in one's environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately. Check whether one's organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately. Review all workflows using `aquasecurity/trivy-action` or `aquasecurity/setup-trivy`. Those who referenced a version tag rather than a full commit SHA should check workflow run logs from March 19–20, 2026 for signs of compromise. Look for repositories named `tpcp-docs` in one's GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen. Pin GitHub Actions to full, immutable commit SHA hashes, don't use mutable version tags.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33634.json"
                },
                {
                    "category": "description",
                    "text": "## Summary\n\nOn March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits.\n\nOn March 22, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.5 and v0.69.6 DockerHub images.\n\n## Exposure Window\n\n| Component     | Start (UTC)            | End (UTC)         | Duration  |\n| ------------- | ---------------------- | ----------------- | --------- |\n| trivy v0.69.4 | 2026-03-19 18:22 [^1]  | 2026-03-19 ~21:42 | ~3 hours  |\n| trivy-action  | 2026-03-19 ~17:43 [^2] | 2026-03-20 ~05:40 | ~12 hours |\n| setup-trivy   | 2026-03-19 ~17:43 [^2] | 2026-03-19 ~21:44 | ~4 hours  |\n| dockerhub trivy images v0.69.5 and v0.69.6 | 2026-03-22 15:43  | 2026-03-22 ~01:40 | ~10 hours  |\n\n[^1]: Time when v0.69.4 release artifacts became publicly available. The malicious tag was pushed at ~17:43 UTC, triggering the release pipeline.\n[^2]: Earliest suspicious activity observed in our audit log.\n## Affected Components\n\nNote that all malicious components, artifacts, commits, etc have been removed from all sources and destinations (yet they may linger in intermediary caches). Use this information to understand if you have been exposed to the malicious artifacts during the exposure window.\n\n### `trivy` binary and image\n\nUsers are affected if they utilized:\n1. trivy binaries version v0.69.4 (or latest during the exposure window) distributed via GitHub, Deb, RPM.\n2. trivy container images v0.69.4 (or latest during the exposure window) distributed via GHCR, ECR public, Docker Hub.\n3. trivy container images v0.69.5 and v0.69.6 (or latest during the exposure window) distributed via Docker Hub.\n\nUsers are not affected if they utilized:\n1. trivy (binary or image) version v0.69.3 or earlier.\n\t1. 
v0.69.3 is protected by GitHub's [immutable releases](https://docs.github.com/en/repositories/releasing-projects-on-github/managing-releases-in-a-repository#creating-a-release) feature (enabled March 3, before v0.69.3 was published).\n\t2. v0.69.2 predates immutable releases enablement, but its integrity can be verified via sigstore signatures together with the signing timestamp (see \"How to Verify\" section below). A valid signature alone is not sufficient evidence: the malicious v0.69.4 release was produced by Trivy's own release pipeline, so its artifacts may also carry valid signatures from an `aquasecurity` workflow identity; the signing timestamp (before March 19) is the discriminating check.\n2. trivy images referenced by digest (a digest pinned before the exposure window cannot be redirected by a tag move).\n3. trivy binaries built from source.\n\t1. The malicious code was not committed to Trivy's main branch. It was fetched and built on the ephemeral runner, and also committed to a v0.70.0 branch but no release or git tag was ever pushed.\n4. homebrew from official formula (`brew install trivy`)\n\t1. The [official homebrew formula](https://github.com/Homebrew/homebrew-core/blob/785817ba05ed32eef15490bb105f67bd973aa7c2/Formula/t/trivy.rb) is building trivy directly from source.\n\t2. There's an additional custom [trivy tap](https://github.com/aquasecurity/homebrew-trivy) which was compromised as part of the v0.69.4 release, but that tap requires special installation and is not even mentioned in the trivy documentation.\n\n### `aquasecurity/trivy-action` GitHub Action\n\nUsers are affected if they utilized:\n1. Any tag other than 0.35.0 (i.e., 0.0.1 – 0.34.2) to reference the action.\n2. the action's `version: latest` parameter explicitly (not the default) during the trivy binary exposure window.\n3. SHA pinning to a commit prior to 2025-04-09.\n\t1. trivy-action started pinning setup-go with pull request [trivy-action#456](https://github.com/aquasecurity/trivy-action/pull/456#event-17180670975). If you pinned trivy-action to a commit prior to that PR (merged 2025-04-09), then you would get a safe trivy-action but it would get a malicious setup-trivy, if invoked during the setup-trivy exposure window.\n\nUsers are not affected if they utilized:\n1. 0.35.0 tag\n\t1. 
0.35.0 is protected by GitHub's immutable releases feature (enabled March 4, before 0.35.0 was published) and was not affected by the tag hijacking attack.\n2. SHA pinning to a safe commit after 2025-04-09.\n\n### `aquasecurity/setup-trivy` GitHub Action\n\nUsers are affected if they utilized:\n1. Any version without pinning (referenced by tag rather than by commit SHA).\n\nUsers are not affected if they utilized:\n1. SHA pinning to a safe commit.\n\n## Attack Details\n\n### Root Cause\n\nThis incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have used a still-valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack.\n### Trivy v0.69.4 binary and container images\n\nThe attacker created a malicious release by:\n1. Pushing a commit (`1885610c`) that swapped the `actions/checkout` reference to an imposter commit (`70379aad`) containing a composite action that downloaded malicious Go source files from a typosquatted domain\n2. Adding `--skip=validate` to goreleaser to bypass binary validation\n3. Tagging this commit as `v0.69.4`, triggering the release pipeline\n\nThe compromised release was distributed across Trivy's regular distribution channels: GHCR, ECR Public, Docker Hub (both `0.69.4` and `latest` tags), deb/rpm packages, and `get.trivy.dev`.\n\nThe attacker also attempted a malicious v0.70.0 release, but that attempt was stopped before any release or git tag was published.\n### trivy-action tag hijacking\n\nThe attacker force-pushed 76 of 77 version tags to malicious commits that injected an infostealer into `entrypoint.sh`. The malicious code executes before the legitimate Trivy scan and does the following:\n\n1. Dumps `Runner.Worker` process memory via `/proc/<pid>/mem` to extract secrets. 
Sweeps 50+ filesystem paths for SSH keys, AWS/GCP/Azure credentials, Kubernetes tokens, Docker configs, `.env` files, database credentials, and cryptocurrency wallets.\n2. Encrypts collected data using AES-256-CBC with RSA-4096 hybrid encryption.\n3. Transmits to attacker-controlled infrastructure. If exfiltration fails and `INPUT_GITHUB_PAT` is set, creates a public `tpcp-docs` repository on the victim's GitHub account and uploads stolen data as a release asset.\n\n### setup-trivy release replacement\n\nAll 7 existing tags (v0.2.0 – v0.2.6) were force-pushed to malicious commits. The malicious `action.yaml` contained the same infostealer as trivy-action, injected as a \"Setup environment\" step that executes before the legitimate Trivy installation. \nWe have removed all malicious releases within ~4 hours and re-created v0.2.6 with safe content. Tags v0.2.0 – v0.2.5 were not restored.\n\n### Trivy v0.69.5 and v0.69.6 docker image published.\nThe attacker created `aquasec/trivy:0.69.5` and `aquasec/trivy:0.69.6` with the same C2 domain as the `v0.69.4` payload, and pushed them directly to Docker Hub using separately-compromised Docker Hub credentials (not via GitHub). No corresponding GitHub tags or releases existed.\nWe have removed all tags related to `0.69.5` and `0.69.6` and restored the latest tag to the safe `0.69.3` tag.\n\n## Recommended Actions\n\n### Update to Known-Safe Versions\n\n| Component    | Safe Version     |\n| ------------ | ---------------- |\n| Trivy binary | v0.69.2, v0.69.3 |\n| trivy-action | v0.35.0          |\n| setup-trivy  | v0.2.6           |\n\nRegarding trivy-action: The original tags (`0.0.1` – `0.34.2`) were deleted during remediation. Because the attacker's force-push caused these tags to be treated as immutable releases by GitHub, they cannot be re-created with the same names. New tags have been published with a `v` prefix (`v0.0.1` – `v0.34.2`) pointing to the original legitimate commits. 
Three tags: `v0.0.10`, `v0.34.1`, and `v0.34.2` have not yet been restored. If you need to reference a version older than 0.35.0, use the `v`-prefixed tag (e.g., `aquasecurity/trivy-action@v0.34.0` instead of `@0.34.0`). \n### Rotate All Potentially Exposed Secrets\n\nBased on information shared above, if there is any possibility that a compromised version ran in a project's environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately. This includes secrets that were only present in runner process memory (workflow secrets and the job token), since the infostealer dumps `Runner.Worker` memory rather than only reading files on disk.\n### Audit Trivy Versions\nCheck whether a project's organization pulled or executed Trivy v0.69.4 from any source, or Trivy v0.69.5/v0.69.6 (or the `latest` tag during the exposure windows) from Docker Hub. Remove any affected artifacts immediately, including copies held in internal registries, package mirrors, and CI caches.\n### Audit GitHub Action References\nReview all workflows using `aquasecurity/trivy-action` or `aquasecurity/setup-trivy`. Check workflow run logs from March 19–20, 2026 for signs of compromise (for setup-trivy, an unexpected \"Setup environment\" step running before the Trivy installation is an indicator).\n### Search for Exfiltration Artifacts\nLook for repositories named `tpcp-docs` or prefixed `tpcp-docs-` in the project's GitHub organization, and in the personal accounts of any users whose PATs were available to affected pipelines. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen.\n### Pin GitHub Actions to Full SHA Hashes\nPin GitHub Actions to full, immutable commit SHA hashes, don't use mutable version tags. 
As described here: https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions\n## How to Verify Existing Installations\n\n### Binary verification\n\n```bash\n# Download binary and sigstore bundle\ncurl -sLO \"https://github.com/aquasecurity/trivy/releases/download/v0.69.2/trivy_0.69.2_Linux-64bit.tar.gz\"\ncurl -sLO \"https://github.com/aquasecurity/trivy/releases/download/v0.69.2/trivy_0.69.2_Linux-64bit.tar.gz.sigstore.json\"\n\n# Verify signature\n$ cosign verify-blob \\\n  --certificate-identity-regexp 'https://github\\.com/aquasecurity/' \\\n  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \\\n  --bundle trivy_0.69.2_Linux-64bit.tar.gz.sigstore.json \\\n  trivy_0.69.2_Linux-64bit.tar.gz\nVerified OK\n\n# Check signing timestamp\n$ date -u -d @$(jq -r '.verificationMaterial.tlogEntries[].integratedTime' trivy_0.69.2_Linux-64bit.tar.gz.sigstore.json)\nSat Mar  1 19:11:02 UTC 2026\n# ✅ Signed on Mar 1, before the attack on Mar 19\n```\n\n### Container image verification\n\n```bash\n# Verify signature and get image digest\n$ cosign verify \\\n  --certificate-identity-regexp 'https://github\\.com/aquasecurity/' \\\n  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \\\n  --new-bundle-format \\\n  ghcr.io/aquasecurity/trivy:0.69.2\nVerification for ghcr.io/aquasecurity/trivy:0.69.2 --\nThe following checks were performed on each of these signatures:\n  - The cosign claims were validated\n  - Existence of the claims in the transparency log was verified offline\n  - The code-signing certificate was verified using trusted certificate authority certificates\n\n# Get digest and check all signing timestamps via Rekor\n$ DIGEST=$(cosign verify \\\n  --certificate-identity-regexp 'https://github\\.com/aquasecurity/' \\\n  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \\\n  --new-bundle-format -o json ghcr.io/aquasecurity/trivy:0.69.2 2>/dev/null | \\\n  jq -r 
'.[0].critical.image.\"docker-manifest-digest\"')\n\n$ rekor-cli search --sha \"$DIGEST\" | grep -v 'Found' | while read uuid; do\n    rekor-cli get --uuid \"$uuid\" | grep IntegratedTime\n  done\nIntegratedTime: 2026-03-01T19:13:52Z\nIntegratedTime: 2026-03-01T19:13:47Z\nIntegratedTime: 2026-03-01T19:13:57Z\nIntegratedTime: 2026-03-01T19:13:54Z\nIntegratedTime: 2026-03-01T19:13:46Z\nIntegratedTime: 2026-03-01T19:13:37Z\n# ✅ All signed on Mar 1, before the attack on Mar 19\n```\n\n## Resources\n\n- https://github.com/aquasecurity/trivy/discussions/10425",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-69fq-xp46-6x23.json?alt=media"
                },
                {
                    "category": "description",
                    "text": "Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory.\nApply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
                    "title": "cisagov - https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
                },
                {
                    "category": "description",
                    "text": "## Summary\n\nOn March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits.\nOn March 22, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.5 and v0.69.6 DockerHub images.\n\n## Exposure Window\n\n| Component     | Start (UTC)            | End (UTC)         | Duration  |\n| ------------- | ---------------------- | ----------------- | --------- |\n| trivy v0.69.4 | 2026-03-19 18:22 [^1]  | 2026-03-19 ~21:42 | ~3 hours  |\n| trivy-action  | 2026-03-19 ~17:43 [^2] | 2026-03-20 ~05:40 | ~12 hours |\n| setup-trivy   | 2026-03-19 ~17:43 [^2] | 2026-03-19 ~21:44 | ~4 hours  |\n| dockerhub trivy images v0.69.5 and v0.69.6 | 2026-03-22 15:43  | 2026-03-23 ~01:40 | ~10 hours  |\n\n[^1]: Time when v0.69.4 release artifacts became publicly available. The malicious tag was pushed at ~17:43 UTC, triggering the release pipeline.\n[^2]: Earliest suspicious activity observed in our audit log.\n## Affected Components\n\nNote that all malicious components, artifacts, commits, etc have been removed from all sources and destinations (yet they may linger in intermediary caches). Use this information to understand if you have been exposed to the malicious artifacts during the exposure window.\n\n### `trivy` binary and image\n\nYou are affected if you used:\n1. trivy binaries version v0.69.4 (or latest during the exposure window) distributed via GitHub, Deb, RPM.\n2. trivy container images v0.69.4 (or latest during the exposure window) distributed via GHCR, ECR public, Docker Hub.\n3. trivy container images v0.69.5 and v0.69.6 (or latest during the exposure window) distributed via Docker Hub.\n\nYou are not affected if you used:\n1. trivy (binary or image) version v0.69.3 or earlier.\n\t1. 
v0.69.3 is protected by GitHub's [immutable releases](https://docs.github.com/en/repositories/releasing-projects-on-github/managing-releases-in-a-repository#creating-a-release) feature (enabled March 3, before v0.69.3 was published).\n\t2. v0.69.2 predates immutable releases enablement, but its integrity can be verified via sigstore signatures together with the signing timestamp (see \"How to Verify\" section below). A valid signature alone is not sufficient evidence: the malicious v0.69.4 release was produced by Trivy's own release pipeline, so its artifacts may also carry valid signatures from an `aquasecurity` workflow identity; the signing timestamp (before March 19) is the discriminating check.\n2. trivy images referenced by digest (a digest pinned before the exposure window cannot be redirected by a tag move).\n3. trivy binaries built from source.\n\t1. The malicious code was not committed to Trivy's main branch. It was fetched and built on the ephemeral runner, and also committed to a v0.70.0 branch but no release or git tag was ever pushed.\n4. homebrew from official formula (`brew install trivy`)\n\t1. The [official homebrew formula](https://github.com/Homebrew/homebrew-core/blob/785817ba05ed32eef15490bb105f67bd973aa7c2/Formula/t/trivy.rb) is building trivy directly from source.\n\t2. There's an additional custom [trivy tap](https://github.com/aquasecurity/homebrew-trivy) which was compromised as part of the v0.69.4 release, but that tap requires special installation and is not even mentioned in the trivy documentation.\n\n### `aquasecurity/trivy-action` GitHub Action\n\nYou are affected if you used:\n1. Any tag other than 0.35.0 (i.e., 0.0.1 – 0.34.2) to reference the action.\n2. the action's `version: latest` parameter explicitly (not the default) during the trivy binary exposure window.\n3. SHA pinning to a commit prior to 2025-04-09.\n\t1. trivy-action started pinning setup-go with pull request [trivy-action#456](https://github.com/aquasecurity/trivy-action/pull/456#event-17180670975). If you pinned trivy-action to a commit prior to that PR (merged 2025-04-09), then you would get a safe trivy-action but it would get a malicious setup-trivy, if invoked during the setup-trivy exposure window.\n\nYou are not affected if you used:\n1. 0.35.0 tag\n\t1. 
0.35.0 is protected by GitHub's immutable releases feature (enabled March 4, before 0.35.0 was published) and was not affected by the tag hijacking attack.\n2. SHA pinning to a safe commit after 2025-04-09.\n\n### `aquasecurity/setup-trivy` GitHub Action\n\nYou are affected if you used:\n1. Any version without pinning (referenced by tag rather than by commit SHA).\n\nYou are not affected if you used:\n1. SHA pinning to a safe commit.\n\n## Attack Details\n\n### Root Cause\n\nThis incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have used a still-valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack.\n### Trivy v0.69.4 binary and container images\n\nThe attacker created a malicious release by:\n1. Pushing a commit (`1885610c`) that swapped the `actions/checkout` reference to an imposter commit (`70379aad`) containing a composite action that downloaded malicious Go source files from a typosquatted domain\n2. Adding `--skip=validate` to goreleaser to bypass binary validation\n3. Tagging this commit as `v0.69.4`, triggering the release pipeline\n\nThe compromised release was distributed across Trivy's regular distribution channels: GHCR, ECR Public, Docker Hub (both `0.69.4` and `latest` tags), deb/rpm packages, and `get.trivy.dev`.\n\nThe attacker also attempted a malicious v0.70.0 release, but that attempt was stopped before any release or git tag was published.\n### trivy-action tag hijacking\n\nThe attacker force-pushed 76 of 77 version tags to malicious commits that injected an infostealer into `entrypoint.sh`. The malicious code executes before the legitimate Trivy scan and does the following:\n\n1. Dumps `Runner.Worker` process memory via `/proc/<pid>/mem` to extract secrets. 
Sweeps 50+ filesystem paths for SSH keys, AWS/GCP/Azure credentials, Kubernetes tokens, Docker configs, `.env` files, database credentials, and cryptocurrency wallets.\n2. Encrypts collected data using AES-256-CBC with RSA-4096 hybrid encryption.\n3. Transmits to attacker-controlled infrastructure. If exfiltration fails and `INPUT_GITHUB_PAT` is set, creates a public `tpcp-docs` repository on the victim's GitHub account and uploads stolen data as a release asset.\n\n### setup-trivy release replacement\n\nAll 7 existing tags (v0.2.0 – v0.2.6) were force-pushed to malicious commits. The malicious `action.yaml` contained the same infostealer as trivy-action, injected as a \"Setup environment\" step that executes before the legitimate Trivy installation. \nWe have removed all malicious releases within ~4 hours and re-created v0.2.6 with safe content. Tags v0.2.0 – v0.2.5 were not restored.\n\n### Trivy v0.69.5 and v0.69.6 docker image published.\nThe attacker created `aquasec/trivy:0.69.5` and `aquasec/trivy:0.69.6` with the same C2 domain as the `v0.69.4` payload, and pushed them directly to Docker Hub using separately-compromised Docker Hub credentials (not via GitHub). No corresponding GitHub tags or releases existed.\nWe have removed all tags related to `0.69.5` and `0.69.6` and restored the latest tag to the safe `0.69.3` tag.\n\n## Recommended Actions\n\n### Update to Known-Safe Versions\n\n| Component    | Safe Version     |\n| ------------ | ---------------- |\n| Trivy binary | v0.69.2, v0.69.3 |\n| trivy-action | v0.35.0          |\n| setup-trivy  | v0.2.6           |\n\nRegarding trivy-action: The original tags (`0.0.1` – `0.34.2`) were deleted during remediation. Because the attacker's force-push caused these tags to be treated as immutable releases by GitHub, they cannot be re-created with the same names. New tags have been published with a `v` prefix (`v0.0.1` – `v0.34.2`) pointing to the original legitimate commits. 
Three tags: `v0.0.10`, `v0.34.1`, and `v0.34.2` have not yet been restored. If you need to reference a version older than 0.35.0, use the `v`-prefixed tag (e.g., `aquasecurity/trivy-action@v0.34.0` instead of `@0.34.0`). \n### Rotate All Potentially Exposed Secrets\n\nBased on information shared above, if there is any possibility that a compromised version ran in your environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately. This includes secrets that were only present in runner process memory (workflow secrets and the job token), since the infostealer dumps `Runner.Worker` memory rather than only reading files on disk.\n### Audit Trivy Versions\nCheck whether your organization pulled or executed Trivy v0.69.4 from any source, or Trivy v0.69.5/v0.69.6 (or the `latest` tag during the exposure windows) from Docker Hub. Remove any affected artifacts immediately, including copies held in internal registries, package mirrors, and CI caches.\n### Audit GitHub Action References\nReview all workflows using `aquasecurity/trivy-action` or `aquasecurity/setup-trivy`. Check workflow run logs from March 19–20, 2026 for signs of compromise (for setup-trivy, an unexpected \"Setup environment\" step running before the Trivy installation is an indicator).\n### Search for Exfiltration Artifacts\nLook for repositories named `tpcp-docs` or prefixed `tpcp-docs-` in your GitHub organization, and in the personal accounts of any users whose PATs were available to affected pipelines. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen.\n### Pin GitHub Actions to Full SHA Hashes\nPin GitHub Actions to full, immutable commit SHA hashes, don't use mutable version tags. 
As described here: https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions\n## How to Verify Existing Installations\n\n### Binary verification\n\n```bash\n# Download binary and sigstore bundle\ncurl -sLO \"https://github.com/aquasecurity/trivy/releases/download/v0.69.2/trivy_0.69.2_Linux-64bit.tar.gz\"\ncurl -sLO \"https://github.com/aquasecurity/trivy/releases/download/v0.69.2/trivy_0.69.2_Linux-64bit.tar.gz.sigstore.json\"\n\n# Verify signature\n$ cosign verify-blob \\\n  --certificate-identity-regexp 'https://github\\.com/aquasecurity/' \\\n  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \\\n  --bundle trivy_0.69.2_Linux-64bit.tar.gz.sigstore.json \\\n  trivy_0.69.2_Linux-64bit.tar.gz\nVerified OK\n\n# Check signing timestamp\n$ date -u -d @$(jq -r '.verificationMaterial.tlogEntries[].integratedTime' trivy_0.69.2_Linux-64bit.tar.gz.sigstore.json)\nSat Mar  1 19:11:02 UTC 2026\n# ✅ Signed on Mar 1, before the attack on Mar 19\n```\n\n### Container image verification\n\n```bash\n# Verify signature and get image digest\n$ cosign verify \\\n  --certificate-identity-regexp 'https://github\\.com/aquasecurity/' \\\n  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \\\n  --new-bundle-format \\\n  ghcr.io/aquasecurity/trivy:0.69.2\nVerification for ghcr.io/aquasecurity/trivy:0.69.2 --\nThe following checks were performed on each of these signatures:\n  - The cosign claims were validated\n  - Existence of the claims in the transparency log was verified offline\n  - The code-signing certificate was verified using trusted certificate authority certificates\n\n# Get digest and check all signing timestamps via Rekor\n$ DIGEST=$(cosign verify \\\n  --certificate-identity-regexp 'https://github\\.com/aquasecurity/' \\\n  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \\\n  --new-bundle-format -o json ghcr.io/aquasecurity/trivy:0.69.2 2>/dev/null | \\\n  jq -r 
'.[0].critical.image.\"docker-manifest-digest\"')\n\n$ rekor-cli search --sha \"$DIGEST\" | grep -v 'Found' | while read uuid; do\n    rekor-cli get --uuid \"$uuid\" | grep IntegratedTime\n  done\nIntegratedTime: 2026-03-01T19:13:52Z\nIntegratedTime: 2026-03-01T19:13:47Z\nIntegratedTime: 2026-03-01T19:13:57Z\nIntegratedTime: 2026-03-01T19:13:54Z\nIntegratedTime: 2026-03-01T19:13:46Z\nIntegratedTime: 2026-03-01T19:13:37Z\n# ✅ All signed on Mar 1, before the attack on Mar 19\n```\n\n\n## Indicators of Compromise\n\n### Executable binaries\n\n| SHA256                                                             | Filename                            |\n| ------------------------------------------------------------------ | ----------------------------------- |\n| `c5b16c42dbd2a1494141cd651a406ec9094d5031a421c0aa624c4d139ae81239` | `trivy_0.69.4_FreeBSD_64bit.tar.gz` |\n| `cff74e3e9ac0cda2078d31800d8fcad832d7b52c9920b085054d1e96dacff8a3` | `trivy_0.69.4_Linux-32bit.deb`      |\n| `55047c55a5ceab6d80b13884b4a4e8cd27a0bab7a218a952a00aae9e05f16f80` | `trivy_0.69.4_Linux-32bit.rpm`      |\n| `ba04ba6a0c028cde17599c8ddaefdb854055c5a23c595e06630732002ea59a76` | `trivy_0.69.4_Linux-32bit.tar.gz`   |\n| `0ca60dd18178d1c79d59cc06be12c540c121a4aea467484244667131aa13c311` | `trivy_0.69.4_Linux-64bit.deb`      |\n| `a5696321a6c93071f46c8bb8cbd0a8d2bce6d1860cc3c109247a4e8b64ebd317` | `trivy_0.69.4_Linux-64bit.rpm`      |\n| `385d498d18a3a7c67878ca7322716f9da25683eb1a4bf9e9592da0d5f2ab09f6` | `trivy_0.69.4_Linux-64bit.tar.gz`   |\n| `8f0c7b92b251c61cbca2add06c676dd21fde8fbb2d0cd6616383fae29b21756a` | `trivy_0.69.4_Linux-ARM.deb`        |\n| `c5df9d1bc6275711b2884a9ed4aacfe4e10dbe3c8f6c79df59126fd0e6dcd83f` | `trivy_0.69.4_Linux-ARM.rpm`        |\n| `f7a9bbfec8add36c548add4d875848b8b57c21fabe236d115f1c49113d12b332` | `trivy_0.69.4_Linux-ARM.tar.gz`     |\n| `9a833d68a49ec6d44bc50fb9ff3b184bafb0edc913e1293daebe51d334676a70` | `trivy_0.69.4_Linux-ARM64.deb`      |\n| 
`451ce0c4deb620894d07a2f4a37c8ea3b7a4f9b6d111651b4ac3bcc737b0fac0` | `trivy_0.69.4_Linux-ARM64.rpm`      |\n| `e401ae1e6d2442fa9a0c79dc0f3b0457ecfebf74a9c0a920159c49437f663aef` | `trivy_0.69.4_Linux-ARM64.tar.gz`   |\n| `284622577cf6a7c58704de60194205f765fcef432934c200b462ef0290aa5f57` | `trivy_0.69.4_Linux-PPC64LE.deb`    |\n| `5fac89e66d70cadec5c0e30c0b0cf8bf38c145cbf06422d40d076985195e1dd6` | `trivy_0.69.4_Linux-PPC64LE.rpm`    |\n| `52518d441fd6dd25fa5126683a330592d3be80d5ce3fb9e0b1becb806ff4f857` | `trivy_0.69.4_Linux-PPC64LE.tar.gz` |\n| `62585efcdc7767f3fe0b9ae2897fe03bf331934492fd7a5da46f14fd7bf705c8` | `trivy_0.69.4_Linux-s390x.deb`      |\n| `107be2081bdc3ddad2889ae037ab2ad6bbd214fb9a43eaa25390d00411d1c7dd` | `trivy_0.69.4_Linux-s390x.rpm`      |\n| `16c855c398a8b185a907790054b70164358844a893bf9965651b88d6967c7c0a` | `trivy_0.69.4_Linux-s390x.tar.gz`   |\n| `90d61cf37355b89fae9ff84867100e1721c1876007ef1771e465ce5a721141ad` | `trivy_0.69.4_macOS-64bit.tar.gz`   |\n| `1dc871b02cd7a1fd80babb1b8762a2fd9cc2b735d4d3759d012626de3ccc7a5b` | `trivy_0.69.4_macOS-ARM64.tar.gz`   |\n| `0376b98064636c30f5fbe60fb3b1225516e23e88dd7e909937f81d9265292e7d` | `trivy_0.69.4_windows_64bit.zip`    |\n| `822dd269ec10459572dfaaefe163dae693c344249a0161953f0d5cdd110bd2a0` | `trivy_0.69.4_linux_amd64`          |\n| `e64e152afe2c722d750f10259626f357cdea40420c5eedae37969fbf13abbecf` | `trivy_0.69.4_linux_arm64`          |\n| `d5edd791021b966fb6af0ace09319ace7b97d6642363ef27b3d5056ca654a94c` | `trivy_0.69.4_s390x`                |\n| `ecce7ae5ffc9f57bb70efd3ea136a2923f701334a8cd47d4fbf01a97fd22859c` | `trivy_0.69.4_ppc64le`              |\n\n### Container images (v0.69.4)\n\n| Digest                                                                    | Tag                      |\n| ------------------------------------------------------------------------- | ------------------------ |\n| `sha256:27f446230c60bbf0b70e008db798bd4f33b7826f9f76f756606f5417100beef3` | `0.69.4`                 
|\n| `sha256:12c702212dee1cbec9471e9261501a3335963321fe76e60e5a715b5acd3c40a2` | `0.69.4-linux/amd64`     |\n| `sha256:2d7cee41048988eec27615412e7c6e2e21046f2b5faa888c24e11ca6764058ed` | `0.69.4-linux/arm64`     |\n| `sha256:ae3494bd6ae860d7727116681bd09fc7b20dc994ec7a8105738f0a623ea93427` | `0.69.4-linux/ppc64le`   |\n| `sha256:43f46547efd488e56dcf862ed4d7cc342730a803f8d5bec5cac443028fefabef` | `0.69.4- linux/s390x`    |\n| `sha256:cc464a3961e1dbe145c75343b55c2f446e08b821782ec993728c4222b0d85589` | `0.69.4-signature`       |\n| `sha256:5aaa1d7cfa9ca4649d6ffad165435c519dc836fa6e21b729a2174ad10b057d2b` | `0.69.5`                 |\n| `sha256:95ff680103570179feb0c6667a9b9b2d98c53fa5a9a451265036810390bbe70a` | `0.69.5-linux/arm64`<br> |\n| `sha256:4f7a06bb51714713ab308d2f8125f3b09ee1c3ffbba1a5ffd0cc80da95fbb6cc` | `0.69.5-linux/ppc64le`   |\n| `sha256:edef8e5816eced552a909b878ff262c0c47776d3297bcc23796ad4cce1e85414` | `0.69.5-linux/s390x`     |\n| `sha256:425cd3e1a2846ac73944e891250377d2b03653e6f028833e30fc00c1abbc6d33` | `0.69.6`                 |\n| `sha256:dd8beb3b40df080b3fd7f9a0f5a1b02f3692f65c68980f46da8328ce8bb788ef` | `0.69.6-linux/amd64`     |\n| `sha256:4b22cedea58780ff76735c3e08b9ee8cb5d06c908ffa868152f11d45349eb696` | `0.69.6-linux/arm64`     |\n| `sha256:9efd59534d2b6b81b8b7a0eeb3ad0e74015f358650e24b9dab00c900d3118593` | `0.69.6-linux/ppc64le`   |\n| `sha256:5e5fb53cf4ce5555171ff5206302ba2f4f66f5381bbf673c354c87a925473f07` | `0.69.6-linux/s390x`     |\n\n### Network\nC2/sinks:\n- `scan.aquasecurtiy.org`\n- `45.148.10.212`\n\n### GitHub Repositories\n\nPublic repo on victim's GitHub account with `tpcp-docs-` prefix.\nStolen data uploaded as a release asset with tag `data-<timestamp>`.",
                    "title": "github - https://api.github.com/advisories/GHSA-69fq-xp46-6x23"
                },
                {
                    "category": "other",
                    "text": "0.21153",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
                    "title": "CVSSV4"
                },
                {
                    "category": "other",
                    "text": "9.4",
                    "title": "CVSSV4 base score"
                },
                {
                    "category": "other",
                    "text": "5.0",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "There is product data available from source Certbundde, There is product data available from a private source",
                    "title": "NCSC Score top increasing factors"
                },
                {
                    "category": "other",
                    "text": "There is exploit data available from source Nvd, There is exploit data available from source Cveprojectv5",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5901537",
                    "CSAFPID-5901538",
                    "CSAFPID-5906759",
                    "CSAFPID-5907194",
                    "CSAFPID-5918267",
                    "CSAFPID-5919248",
                    "CSAFPID-5919249",
                    "CSAFPID-5919250",
                    "CSAFPID-5919251",
                    "CSAFPID-5919252",
                    "CSAFPID-5965113",
                    "CSAFPID-5965114",
                    "CSAFPID-5965115",
                    "CSAFPID-5965116",
                    "CSAFPID-5965117",
                    "CSAFPID-5965389",
                    "CSAFPID-5965577",
                    "CSAFPID-5965578"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33634"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33634.json"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-69fq-xp46-6x23"
                },
                {
                    "category": "external",
                    "summary": "Source - securityweek",
                    "url": "https://www.securityweek.com/from-trivy-to-broad-oss-compromise-teampcp-hits-docker-hub-vs-code-pypi/"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-69fq-xp46-6x23.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Source - cisagov",
                    "url": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
                },
                {
                    "category": "external",
                    "summary": "Source - certbundde",
                    "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0898.json"
                },
                {
                    "category": "external",
                    "summary": "News - securityweek",
                    "url": "https://www.securityweek.com/from-trivy-to-broad-oss-compromise-teampcp-hits-docker-hub-vs-code-pypi/"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/aquasecurity/trivy/discussions/10425"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde; cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23"
                },
                {
                    "category": "external",
                    "summary": "Reference - cisagov; github; osv",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33634"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-69fq-xp46-6x23"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; nvd",
                    "url": "https://rosesecurity.dev/2026/03/20/typosquatting-trivy.html"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/BerriAI/litellm/issues/24518"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/pypa/advisory-database/tree/main/vulns/litellm/PYSEC-2026-2.yaml"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://inspector.pypi.io/project/litellm/1.82.7/packages/79/5f/b6998d42c6ccd32d36e12661f2734602e72a576d52a51f4245aef0b20b4d/litellm-1.82.7-py3-none-any.whl/litellm/proxy/proxy_server.py#line.130"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://inspector.pypi.io/project/litellm/1.82.8/packages/f6/2c/731b614e6cee0bca1e010a36fd381fba69ee836fe3cb6753ba23ef2b9601/litellm-1.82.8.tar.gz/litellm-1.82.8/litellm_init.pth#line.1"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://www.wiz.io/blog/teampcp-attack-kics-github-action"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/BerriAI/litellm/issues/24518#issuecomment-4127436387"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33634"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; nvd",
                    "url": "https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://docs.litellm.ai/blog/security-update-march-2026"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0898.json"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0898"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/team-telnyx/telnyx-python/security/advisories/GHSA-955r-262c-33jc"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                        "baseScore": 8.8,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-5901537",
                        "CSAFPID-5901538",
                        "CSAFPID-5906759",
                        "CSAFPID-5907194",
                        "CSAFPID-5918267",
                        "CSAFPID-5919248",
                        "CSAFPID-5919249",
                        "CSAFPID-5919250",
                        "CSAFPID-5919251",
                        "CSAFPID-5919252",
                        "CSAFPID-5965113",
                        "CSAFPID-5965114",
                        "CSAFPID-5965115",
                        "CSAFPID-5965116",
                        "CSAFPID-5965117",
                        "CSAFPID-5965389",
                        "CSAFPID-5965577",
                        "CSAFPID-5965578"
                    ]
                }
            ],
            "title": "CVE-2026-33634"
        }
    ]
}