alt.hn

3/20/2026 at 2:04:51 AM

Aquasecurity/Trivy GitHub Repository and Homebrew Cask Compromised (again)

https://opensourcemalware.com/repository/https%3A%2F%2Fgithub.com%2Faquasecurity%2Ftrivy%2F

by mmsc

3/20/2026 at 2:08:31 AM

The offending commit seems to be: https://github.com/aquasecurity/trivy/commit/1885610c6a34811... which updates the action to `actions/checkout@70379aad1a8b40919ce8b382d3cd7d0315cde1d0 # v6.0.2`. https://github.com/actions/checkout/commit/70379aad1a8b40919... is not actually in `actions/checkout` but a fork, and it pulls malicious code from the typo-squatted "scan.aquasecurtiy.org" (note the _tiy_).

Any system with Trivy 0.69.4 on it (and being run) can be assumed to be compromised.

by mmsc
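A defender-side check for the pattern mmsc describes above (a workflow pinned to a SHA whose `# vX.Y.Z` comment does not correspond to that tag in the upstream repository), added here as an example and not code from the thread or from the Trivy project. It assumes a constructed workflow fragment and a constructed stand-in for the upstream tag list; `resolve_tag_via_git` is the network-backed resolver you would plug in for a real audit.

```python
import re
import subprocess
# One `uses:` step, e.g.  - uses: actions/checkout@<40-hex sha> # v6.0.2
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[^@\s]+)?@([^\s#]+)\s*(?:#\s*(v?\d[\w.-]*))?",
    re.MULTILINE,
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def parse_uses(workflow_text):
    """Return (owner/repo, ref, version-comment-or-None) for every `uses:` step."""
    return [(m.group(1), m.group(2), m.group(3)) for m in USES_RE.finditer(workflow_text)]

def audit_pins(workflow_text, resolve_tag):
    """Cross-check every SHA pin against the tag its trailing comment claims.
    resolve_tag(repo, tag) returns the upstream commit SHA for that tag, or None."""
    findings = []
    for repo, ref, tag in parse_uses(workflow_text):
        if not SHA_RE.match(ref):
            verdict = "UNPINNED: mutable ref, pin to a full commit SHA"
        elif tag is None:
            verdict = "UNCHECKED: SHA pin carries no version comment to verify against"
        elif (upstream := resolve_tag(repo, tag)) == ref:
            verdict = f"OK: SHA is upstream tag {tag}"
        else:
            verdict = f"MISMATCH: upstream tag {tag} is {upstream}; the pinned SHA may be a fork commit"
        findings.append((repo, ref, verdict))
    return findings

def resolve_tag_via_git(repo, tag):
    """Network-backed resolver: ask the upstream repo for the tag. Prefers the peeled
    `^{}` line so an annotated tag yields its commit SHA rather than the tag object."""
    cmd = ["git", "ls-remote", "--tags", f"https://github.com/{repo}", f"refs/tags/{tag}"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    refs = {name: sha for sha, name in (line.split("\t") for line in out.splitlines() if "\t" in line)}
    return refs.get(f"refs/tags/{tag}^{{}}") or refs.get(f"refs/tags/{tag}")

# Constructed workflow fragment; the checkout pin and comment are the ones quoted in the thread.
SAMPLE_WORKFLOW = """
jobs:
  build:
    steps:
      - uses: actions/checkout@70379aad1a8b40919ce8b382d3cd7d0315cde1d0 # v6.0.2
      - uses: actions/setup-go@v5
"""
# Constructed stand-in for upstream's tag list: the real v6.0.2 commit is not known here, so a placeholder SHA is used.
FAKE_UPSTREAM_TAGS = {("actions/checkout", "v6.0.2"): "1" * 40}

def demo():
    return audit_pins(SAMPLE_WORKFLOW, lambda repo, tag: FAKE_UPSTREAM_TAGS.get((repo, tag)))
```

The same cross-check can be run over a whole `.github/workflows/` tree by feeding each file to `audit_pins` with `resolve_tag_via_git`; a `MISMATCH` on a pin that otherwise looks like an ordinary version bump is the signal to inspect the commit in the upstream repository's history.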

3/20/2026 at 10:16:04 AM

Any recommendations for Trivy alternatives to use while Aqua rebuilds their reputation?

by jl6

3/20/2026 at 10:31:12 AM

Grype, Clair

by man8alexd