Widely used Trivy scanner compromised in ongoing supply-chain attack
Source: Ars Technica
TL;DR (AI-generated summary)

Attackers compromised Aqua Security's Trivy vulnerability scanner in a supply-chain attack that affects the developers and organizations using it. Using stolen credentials, they pushed malicious dependencies that affect most Trivy tags. Trivy, a widely used scanner with 33,200 GitHub stars, runs inside pipelines where it has inadvertently exposed authentication secrets. Security firms Socket and Wiz warned that the malware targets development pipelines for sensitive data such as GitHub tokens and SSH keys. Users are advised to treat the affected versions as compromised and to rotate secrets immediately.
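Because the summary says the malicious versions were published under most Trivy tags, the first practical question for a defender is where Trivy is referenced in their CI pipelines and whether each reference is a mutable tag (which can silently change under an attacker's control) or an immutable commit SHA or image digest. The script below is an added example written for this page, not code from Ars Technica, Aqua Security, Socket or Wiz. It assumes GitHub Actions workflow files and looks for the `aquasecurity/trivy-action` action and the `aquasec/trivy` / `ghcr.io/aquasecurity/trivy` images; the workflow text and the SHA and digest values it contains are constructed sample input. Knowing which references are unpinned tells you which pipelines to audit first; it does not replace the secret rotation the summary advises, and a pinned reference is only as trustworthy as the commit or digest it points to.

```python
import re
from dataclasses import dataclass

# Constructed 40-hex commit SHA and 64-hex image digest; not real artefacts.
COMMIT_SHA = "0123456789abcdef0123456789abcdef01234567"
DIGEST = "0f" * 32

# Constructed sample workflow, not taken from any real repository.
SAMPLE_WORKFLOW = f"""\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    container: aquasec/trivy:latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@{COMMIT_SHA}
      - run: docker run --rm aquasec/trivy@sha256:{DIGEST} image myapp:1.0
"""


@dataclass
class Finding:
    line: int
    reference: str
    pinned: bool  # True only for an immutable reference (commit SHA or sha256 digest)


# "uses:" lines referencing the Trivy GitHub Action with any ref after "@".
ACTION_RE = re.compile(r"uses:\s*(aquasecurity/trivy-action@(\S+))")
# Trivy container images, optionally with a tag and/or a sha256 digest.
IMAGE_RE = re.compile(
    r"((?:ghcr\.io/aquasecurity|aquasec)/trivy(?::\w[\w.-]*)?(?:@sha256:[0-9a-f]{64})?)"
)
COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_trivy_references(workflow_text: str) -> list[Finding]:
    """Return every Trivy action or image reference with a line number and pin status."""
    findings: list[Finding] = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        action = ACTION_RE.search(line)
        if action:
            # A 40-hex ref is a commit SHA; anything else (branch, tag) is mutable.
            findings.append(Finding(number, action.group(1), bool(COMMIT_SHA_RE.match(action.group(2)))))
            continue
        for image in IMAGE_RE.finditer(line):
            ref = image.group(1)
            # Only a digest reference is immutable; ":latest" or ":0.50.0" can be moved.
            findings.append(Finding(number, ref, "@sha256:" in ref))
    return findings


def unpinned(workflow_text: str) -> list[Finding]:
    """The references that should be audited first: anything not pinned to a SHA or digest."""
    return [f for f in find_trivy_references(workflow_text) if not f.pinned]


if __name__ == "__main__":
    for finding in find_trivy_references(SAMPLE_WORKFLOW):
        status = "pinned" if finding.pinned else "UNPINNED"
        print(f"line {finding.line}: {status} {finding.reference}")
```

Run it over each workflow file under `.github/workflows/` in the repositories you own; every `UNPINNED` line is a place where the version of Trivy actually executed is decided by whoever controls the tag, so those pipelines should be checked against the compromise window and their secrets rotated as the summary recommends.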