It happened in the shadows of your supply chain. While you were sleeping, threat actors burrowed into Aqua Security’s CI/CD pipeline and did something genuinely sinister: they weaponized Trivy, one of the most trusted vulnerability scanners in the container ecosystem.
Between March 19, 2026 at 18:24 UTC and March 23, 2026 at 01:36 UTC, anyone running specific versions of the Trivy image from Docker Hub—versions 0.69.4, 0.69.5, 0.69.6, or the catch-all latest tag—may have handed their most sensitive credentials directly to attackers. AWS keys. SSH credentials. Docker tokens. Kubernetes secrets. All of it.
This wasn’t a vulnerability in code. This was a full-spectrum compromise of the distribution mechanism itself.
How the Attack Actually Unfolded
Here’s what makes this so gnarly: the attackers didn’t hack Docker Hub directly. Instead, they compromised Aqua Security’s own credentials, then used them to push poisoned images through legitimate channels. Think of it like a burglar stealing a bank manager’s keycard. The security system saw authenticated, authorized access—which meant Docker Hub’s defenses never flagged it as malicious.
Starting on March 19, 2026 at 18:24 UTC, threat actors compromised Aqua Security’s CI/CD pipeline to push malware into the aquasec/trivy vulnerability scanner images.
The attackers were patient. When Aqua Security noticed the compromise on March 20 and cleaned it up, the threat actors didn’t disappear. Instead, they re-pointed the latest tag back to poisoned content. Then, two days later, they came back again with fresh contaminated builds—0.69.5 and 0.69.6. It was a three-wave assault.
The infostealer they embedded didn’t do anything fancy. It just exfiltrated everything of value: CI/CD secrets, cloud provider credentials (AWS, GCP, Azure), SSH keys, Docker registry tokens, even environment variables. If your system ran one of these images, assume your secrets are compromised.
Why This Matters More Than You Think
This isn’t just about Trivy. This is about the entire foundation of how we trust software distribution in 2026.
Trivy is a scanner—it’s meant to find vulnerabilities in your code. It’s supposed to be security infrastructure. But it became the vector. That’s like discovering your smoke detector has been installed by arsonists. The trust is inverted, weaponized, nullified.
And here’s the thing that keeps security teams awake: Trivy runs in CI/CD pipelines, often with permission to pull Docker images, access cloud credentials, and interact with your Kubernetes clusters. Many deployments mount the Docker socket directly (-v /var/run/docker.sock:/var/run/docker.sock), which means a compromised Trivy container essentially had root access to the host machine. If you ran one of the poisoned images with socket mounting enabled, you need to treat your entire infrastructure as compromised.
This is a supply chain attack in the truest sense. The attackers didn’t target your code or your business logic. They targeted the infrastructure you use to verify your code is safe. They turned your guardian into a ghost.
Who Got Hit (And How to Know If It’s You)
Not everyone’s affected. Docker Hardened Images (DHI) versions of Trivy weren’t compromised. GitHub releases, npm packages—those went through different pipelines. But if you pulled from Docker Hub specifically between those dates with those tags, you’re in the danger zone.
The cleanup started around March 23 at 08:00 UTC when Docker caught wind of the compromise. By that evening, the poisoned images were deleted. But deletion doesn’t help if you already pulled them into your local registries, your artifact repositories, or your CI/CD caches.
You need to hunt for these three digest hashes in your infrastructure:
sha256:27f446230c60bbf0b70e008db798bd4f33b7826f9f76f756606f5417100beef3 (0.69.4)
sha256:5aaa1d7cfa9ca4649d6ffad165435c519dc836fa6e21b729a2174ad10b057d2b (0.69.5)
sha256:425cd3e1a2846ac73944e891250377d2b03653e6f028833e30fc00c1abbc6d33 (0.69.6)
If any of these show up in your local image stores, registries, Artifactory instances, or Nexus caches—you’ve got work to do.
What You Should Do Right Now
If those digests exist on your systems, remove the images immediately. Then, and this is critical, rotate every credential that system could have accessed. Docker tokens, AWS keys, Azure service principals, SSH keys, Kubernetes tokens—everything.
Pin to version 0.69.3, the last known clean release, or wait for a verified new release from Aqua Security. Don’t use latest for a while. That tag just became radioactive.
If you ran the poisoned image with the Docker socket mounted, you need to treat that entire host as potentially compromised. Assume the attacker had root access. Act accordingly.
The Deeper Problem This Exposes
Here’s my take: this incident reveals something uncomfortable about how we’ve structured the open-source supply chain. We’ve built this beautiful ecosystem of trust—public repositories, automatic updates, continuous integration—but we’ve done it on a foundation of credentials and authentication that’s surprisingly fragile. One compromised CI/CD account, and suddenly thousands of developers downstream are running malware.
It’s like building a massive highway system and then discovering the fuel stations are run by people who occasionally poison the pumps. The infrastructure itself is sound. The attack vector is just… human.
The ecosystem needs what I’d call cryptographic supply chain enforcement—signed, verifiable releases with hardware-backed keys, image scanning before execution, pin-based deployments rather than tag-based ones. Trivy itself was supposed to help with that. The irony is brutal.
But we’re not there yet. So for now, verify your digests. Rotate your credentials. Trust, but verify—and then verify again.
FAQs
Will Trivy be safe to use again? Yes, but wait for Aqua Security to release a verified clean version. Version 0.69.3 is confirmed safe. When new releases drop, check release notes and signatures carefully. Don’t jump on new versions immediately.
Do I need to replace Trivy entirely? No. Trivy’s code wasn’t backdoored. This was a supply chain attack, not a code vulnerability. Once you’re running a clean version, it’s fine. Just be more cautious about which distribution channel you use.
What if I pulled Trivy but I’m not sure which version?
Run docker image inspect <image-id> and check the digest. Compare it against the three compromised hashes listed in Docker’s advisory. If it matches, you’re affected. If not, you’re clear—but still rotate your credentials if there’s any chance that system accessed sensitive data.
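As an added example that is not part of the original post or of Docker's advisory, the following shell script performs the digest hunt described under "Who Got Hit" and the docker image inspect check from this FAQ in one pass: it compares both the registry digest (RepoDigests) and the image ID of every local image against the three listed hashes, so a match is caught whichever form your copy is in. The live scan assumes the docker CLI is on PATH; the sample input is constructed for an offline run.

```shell
#!/bin/sh
# Added example, not from Docker's or Aqua Security's advisory: hunt the three
# compromised Trivy digests quoted in the post across the local image store.

# The three digests the post lists (0.69.4, 0.69.5, 0.69.6).
BAD_DIGESTS='sha256:27f446230c60bbf0b70e008db798bd4f33b7826f9f76f756606f5417100beef3
sha256:5aaa1d7cfa9ca4649d6ffad165435c519dc836fa6e21b729a2174ad10b057d2b
sha256:425cd3e1a2846ac73944e891250377d2b03653e6f028833e30fc00c1abbc6d33'

# Reads "reference@sha256:..." or bare "sha256:..." lines on stdin and prints
# "COMPROMISED <line>" for each one whose digest is in BAD_DIGESTS.
find_compromised() {
  while IFS= read -r line; do
    if [ -z "$line" ]; then continue; fi
    digest=${line##*@}          # strip the "repo@" prefix if present
    for bad in $BAD_DIGESTS; do
      if [ "$digest" = "$bad" ]; then
        printf 'COMPROMISED %s\n' "$line"
      fi
    done
  done
}

# Live scan: emit every local image's registry digests (RepoDigests) and its
# image ID (.Id), so a hit is found whichever form the advisory's hashes take.
scan_local_images() {
  docker image ls -q | sort -u | while IFS= read -r id; do
    docker image inspect \
      --format '{{range .RepoDigests}}{{.}}{{"\n"}}{{end}}{{.Id}}' "$id"
  done | find_compromised
}

# Constructed sample input: one poisoned 0.69.4 reference, one placeholder
# clean digest (not a real image) and one bare image ID placeholder.
SAMPLE='aquasec/trivy@sha256:27f446230c60bbf0b70e008db798bd4f33b7826f9f76f756606f5417100beef3
aquasec/trivy@sha256:0000000000000000000000000000000000000000000000000000000000000001
sha256:1111111111111111111111111111111111111111111111111111111111111111'

# Offline demonstration over the constructed sample; expect exactly one hit.
sample_matches() {
  printf '%s\n' "$SAMPLE" | find_compromised
}

# Pass --live to scan the real local image store instead of the sample.
if [ "${1:-}" = "--live" ]; then scan_local_images; else sample_matches; fi
```

Any COMPROMISED line means the image must be removed and every credential reachable from that host rotated, as the post describes.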