Hackers have compromised just about all variations of Aqua Safety’s extensively used Trivy vulnerability scanner in an ongoing provide chain assault that would have wide-ranging penalties for builders and the organizations that use them.
Trivy maintainer Itay Shakury confirmed the compromise on Friday, following rumors and a thread, since deleted by the attackers, discussing the incident. The assault started within the early hours of Thursday. When it was executed, the risk actor had used stolen credentials to force-push all however one of many trivy-action tags and 7 setup-trivy tags to make use of malicious dependencies.
Assume your pipelines are compromised
A forced push is a git command that overrides a default security mechanism that protects in opposition to overwriting current commits. Trivy is a vulnerability scanner that builders use to detect vulnerabilities and inadvertently hardcoded authentication secrets and techniques in pipelines for creating and deploying software program updates. The scanner has 33,200 stars on GitHub, a excessive ranking that signifies it’s used extensively.
“Should you suspect you had been operating a compromised model, deal with all pipeline secrets and techniques as compromised and rotate instantly,” Shakury wrote.
Safety corporations Socket and Wiz stated that the malware, triggered in 75 compromised trivy-action tags, causes customized malware to completely scour growth pipelines, together with developer machines, for GitHub tokens, cloud credentials, SSH keys, Kubernetes tokens, and no matter different secrets and techniques might stay there. As soon as discovered, the malware encrypts the info and sends it to an attacker-controlled server.
The tip consequence, Socket stated, is that any CI/CD pipeline utilizing software program that references compromised model tags executes code as quickly because the Trivy scan is run. Spoofed model tags embrace the extensively used @0.34.2, @0.33, and @0.18.0. Model @0.35.0 seems to be the one one unaffected.
