When the Scanner Becomes the Weapon

On March 19, 2026, attackers hijacked Trivy, one of the most widely used open-source security scanners in the world, and turned it into a credential-stealing backdoor active inside thousands of CI/CD pipelines. Here is how Unique AI was not among the victims, and why.

What happened
Trivy, published by Aqua Security, is an open-source tool that scans software for known security vulnerabilities. It is embedded in the automated build pipelines of tens of thousands of technology companies worldwide, including many in the financial services sector. Security teams trust it precisely because it is a security tool.
That trust became the attack vector.
A threat actor group identified as TeamPCP had quietly gained a foothold in Aqua Security's infrastructure weeks before the attack, exploiting a misconfigured automation workflow. Aqua detected that earlier breach and rotated credentials, but the rotation was incomplete. The attackers retained access via credentials that survived the cleanup.
What followed was a two-phase attack spanning nearly three weeks, and one of the most sophisticated supply chain compromises of security tooling on record:
- Late February 2026
  Attackers exploit a misconfigured pull_request_target workflow in Trivy's GitHub Actions, a known dangerous pattern that grants write permissions to code from untrusted forks. An autonomous bot named hackerbot-claw uses this to steal a Personal Access Token with repository write access.
- March 1, 2026
  First disclosure: incomplete remediation. Aqua Security discovers the earlier breach and publicly discloses it. Credentials are rotated, but the rotation is not comprehensive. The threat actor retains access via at least one credential that survives the cleanup, maintaining their foothold inside Aqua's release infrastructure for another 18 days.
- March 19, 17:43 UTC
  Tag poisoning begins. Using the surviving credential, attackers force-push 76 of 77 version tags in the trivy-action repository, silently redirecting them to malicious code. All 7 tags in the companion setup-trivy action are also poisoned. Any pipeline referencing these tags by name now runs attacker code, with no visible change to the repository.
- March 19, 18:22 UTC
  Malicious binary published. A backdoored Trivy binary (v0.69.4) is pushed to GitHub Releases, Docker Hub, the GitHub Container Registry, and the Amazon ECR public gallery, all through Aqua Security's own authenticated accounts. The binary is indistinguishable from a legitimate release.
- March 19 → March 22
  Credential harvesting at scale. The malware reads directly from process memory on GitHub Actions runners, bypassing log masking. It harvests SSH keys, cloud provider tokens (AWS, GCP, Azure), Kubernetes credentials, Docker configurations, TLS private keys, and database passwords. Everything collected is encrypted with AES-256 + RSA-4096 and exfiltrated to a command-and-control server. The attack runs silently: pipelines appear to complete successfully.
- March 20, 05:40 UTC
  Aqua Security removes the malicious GitHub Actions artifacts. Safe version guidance is published. However, attackers push additional malicious Docker Hub images (v0.69.5, v0.69.6, latest) on March 22, extending the exposure window by another ten hours.
- March 23, 08:00 UTC
  Docker Hub quarantines remaining compromised images in coordination with Aqua Security. The last known clean release of Trivy is v0.69.3. More than 1,000 cloud environments are confirmed compromised industry-wide.
The attack carries CVE-2026-33634 with a critical severity rating.
Why this attack was so effective
To understand why over a thousand organizations were hit, it helps to understand a fundamental assumption baked into most CI/CD pipelines: that a version tag is a stable, trustworthy reference.
When a developer writes uses: aquasecurity/trivy-action@v0.28.0 in a GitHub Actions workflow, they expect that tag to always point to the same code they reviewed and approved. But version tags in Git are mutable pointers. Anyone with write access to a repository can silently move a tag to point at entirely different code, without changing the workflow file that references it, without creating a new release, and without triggering any automated alerts.
"Version tags can be moved to point at malicious commits, as demonstrated in this attack. Every CI/CD pipeline that referenced these actions by tag name began running the attacker's code on its next execution, with no visible change on GitHub to alert maintainers or consumers."
Microsoft Security Blog
The malicious code was also designed for stealth: it ran before the legitimate Trivy scanner, so pipelines appeared to complete normally and produced real scan results. Commit metadata was spoofed; the malicious commits displayed the correct author name, message, and timestamp of a legitimate prior commit, making forensic investigation harder. The exfiltration channel used a typosquatted domain (scan.aquasecurtiy[.]org) that closely mirrored Aqua Security's legitimate domain. Network monitoring tools relying on exact string matching would not have flagged it.
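The exact-match gap described above can be closed by comparing each label of an observed hostname against protected brand labels with an edit distance that counts adjacent transpositions. This is an added detection sketch, not code from the article or from any vendor named in it; the protected label `aquasecurity` is an assumption taken from the GitHub organization name on this page, and the list of observed domains is constructed.

```python
def osa_distance(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution
    and transposition of two adjacent characters each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent swap
        prev2, prev = prev, cur
    return prev[len(b)]


# Assumption: brand label to protect, taken from the GitHub org name.
PROTECTED_LABELS = ("aquasecurity",)


def lookalike_hits(domains, protected=PROTECTED_LABELS, max_distance=2):
    """Return (domain, label, brand, distance) for near-miss labels.
    Distance 0 is the genuine label and is not reported."""
    hits = []
    for raw in domains:
        host = raw.replace("[.]", ".").lower().rstrip(".")  # accept defanged input
        for label in host.split("."):
            for brand in protected:
                d = osa_distance(label, brand)
                if 0 < d <= max_distance:
                    hits.append((raw, label, brand, d))
    return hits


# Constructed egress sample; only the typosquatted domain is from the article.
OBSERVED = [
    "github.com",
    "scan.aquasecurtiy[.]org",
    "api.aquasecurity.example",
    "ghcr.io",
]

if __name__ == "__main__":
    for hit in lookalike_hits(OBSERVED):
        print(hit)
```

The swapped "ti" in the typosquatted label is one transposition away from the brand label, so it is reported at distance 1, while an exact-match blocklist of known-bad domains would have needed the indicator in advance.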
How Unique AI was protected
Unique AI was not impacted by this attack. That outcome was not accidental; it was the result of specific, deliberate engineering controls embedded in our secure software delivery lifecycle. The following controls together ensured we had no exposure during the entire window of the attack.
Control 1: SHA pinning of all third-party GitHub Actions
Every external GitHub Action in our pipelines is pinned to a full, immutable commit SHA, not a version tag. A version tag can be silently moved; a commit SHA cannot. Even if an attacker force-pushes every tag in a repository, our workflows reference code that has not changed.
Control 2: Digest pinning for container images
Where Trivy is used as a container image, we pin by digest (image@sha256:...), not by tag. The latest tag was re-pointed to malicious content multiple times during this attack. Our pipelines pulled the exact bytes we approved, regardless of what the tag pointed to.
Control 3: Minimal CI/CD secret exposure
We apply least-privilege principles to GitHub Actions runner environments. Secrets are scoped narrowly to the jobs that require them, with short-lived tokens where possible. This limits the blast radius if a pipeline is ever compromised, as an attacker would find a smaller surface to harvest.
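Controls 1 and 2 can be enforced mechanically. The following added example (not Unique AI's tooling) audits workflow text for `uses:` references that are not pinned to a full 40-character commit SHA and for `image:` or `docker://` references that are not pinned by digest. The sample workflow, the `registry.example` image name and the `example-org` action are constructed; only the trivy-action line comes from the article.

```python
import re

SHA_REF = re.compile(r"^[0-9a-f]{40}$")             # full commit SHA after '@'
DIGEST_REF = re.compile(r"@sha256:[0-9a-f]{64}$")   # image@sha256:<digest>
USES_LINE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
IMAGE_LINE = re.compile(r"^\s*(?:-\s*)?image:\s*['\"]?([^'\"\s#]+)")


def audit_workflow(text):
    """Return (line_no, reference, reason) for each mutable reference."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith("./"):      # local action, versioned with the repo
                continue
            if ref.startswith("docker://"):
                if not DIGEST_REF.search(ref):
                    findings.append((no, ref, "image not pinned by digest"))
                continue
            rev = ref.partition("@")[2]
            if not SHA_REF.match(rev):    # tag, branch, short SHA or nothing
                findings.append((no, ref, "action not pinned to a full commit SHA"))
            continue
        m = IMAGE_LINE.match(line)
        if m and not DIGEST_REF.search(m.group(1)):
            findings.append((no, m.group(1), "image not pinned by digest"))
    return findings


# Constructed workflow; only the trivy-action line comes from the article.
SAMPLE = "\n".join([
    "jobs:",
    "  scan:",
    "    runs-on: ubuntu-latest",
    "    container:",
    "      image: registry.example/scanner:latest",
    "    steps:",
    "      - uses: example-org/example-action@" + "a" * 40,
    "      - uses: aquasecurity/trivy-action@v0.28.0",
    "      - uses: ./.github/actions/local-step",
    "      - uses: docker://registry.example/scanner@sha256:" + "b" * 64,
])

if __name__ == "__main__":
    for no, ref, reason in audit_workflow(SAMPLE):
        print(f"line {no}: {ref}: {reason}")
```

Run as a required check on changes to workflow files, this turns any unpinned reference into a failed review gate, so a reference only changes through a deliberate, reviewed commit.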
What this means for our customers
Unique AI serves regulated financial institutions, including banks, asset managers, and insurers, for whom a credential compromise in a cloud environment is not an abstract risk. It can mean unauthorized access to production systems, exposure of confidential data, and regulatory notification obligations under DORA and GDPR Article 33.
We want to be transparent about two things. First: our own environment was not compromised in this incident. The controls described above produced the outcome we designed them for. Second: if you are a financial institution running Trivy or related Aqua Security open-source tooling in your own infrastructure or CI/CD pipelines, independently of Unique AI, you should verify your exposure using the published indicators of compromise and guidance from Aqua Security, Docker, and Microsoft.
If you may be affected
Review all workflows using aquasecurity/trivy-action or aquasecurity/setup-trivy. Check pipeline logs from March 19–22, 2026 for outbound connections to unfamiliar domains, unexpected process execution, or the creation of a repository named tpcp-docs in your GitHub organization. All secrets accessible to runner environments during the affected window must be treated as potentially compromised and rotated immediately.
The last known clean release of the Trivy binary is v0.69.3. The following Docker Hub image digests are confirmed compromised. If any of these appear in your local image store, registry mirrors, or Artifactory/Nexus caches, treat the environment as exposed:
| Version | Image digest |
|---|---|
| v0.69.6 | sha256:425cd3e1a2846ac73944e891250377d2b03653e6f028833e30fc00c1abbc6d33 |
| v0.69.5 | sha256:5aaa1d7cfa9ca4649d6ffad165435c519dc836fa6e21b729a2174ad10b057d2b |
| v0.69.4 | sha256:27f446230c60bbf0b70e008db798bd4f33b7826f9f76f756606f5417100beef3 |
Safe version guidance and a full list of indicators of compromise are available in Aqua Security's official advisory.
The broader pattern
The Trivy attack did not emerge in isolation. It is the most sophisticated entry yet in a clear and accelerating escalation of software supply chain attacks: SolarWinds in 2020, Codecov in 2021, the tj-actions/changed-files compromise in 2025, and now this. Each attack has refined the technique, and each one has targeted the software delivery infrastructure that organizations depend on to ship and secure their own products.
The lesson is not that open-source tooling cannot be trusted. Open-source software remains foundational to how secure, modern systems are built. The lesson is that trust must be anchored to specific, verified artifacts, not to names or tags. The code we run in our pipelines should be the exact code we reviewed, pinned to an immutable reference, with changes requiring deliberate human approval.
That principle guided the controls we built. It is why, during a week when over a thousand cloud environments were compromised, Unique AI's pipelines ran exactly the code they were supposed to.