News
List of products affected by the Trivy supply chain attack
Last updated: April 2, 2026
overview
Trivy is an open-source vulnerability scanner developed by Aqua Security. It can detect vulnerabilities, misconfigurations, secrets, and SBOMs across a wide range of targets, including container images, file systems, Git repositories, and cloud environments, and is used in a variety of applications, such as integration into CI/CD pipelines.
On March 27, 2026, a supply chain attack on the open-source container scanning tool Trivy was announced. According to public information, some Trivy-related resources were attacked, and information-stealing malware may have been distributed.
Furthermore, given that CISA recommends prioritizing responses to vulnerabilities that have been confirmed to be exploited through its Known Exploited Vulnerabilities (KEV) Catalog, we recommend prioritizing the verification and response of these vulnerabilities.
This document outlines the details of the supply chain attack and identifies the affected products and components, compiling the information necessary for verifying usage and determining appropriate responses.
List of products and components affected
The following is a list of products and components that have been confirmed to be affected, or are potentially affected, in this supply chain attack, based on publicly available information and our own investigation. This list includes not only products handled by SIDfm, but also other products.
If you meet the "Applicable Conditions" in the table below, you may have been affected.
The content will be added and updated as further research and publicly available information are released.
| Products / Components | Implementation Route | Version | Period of falsification | Applicable conditions | judgement | reference |
| aquasec/trivy | Docker Hub | v0.69.4,v0.69.5,v0.69.6,latest | v0.69.4: 2026-03-19 18:22–21:42 UTC (about 3 hours)
v0.69.5–v0.69.6: 2026-03-22 15:43–2026-03-23 01:40 UTC (about 10 hours) |
I usedthe above tags by pulling them from Docker. | Yes | Aqua Blog |
| Trivy Binary | GitHub Releases | v0.69.4 | 2026-03-19 18:22–21:42 UTC (approximately 3 hours) | I downloaded and used the version from GitHub Releases. | Yes | Aqua Blog |
| aquasecurity/trivy-action | GitHub Actions | 0.0.1 – 0.34.2 | 2026-03-19 17:43 UTC – 2026-03-20 05:40 UTC (about 12 hours) | Using the version in question via tag reference (without SHA fixation). | Yes | CVE-2026-33634 |
| aquasecurity/setup-trivy | GitHub Actions | 0.2.0 – 0.2.5 (< 0.2.6) | 2026-03-19 17:43–21:44 UTC (approximately 4 hours) | Using the version in question via tag reference (without SHA fixation). | Yes | CVE-2026-33634 |
| Checkmarx/kics-github-action | GitHub Actions | Affected tags (details not yet publicly available) | 2026-03-23 12:58–16:50 UTC (approximately 4 hours) | I used tag referencing (without SHA fixation). The secure version is v2.1.20 or later. | Possible | Aqua Blog |
| Checkmarx/ast-github-action | GitHub Actions | Affected tags (details not yet publicly available) | 2026-03-23 (Details not yet announced) | I used tag referencing (without SHA fixation).
The safe version is v2.3.33 or later. |
Possible | Aqua Blog |
| Trivy VSCode Extension | Open VSX | 1.8.12 (Open VSX distribution version) | not clear | I installed and used that version from Open VSX. | Yes | CVE-2026-28353 |
| cx-dev-assist | Open VSX | v1.7.0 | 2026-03-23 02:53–15:41 UTC (approximately 13 hours) | I installed and used the above version from Open VSX. | Yes | Aqua Blog |
| ast-results | Open VSX | v2.53.0 | 2026-03-23 02:53–15:41 UTC (approximately 13 hours) | I installed and used the above version from Open VSX. | Yes | Aqua Blog |
| litellm | PyPI | v1.82.7,v1.82.8 | 2026-03-24 (details unknown) | I installed and used the above version from PyPI. | Yes | CanisterWorm |
| telnyx | PyPI | 4.87.1、4.87.2 | 2026-03-27 03:51–10:13 UTC (approximately 6 hours) | I installed and used the above version from PyPI. | Yes | CanisterWorm |
* "Introduction route" indicates where the target was introduced from (e.g.,Docker Hub).
* "Specific Version (Details Unknown)" refers to items whose scope of impact has not been identified in publicly available information.
* The "Exposure Window" time is shown in UTC (Coordinated Universal Time) (JST is UTC+9 hours).
* For detailed information on the impact conditions, please refer to the source (primary information) for each line.
* The "Judgment" is divided into "Yes (Impact Confirmed)" and "Possible (Potential Impact)".
* npm Packages are,Public information on CanisterWormPlease also check the complete list of packages available.
*If applicableThis includes secret rotation, suspicious repositories (tpcp-docs,docs-tpcpConfirmation of etc.Please rebuild and redistribute the software as soon as possible, and then consider consulting with a security expert.
Related incidents observed during the same period
Around the same time, a supply chain attack on axios distributed via npm was reported. While no official connection has been confirmed to the impact on Trivy itself, we are posting this as a related cautionary note due to the possibility of a similar OSS supply chain attack occurring around the same time.
Google Threat Intelligence Group (GTIG/Mandiant) analyzed this incident as being caused by the North Korea-related threat actor UNC1069.
On the other hand, a different threat actor, UNC6780 (also known as TeamPCP), is believed to have been involved in the series of supply chain attacks related to Trivy, Checkmarx, and LiteLLM.
The attack on axios may have deployed the WAVESHAPER.V2 backdoor (a RAT compatible with Windows, macOS, and Linux) via the plain-crypto-js package.
| Products / Components | Implementation Route | Version | Period of falsification | Applicable conditions | judgement | reference |
| axios / plain-crypto-js | npm | axios@1.14.1,axios@0.30.4,plain-crypto-js@4.2.1 | 2026-03-31 00:21 ~ 03:15 (UTC) | If you obtain and installaxios@1.14.1oraxios@0.30.4using npm | Yes | axios/axios: deprecate.yml (GitHub)axios issue #10604: 1.14.1 and 0.30.4 are compromised (GitHub)Socket: Axios npm package compromised |
How to check for and deal with suspected infections
How to check the version:
If you are using axios v1.14.1 / v0.30.4 with npm, please update immediately (using the `npm list axios` command, etc.).
If you ran `npm install` between 2026-03-31 00:21 and03:15 (UTC), you may be infected.
Unlike Trivy, the axios case has been reported to involve the deployment of a RAT (Remote Access Trojan). This can make tracking difficult, but the following information may remain:
- /tmp/ used for communication with the C2 serverlRemaining d.py file
- Communication to the C2 domain sfrclak[.]com was detected along the way.
If you suspect a security breach, please consider consulting a security expert.
*If there is a large amount of information regarding axios, we will consider providing further updates.
How to check for and deal with suspected infections
How to identify products and components that may be susceptible to infection
- The YAML file under .github/workflows/ contains a description of trivy-action or setup-trivy.
- Obtained and used the aquasec/trivy image from Docker Hub.
- I downloaded and used the Trivy binary (v0.69.4) from GitHub Releases.
- Utilizing scanning features such as GitLab Container Registry / yamory (those using Trivy as their scanning engine)
- Using Harbor, with Trivy set as the scan engine.
- Using the Python package litellm (v1.82.7 / v1.82.8) or telnyx (v4.87.1 / v4.87.2)
- Install Trivy VSCode Extension (v1.8.12), cx-dev-assist (v1.7.0), or ast-results (v2.53.0) from Open VSX.
How to deal with a suspected infection
Secret Rotation
Please immediately rotate the secrets being used in the relevant workflow or environment. Below are some examples of secrets.
GitHub PAT
AWS Access Key
GCP Service Account Key
Azure Service Principal
Kubernetes service account token
Docker Hub credentials
SSH key
Database password
Check and delete suspicious repositories
Please check your organization's GitHub organization. If repositories such as tpcp-docs / docs-tpcp exist, these are the repository names created during the breach in this incident. We recommend that you immediately make them private or delete them and consult with a security expert.
Update to a secure version
Even if you cannot confirm that a breach has occurred, please check the "List of Products and Components Affected" mentioned above and immediately update to a secure version.
Preservation of records such as CI/CD execution logs.
To ensure that we can investigate as needed, we recommend preserving various logs and cloud API activity logs (such as CloudTrail) for the relevant period.
Preventive measures
If for any reason it is difficult to update the version or take fundamental action, or if you want to reduce the possibility of future infections as much as possible, please consider the following measures.
- Migrate GitHub Actions version references from tags to commit SHA fixation.
- Minimize the number of secrets passed to the CI/CD runner. Implement measures such as separating permissions based on their purpose to minimize the scope of damage in the event of a breach.
Summary of Scan Engines for Major Container Registries
Major public container registries offer vulnerability scans in different ways. While some services utilize Trivy, many cloud providers opt for configurations that integrate with their own managed functions (such as Inspector, Artifact Analysis, and Defender).
Scan engine adoption by registry
| registry | Engine used | Main points | Reference information |
| Docker Hub | Docker Scout | We have migrated from the old Snyk integration to Docker Scout. In addition to vulnerability scanning, we now also support SBOM generation and supply chain analysis. | Docker Scout Documentation |
| GitHub Container Registry (GHCR) | GitHub native features + Actions / external scanners | GHCR's primary purpose is the storage and management of container images. Vulnerability scanning is typically implemented by combining it with GitHub Actions or external scanners. | GitHub Docs |
| Amazon ECR | Basic scanning / Amazon Inspector | Two types of scans are offered: basic and advanced. Advanced scans utilize Amazon Inspector. | AWS Documentation |
| Quay.io | Clair | Scanning by Clair, which is natively integrated into Quay, is enabled. | Quay documentation |
| GitLab Container Registry | Tri-V | I switched from Clair to Trivy, which I now use as my standard scanning tool. | GitLab Documentation |
| Google Artifact Registry | Artifact Analysis | Vulnerability information is provided through Artifact Analysis's registry scanning. | Google Cloud Documentation |
| Azure Container Registry | Microsoft Defender for container registries | We provide vulnerability scanning capabilities for container registries through Defender for Cloud. | Microsoft Learn |
| Harbor | Trivy (standard) / Clair etc. | Multiple scanners are available, with Trivy being the current standard. | Harbor Document |
Reference information
- CISA, “CISA Adds One Known Exploited Vulnerability to Catalog,”CISA, March 26, 2026.
- rami.io, “Team PCP Timeline,”ramimac.me.
- “GitHub Discussion (Incident Summary),”GitHub.
- Aqua Security, “Ongoing Investigation and Continued Remediation (Trivy Supply Chain Attack),”Aqua Security Blog.
- “CVE-2026-26189 (trivy-action command injection),”NVD.
- “CVE-2026-26189,”Aqua AVD.
- “CVE-2026-28353 (Trivy VSCode Extension),”Aqua AVD.
- “CVE-2026-28353,”NVD.
- “GHSA-69fq-xp46-6×23,”GitLab Advisory Mirror.
- “CVE-2026-33634,”CVE.org.
- “CanisterWorm – Details of the npm supply chain attack,”socket.dev.
- “Docker Scout Documentation,”Docker Docs.
- “Working with the Container registry,”GitHub Docs.
- “Scan container images for software vulnerabilities in Amazon ECR,”AWS Documentation.
- “Project Quay Documentation,”Project Quay Docs.
- “Container Scanning,”GitLab Docs.
- “Container Scanning overview,”Google Cloud Docs.
- “Defender for container registries,”Microsoft Learn.
- “Vulnerability Scanning,”Harbor Documentation.
- Checkmarx, “Checkmarx Security Update,”Checkmarx Blog.
- BerriAI, “Security Update March 2026,”LiteLLM Docs.
- “PYSEC-2026-2 (litellm),”PyPA Advisory Database.
- Telnyx, “Telnyx Python SDK Supply Chain Security Notice,”Telnyx.
- “PYSEC-2026-3 (telnyx),”OSV.
- “Supply Chain Attack on Axios Pulls Malicious Dependency from npm,”Socket Blog.
- “npm user jasonsaayman,”Socket Package Intelligence.
- TeamPCP Hacks Checkmarx GitHub Actions Using Stolen CI Credentials
- Google Cloud, “North Korea Threat Actor Targets Axios npm Package,”Google Cloud Blog.
Update History
- April 2, 2026
- Related incidents observed during the same period
- I've added the GTIG analysis results.
- I've added the GTIG analysis results.
- Related incidents observed during the same period
- April 1, 2026
- The following content has been added.
- Related incidents observed during the same period
- How to check for and deal with suspected infections
- How to identify products and components that may be susceptible to infection
- How to deal with a suspected infection
- The following content has been added.
- March 31, 2026
- New release
[Disclaimer]
This information is based on publicly available information and our own research, and is provided for informational purposes only.
While we strive to ensure the accuracy of the information provided, we cannot guarantee its completeness, and it may be subject to change depending on future circumstances.
When deciding on a course of action, please also refer to official sources and other relevant information.