Trivy Security Scanner Hacked in Supply-Chain Attack

The Trivy vulnerability scanner—used by thousands of companies to find security flaws in their code—has been compromised. Attackers injected malicious code into the tool, meaning anyone who downloaded it recently may have pulled malware straight into their systems.

Trivy is one of the most popular open-source security scanners in the world. DevOps teams and CI/CD pipelines use it constantly to scan container images and code repositories for vulnerabilities. If your organization relies on it, there’s a decent chance you downloaded a poisoned version.

The attack appears to be ongoing. The bad news: if you pulled a compromised build, secrets stored in your environment—API keys, credentials, tokens—are likely exposed. The recommendation from security teams is blunt: rotate everything. Assume attackers have access to your authentication material and change it now.
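As an added example (not from the article, and not tooling from the Trivy project), here are two checks a defender can run before starting the credential rotation the article calls for: confirm that a downloaded scanner binary matches the digest its publisher lists, and find pipeline definitions that pull the scanner through a floating ref such as master or latest, which is exactly how a poisoned build reaches a CI/CD pipeline unnoticed. The file names, the expected digest and the sample workflow fragment are all constructed placeholders, as are the `example-org/trivy-action` and `example/trivy` names.

```shell
#!/bin/sh
# Added example, not code from the article or from the Trivy project.
# All file names, digests and the sample workflow below are constructed
# placeholders; substitute what your vendor actually publishes.

# sha256_of FILE -> prints the hex SHA-256 digest (coreutils or BSD shasum)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED_HEX -> exit 0 only if the digest matches.
# Compare against the publisher's released checksum before the binary is
# ever executed inside a pipeline.
verify_sha256() {
  actual="$(sha256_of "$1")"
  [ "$actual" = "$2" ]
}

# audit_pins FILE -> prints every line that references trivy through a
# floating ref (@master, @main, @latest, :latest). Exit 0 when every
# reference is pinned to a fixed tag or commit, 1 otherwise.
audit_pins() {
  if grep -n -i 'trivy' "$1" | grep -E -i '@(master|main|latest)|:latest'; then
    return 1
  fi
  return 0
}

# count_unpinned FILE -> prints how many floating references the file has
count_unpinned() {
  grep -i 'trivy' "$1" | grep -E -i -c '@(master|main|latest)|:latest'
}

# write_sample_workflow FILE -> writes a constructed CI fragment for the demo
write_sample_workflow() {
  cat > "$1" <<'EOF'
# constructed sample pipeline fragment (not a real workflow)
steps:
  - uses: example-org/trivy-action@master                  # floating: flagged
  - uses: example-org/trivy-action@v0.0.0-placeholder      # pinned tag: passes
  - run: docker run example/trivy:latest image app:1       # floating: flagged
  - run: docker run example/trivy:0.0.0-placeholder image app:1   # pinned
EOF
}

# Demo: run with --demo to see both checks against constructed input.
if [ "${1:-}" = "--demo" ]; then
  tmp="$(mktemp -d)"
  write_sample_workflow "$tmp/ci.yml"
  printf 'placeholder binary contents\n' > "$tmp/trivy"
  expected="$(sha256_of "$tmp/trivy")"   # stands in for the vendor's published digest
  verify_sha256 "$tmp/trivy" "$expected" && echo "checksum: ok"
  echo "floating scanner references in $tmp/ci.yml:"
  audit_pins "$tmp/ci.yml" || echo "-> $(count_unpinned "$tmp/ci.yml") reference(s) need pinning"
  rm -rf "$tmp"
fi
```

Run the script with `--demo` to see it flag the two floating references in the constructed fragment; in practice, point `audit_pins` at your real workflow files and `verify_sha256` at the binary you fetched, with the digest taken from the publisher's release page rather than from the same download location as the binary.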

This joins a growing list of supply-chain attacks targeting developer tools. Last year saw similar compromises of widely used packages and repositories. The attack surface keeps expanding because tool creators have become high-value targets: compromise one popular scanner and you compromise thousands of companies at once.