Home / Companies / Crowdstrike / Blog / Post Details
Content Deep Dive

From Scanner to Stealer: Inside the trivy-action Supply Chain Compromise

Blog post from Crowdstrike

Post Details
Company
Date Published
Author
Aqua Security
Word Count
3,576
Company Posts That Month
Language
English
Hacker News Points
-
Post removed?
No
Summary

CrowdStrike's analysis uncovered a complex supply chain compromise involving the trivy-action GitHub Action, commonly used in CI/CD pipelines. The compromise involved 76 out of 77 release tags of the vulnerability scanner being retroactively poisoned through a technique known as git tag repointing. This allowed a multi-stage credential stealer to execute silently before the legitimate scanner, enabling the theft of sensitive credentials and information from affected workflows. The attack exploited GitHub Actions' trust model, where actions are referenced by tags that can be silently altered, thereby highlighting the vulnerabilities in mutable references within software supply chains. Aqua Security confirmed the compromise and removed the malicious artifacts, while CrowdStrike's detection mechanisms identified the unusual script behavior, providing protection and investigation capabilities for affected organizations. The analysis underscores the importance of pinning actions by commit SHA, monitoring CI/CD environments with diligence, and treating pipeline code with the same scrutiny as production code to mitigate similar threats in the future.

Trends Found in this Post
Trend Post Mentions Total Month Mentions Posts Companies MoM
Secrets Management 7 437 72 18 +103%
AI Agents 4 2,394 1,321 1 -
Kubernetes 1 1,086 169 37 +2%
OpenClaw 1 No monthly metrics for this publish month.
Real-time 1 1,659 640 46 +203%
Use This Data

Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.