https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise
reports that a compromised credential with write access to the repository
was used to modify 75 out of 76 version tags in the aquasecurity/trivy-action
repository, the official GitHub Action for running Trivy vulnerability scans in
CI/CD pipelines.
The tags were modified to point to a commit that runs an infostealer malware
before running the expected vulnerability scan.
The blog post provides far more detail on what the injected malware does,
how the attackers modified the tags and tried to hide their changes, and
how this was detected.
--
-Alan Coopersmith-
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
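The attack described above works because a version tag is a mutable pointer: whoever holds write access can move it to a different commit, and every pipeline that says `uses: ...@<tag>` silently follows. As an added example (not part of the post or the trivy-action project), the script below does two defender-side checks: it compares the current tag-to-commit mapping of a repository (in the shape `git ls-remote --tags` prints) against a snapshot recorded when the action was vetted, and it flags workflow `uses:` references that are not pinned to a full 40-hex commit SHA. All SHAs, tag names and the workflow text are constructed placeholders, not real trivy-action data.

```python
import re

# Constructed snapshot: tag -> commit recorded when the action was vetted.
# The SHAs are placeholders, not real trivy-action commits.
TRUSTED_TAGS = {
    "0.28.0": "1111111111111111111111111111111111111111",
    "0.29.0": "2222222222222222222222222222222222222222",
    "0.30.0": "3333333333333333333333333333333333333333",
}

# Constructed sample in the shape of `git ls-remote --tags` output; two tags
# have been moved to one new commit to simulate tag tampering. The trailing
# "^{}" line is how ls-remote reports the peeled target of an annotated tag.
SAMPLE_LS_REMOTE = """\
1111111111111111111111111111111111111111\trefs/tags/0.28.0
9999999999999999999999999999999999999999\trefs/tags/0.29.0
9999999999999999999999999999999999999999\trefs/tags/0.30.0
9999999999999999999999999999999999999999\trefs/tags/0.30.0^{}
"""

# Constructed sample workflow: one reference pinned to a (placeholder) commit
# SHA, one referencing a mutable version tag.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  - uses: aquasecurity/trivy-action@0.30.0
    with:
      scan-type: fs
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"uses:\s*([^@\s]+)@(\S+)")

def parse_ls_remote(text):
    """Map tag name -> commit, skipping the peeled '^{}' duplicate lines."""
    tags = {}
    for line in text.splitlines():
        sha, _, ref = line.partition("\t")
        if ref.startswith("refs/tags/") and not ref.endswith("^{}"):
            tags[ref[len("refs/tags/"):]] = sha
    return tags

def moved_tags(trusted, current):
    """Return tags whose commit differs from the vetted snapshot: {tag: (old, new)}."""
    return {t: (trusted[t], current[t]) for t in trusted
            if t in current and current[t] != trusted[t]}

def unpinned_uses(workflow_text):
    """Return (action, ref) pairs whose ref is not a full commit SHA."""
    return [(a, r) for a, r in USES_RE.findall(workflow_text) if not SHA_RE.match(r)]

if __name__ == "__main__":
    for tag, (old, new) in moved_tags(TRUSTED_TAGS, parse_ls_remote(SAMPLE_LS_REMOTE)).items():
        print(f"tag {tag} moved: {old[:12]} -> {new[:12]}")
    for action, ref in unpinned_uses(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref} (pin to a full commit SHA)")
```

Run against live data by feeding the real `git ls-remote --tags` output to `parse_ls_remote` and your `.github/workflows/*.yml` files to `unpinned_uses`; a tag that moves between two runs is exactly the signal this incident would have produced.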