
Hackers have compromised nearly all release tags of the GitHub Actions for Aqua Security's widely used Trivy vulnerability scanner in an ongoing supply chain attack that could have wide-ranging consequences for developers and the organizations that rely on it.
Trivy maintainer Itay Shakury confirmed the compromise on Friday after rumors and threads discussing the incident were deleted by the attackers. The attack began in the early hours of Thursday. Using stolen credentials, the threat actor force-pushed the trivy-action tags and all but one of the seven setup-trivy tags so that they pointed at a malicious dependency.
Assume your pipelines have been compromised
A force push (git push --force) overrides git's default refusal to overwrite a remote ref with history that is not a descendant of what it already holds; applied to a tag, it silently moves an existing version tag to a different commit, so anyone who fetches that tag from then on gets the new content. Trivy is a vulnerability scanner that developers run in the pipelines they use to build and deploy software updates, to detect known vulnerabilities and inadvertently hardcoded authentication secrets. The project has 33,200 stars on GitHub, a high count that indicates it is widely used.
“If you suspect you were running a compromised version, treat all pipeline secrets as compromised and rotate immediately,” Shakury wrote.
Security firms Socket and Wiz said the malicious code, triggered by 75 compromised trivy-action tags, scours development pipelines, including developer machines, for GitHub tokens, cloud credentials, SSH keys, Kubernetes tokens, and whatever other secrets reside there. Once found, the malware encrypts the data and sends it to an attacker-controlled server.
The end result, Socket said, is that any CI/CD pipeline referencing a compromised version tag executes the attacker's code as soon as the Trivy scan runs. Overwritten version tags include the widely used @0.34.2, @0.33, and @0.18.0; only version @0.35.0 appears to be unaffected.
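As an added example, not code from the article, Aqua Security, Socket or Wiz, the following Python script audits a GitHub Actions workflow for uses: lines that reference aquasecurity/trivy-action or aquasecurity/setup-trivy by a mutable tag instead of a full commit SHA, and flags the trivy-action tags the article names as overwritten. The sample workflow is constructed for the example, the 40-hex SHA pin in it is a placeholder, and the affected and unaffected tag sets contain only the versions mentioned above, not the maintainers' complete list.

```python
"""Audit a GitHub Actions workflow for Trivy action references that a moved
tag could redirect. Added example; not Aqua Security's, Socket's or Wiz's code."""
import re

# Tags the article names as overwritten on aquasecurity/trivy-action, and the one
# it reports as unaffected. Starting point only; extend from the project's advisory.
AFFECTED_TRIVY_ACTION_TAGS = {"0.34.2", "0.33", "0.18.0"}
UNAFFECTED_TRIVY_ACTION_TAGS = {"0.35.0"}

TRIVY_ACTIONS = ("aquasecurity/trivy-action", "aquasecurity/setup-trivy")

# Matches `uses: owner/repo@ref`, with or without a leading list dash.
# Only spaces/tabs are allowed before it so a match never spans lines.
USES_RE = re.compile(
    r"^[ \t]*-?[ \t]*uses:[ \t]*(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)@(?P<ref>[^\s#]+)",
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(action: str, ref: str) -> str:
    """Return a risk label for one `uses:` reference."""
    if action not in TRIVY_ACTIONS:
        return "other"
    if FULL_SHA_RE.match(ref):
        # A full commit SHA cannot be redirected by force-pushing a tag.
        return "pinned-sha"
    if action == "aquasecurity/trivy-action":
        if ref in AFFECTED_TRIVY_ACTION_TAGS:
            return "affected-tag"
        if ref in UNAFFECTED_TRIVY_ACTION_TAGS:
            return "unaffected-tag"
    # Any other tag or branch name is mutable: verify it against the advisory.
    return "mutable-ref"


def audit_workflow(text: str) -> list[dict]:
    """Return one finding per Trivy action reference, in file order."""
    findings = []
    for m in USES_RE.finditer(text):
        action, ref = m.group("action"), m.group("ref")
        status = classify(action, ref)
        if status == "other":
            continue
        line_no = text.count("\n", 0, m.start()) + 1
        findings.append({"line": line_no, "action": action, "ref": ref, "status": status})
    return findings


def needs_rotation(findings) -> bool:
    """True when any step referenced an affected or unverified mutable ref."""
    return any(f["status"] in ("affected-tag", "mutable-ref") for f in findings)


# Constructed sample workflow; the SHA on the last step is a placeholder, not a real pin.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.0
      - name: Scan image
        uses: aquasecurity/trivy-action@0.34.2
        with:
          image-ref: myorg/app:latest
      - uses: aquasecurity/trivy-action@0.35.0
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # placeholder pin
"""

if __name__ == "__main__":
    results = audit_workflow(SAMPLE_WORKFLOW)
    for f in results:
        print(f"line {f['line']:>3}: {f['action']}@{f['ref']} -> {f['status']}")
    print("rotate pipeline secrets:", needs_rotation(results))
```

Point audit_workflow at each file under .github/workflows. A full-SHA pin is immune to a moved tag, but a workflow that ran with an affected tag during the attack window has already exposed its secrets, so the rotation decision follows what actually ran, not only what the file says now. To see what a tag currently resolves to on the remote, git ls-remote --tags against the action repository lists each tag with its commit.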