On March 19, 2026, the Trivy vulnerability scanner was compromised for the second time in three weeks. Attackers force-pushed 75 out of 76 version tags in aquasecurity/trivy-action to deliver an infostealer that scrapes runner memory, harvests cloud credentials, and exfiltrates everything via encrypted channels. Here’s my full analysis of the malware payload and what you need to do if your workflows were affected.
Trivy GitHub Actions Compromised: Full Malware Payload Analysis
