CVE-2026-33634

Aquasecurity Trivy — Supply Chain Compromise via Embedded Malicious Code
⚠️ CVSS 3.1  8.8 / 10 — HIGH 🔴 CISA Known Exploited Vulnerability

Overview

Actively Exploited. This vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 26, 2026 with a remediation deadline of April 9, 2026. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2026-33634 is a supply chain compromise affecting the Aquasecurity Trivy security scanner ecosystem. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in aquasecurity/trivy-action to credential-stealing malware, and replace all 7 tags in aquasecurity/setup-trivy with malicious commits. The attack also extended to the PyPI packages litellm (versions 1.82.7–1.82.8) and telnyx (versions 4.87.1–4.87.2). The flaw is classified as CWE-506: Embedded Malicious Code.

Supply Chain Attack: Continuation of February 2026 Compromise

This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic — not all credentials were revoked simultaneously. The attacker could have used a still-valid token to exfiltrate newly rotated secrets during the rotation window (which lasted several days), allowing them to retain access and execute the March 19 attack.

Multi-vector attack. The attacker compromised multiple distribution channels simultaneously: GitHub releases, GitHub Actions version tags, Docker Hub images, and PyPI packages — making this one of the most far-reaching open-source supply chain attacks in 2026.

What the Malicious Code Did

  • Process memory dumping: Dumped Runner.Worker process memory via /proc/<pid>/mem to extract CI/CD secrets.
  • Credential harvesting: Swept 50+ filesystem paths for SSH keys, AWS/GCP/Azure credentials, Kubernetes tokens, Docker configs, .env files, database credentials, and cryptocurrency wallets.
  • Encrypted exfiltration: Encrypted collected data using AES-256-CBC with RSA-4096 hybrid encryption and transmitted to attacker-controlled infrastructure.
  • Fallback exfiltration: If direct exfiltration failed and INPUT_GITHUB_PAT was set, created a public tpcp-docs repository on the victim's GitHub account and uploaded stolen data as a release asset.

Exposure Window

| Component | Start (UTC) | End (UTC) | Duration |
|---|---|---|---|
| trivy v0.69.4 | 2026-03-19 18:22 | 2026-03-19 ~21:42 | ~3 hours |
| trivy-action | 2026-03-19 ~17:43 | 2026-03-20 ~05:40 | ~12 hours |
| setup-trivy | 2026-03-19 ~17:43 | 2026-03-19 ~21:44 | ~4 hours |
| DockerHub trivy 0.69.5/0.69.6 | 2026-03-22 15:43 | 2026-03-23 ~01:40 | ~10 hours |
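The exposure windows above are what an incident responder checks workflow run timestamps against. The following is an added example, not tooling from Aqua Security or from this advisory: it encodes the four windows from the table and triages a constructed list of CI run records, flagging any run that started inside a window. Because several window edges are marked "~" (approximate), the function takes a margin in minutes and widens each window by that amount; the run records, their IDs and the default 30-minute margin are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Exposure windows (UTC) exactly as given in the advisory table.
# Values the advisory marks "~" are approximate, hence the margin below.
EXPOSURE_WINDOWS = {
    "trivy-v0.69.4":          ("2026-03-19 18:22", "2026-03-19 21:42"),
    "trivy-action":           ("2026-03-19 17:43", "2026-03-20 05:40"),
    "setup-trivy":            ("2026-03-19 17:43", "2026-03-19 21:44"),
    "dockerhub-0.69.5-0.69.6": ("2026-03-22 15:43", "2026-03-23 01:40"),
}


def parse_utc(ts):
    """Parse '2026-03-19 18:22' or an API-style '2026-03-19T20:05:11Z' as UTC."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def in_exposure_window(component, when, margin_minutes=0):
    """True if `when` (tz-aware datetime) falls inside the component's
    exposure window, widened on both sides by `margin_minutes`."""
    start, end = (parse_utc(s) for s in EXPOSURE_WINDOWS[component])
    margin = timedelta(minutes=margin_minutes)
    return start - margin <= when <= end + margin


# Constructed sample run records (not real data): id, which component the
# workflow consumed, and the run start time as a CI API would report it.
SAMPLE_RUNS = [
    {"run_id": 1001, "component": "trivy-action",            "started": "2026-03-19T20:05:11Z"},
    {"run_id": 1002, "component": "trivy-action",            "started": "2026-03-19T17:10:00Z"},
    {"run_id": 1003, "component": "setup-trivy",             "started": "2026-03-20T09:00:00Z"},
    {"run_id": 1004, "component": "trivy-v0.69.4",           "started": "2026-03-19T21:50:00Z"},
    {"run_id": 1005, "component": "dockerhub-0.69.5-0.69.6", "started": "2026-03-22T23:59:00Z"},
]


def triage_runs(runs, margin_minutes=30):
    """Return the IDs of runs that started inside an exposure window.
    Every flagged run means: treat all secrets that run could reach as exposed."""
    return [
        r["run_id"]
        for r in runs
        if in_exposure_window(r["component"], parse_utc(r["started"]), margin_minutes)
    ]


if __name__ == "__main__":
    for run_id in triage_runs(SAMPLE_RUNS):
        print(f"run {run_id}: started inside an exposure window, rotate its secrets")
```

Run 1004 illustrates why the margin matters: it started eight minutes after the approximate end of the v0.69.4 window and is only flagged once the window is widened. When in doubt, widen the margin rather than narrow it; the cost of an unnecessary rotation is far lower than the cost of a missed one.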

Affected Components

Aquasecurity Trivy Ecosystem

| Component | Affected Versions | Safe Version |
|---|---|---|
| Trivy binary / container image | v0.69.4, v0.69.5, v0.69.6 | v0.69.2, v0.69.3 |
| aquasecurity/trivy-action | Tags 0.0.1 – 0.34.2 (76/77) | 0.35.0 |
| aquasecurity/setup-trivy | Tags 0.2.0 – 0.2.6 (before re-creation) | 0.2.6 (re-created) |

Other Affected Packages (PyPI)

| Package | Affected Versions |
|---|---|
| litellm (PyPI) | 1.82.7, 1.82.8 |
| telnyx (PyPI) | 4.87.1, 4.87.2 |

Distribution Channels Compromised

  • GitHub Releases
  • GitHub Actions Tags
  • GHCR (Container Registry)
  • Docker Hub
  • ECR Public
  • Deb / RPM packages
  • get.trivy.dev
  • PyPI

Not Affected

  • Trivy v0.69.3 or earlier (protected by GitHub immutable releases, enabled March 3)
  • Trivy binaries built from source (malicious code was not in the main branch)
  • Trivy installed via brew install trivy (official Homebrew formula builds from source)
  • Trivy images referenced by digest
  • trivy-action tag 0.35.0 (protected by immutable releases)
  • Actions pinned to full SHA hashes of safe commits

Attack Details

Trivy v0.69.4 Binary & Container Images

  1. Pushed a commit (1885610c) that swapped the actions/checkout reference to an imposter commit (70379aad) containing a composite action that downloaded malicious Go source files from a typosquatted domain.
  2. Added --skip=validate to goreleaser to bypass binary validation.
  3. Tagged this commit as v0.69.4, triggering the release pipeline.

The compromised release was distributed across all regular channels: GHCR, ECR Public, Docker Hub (both 0.69.4 and latest tags), deb/rpm packages, and get.trivy.dev.

trivy-action Tag Hijacking

The attacker force-pushed 76 of 77 version tags to malicious commits that injected an infostealer into entrypoint.sh. The malicious code executed before the legitimate Trivy scan, dumping process memory and sweeping 50+ filesystem paths for credentials.

setup-trivy Release Replacement

All 7 existing tags (v0.2.0 – v0.2.6) were force-pushed to malicious commits. The malicious action.yaml contained the same infostealer, injected as a "Setup environment" step. Remediated within ~4 hours; v0.2.6 was re-created with safe content.

Docker Hub Images (March 22)

Three days after the initial attack, the attacker created aquasec/trivy:0.69.5 and aquasec/trivy:0.69.6 with the same C2 payload, pushed directly to Docker Hub using separately-compromised Docker Hub credentials (not via GitHub).

Indicators of Compromise

Network

| Type | Indicator |
|---|---|
| C2 Domain (typosquat) | scan.aquasecurtiy.org |
| C2 IP Address | 45.148.10.212 |

GitHub Exfiltration Artifacts

Search for tpcp-docs repositories. If the fallback exfiltration mechanism was triggered, a public repository with a tpcp-docs- prefix will exist in the victim's GitHub organization, with stolen data uploaded as a release asset tagged data-<timestamp>.

Malicious container image digests

| Digest | Tag |
|---|---|
| sha256:27f446230c60bbf0b70e008db798bd4f33b7826f9f76f756606f5417100beef3 | 0.69.4 |
| sha256:12c702212dee1cbec9471e9261501a3335963321fe76e60e5a715b5acd3c40a2 | 0.69.4-linux/amd64 |
| sha256:2d7cee41048988eec27615412e7c6e2e21046f2b5faa888c24e11ca6764058ed | 0.69.4-linux/arm64 |
| sha256:5aaa1d7cfa9ca4649d6ffad165435c519dc836fa6e21b729a2174ad10b057d2b | 0.69.5 |
| sha256:425cd3e1a2846ac73944e891250377d2b03653e6f028833e30fc00c1abbc6d33 | 0.69.6 |

Impact

| Impact Area | Detail |
|---|---|
| Confidentiality | High — CI/CD secrets, cloud credentials, SSH keys, tokens, and sensitive environment variables exfiltrated |
| Integrity | High — Compromised build pipelines could produce tainted artifacts; stolen credentials enable further attacks |
| Availability | High — Attacker with stolen credentials can disrupt infrastructure, revoke access, or deploy ransomware |
| Subsequent Systems | High across all three — Stolen CI/CD secrets grant access to downstream production systems, cloud accounts, and repositories |

Blast Radius: Trivy is one of the most popular open-source security scanners, widely used in CI/CD pipelines. Any organization that ran a compromised version during the exposure window may have had their entire CI/CD secret inventory — cloud credentials, deployment keys, API tokens, and more — exfiltrated to attacker-controlled infrastructure.

Mitigation & Remediation

CISA BOD 22-01 Deadline: April 9, 2026. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Known-Safe Versions

| Component | Safe Version |
|---|---|
| Trivy binary / image | v0.69.2 or v0.69.3 |
| aquasecurity/trivy-action | v0.35.0 |
| aquasecurity/setup-trivy | v0.2.6 (re-created) |

Recommended Actions

  1. Update to known-safe versions listed above immediately.
  2. Rotate ALL secrets — if there is any possibility a compromised version ran in your environment, treat all secrets accessible to affected pipelines as exposed and rotate immediately. This includes cloud credentials, SSH keys, API tokens, database passwords, and service account keys.
  3. Audit Trivy versions — check whether your organization pulled or executed Trivy v0.69.4 (or v0.69.5/v0.69.6 Docker images) from any source. Remove affected artifacts.
  4. Audit GitHub Action references — review all workflows using aquasecurity/trivy-action or aquasecurity/setup-trivy. Check workflow run logs from March 19–20, 2026 for signs of compromise.
  5. Search for exfiltration artifacts — look for repositories named tpcp-docs in your GitHub organization.
  6. Pin GitHub Actions to full SHA hashes — never use mutable version tags. Use immutable commit SHA references as described in GitHub's security guidance.
  7. Verify binary integrity — use cosign to verify sigstore signatures on Trivy binaries and container images. Safe versions were signed on March 1, before the March 19 attack.
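Steps 3 through 6 above, together with the tpcp-docs indicator in the IoC section, can be turned into a static audit of workflow files. The following is an added example and not a tool from Aqua Security, GitHub or Microsoft: it scans workflow text for aquasecurity/trivy-action and aquasecurity/setup-trivy references that are not pinned to a full 40-character commit SHA, flags tags that fall in the advisory's affected ranges, flags Trivy image references that use the malicious tags or match one of the malicious digests listed above, and reports any repository whose name starts with tpcp-docs. The malicious digests and tag ranges are taken from this page; the sample workflow, its pinned SHA and the repository names are constructed.

```python
import re

# Malicious image digests listed in the advisory, keyed to their published tag.
MALICIOUS_IMAGE_DIGESTS = {
    "sha256:27f446230c60bbf0b70e008db798bd4f33b7826f9f76f756606f5417100beef3": "0.69.4",
    "sha256:12c702212dee1cbec9471e9261501a3335963321fe76e60e5a715b5acd3c40a2": "0.69.4-linux/amd64",
    "sha256:2d7cee41048988eec27615412e7c6e2e21046f2b5faa888c24e11ca6764058ed": "0.69.4-linux/arm64",
    "sha256:5aaa1d7cfa9ca4649d6ffad165435c519dc836fa6e21b729a2174ad10b057d2b": "0.69.5",
    "sha256:425cd3e1a2846ac73944e891250377d2b03653e6f028833e30fc00c1abbc6d33": "0.69.6",
}
MALICIOUS_IMAGE_TAGS = {"0.69.4", "0.69.5", "0.69.6"}

# Affected tag ranges per the advisory. setup-trivy 0.2.6 was later re-created
# with safe content, so a 0.2.6 reference still needs its commit SHA confirmed.
AFFECTED_TAG_RANGES = {
    "aquasecurity/trivy-action": ((0, 0, 1), (0, 34, 2)),
    "aquasecurity/setup-trivy": ((0, 2, 0), (0, 2, 6)),
}

USES_RE = re.compile(r"uses:\s*(aquasecurity/(?:trivy-action|setup-trivy))@([^\s#]+)")
# Trivy image references on Docker Hub, GHCR and ECR Public, with optional tag and digest.
IMAGE_RE = re.compile(
    r"((?:ghcr\.io/aquasecurity|public\.ecr\.aws/aquasecurity|(?:docker\.io/)?aquasec)/trivy)"
    r"(?!-)(?::([\w.\-/]+))?(?:@(sha256:[0-9a-f]{64}))?"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_version(tag):
    """'v0.28.0' -> (0, 28, 0); None for branch names and other non-numeric refs."""
    try:
        return tuple(int(p) for p in tag.lstrip("v").split("."))
    except ValueError:
        return None


def audit_workflow(text):
    """Return (line_number, finding_kind, reference) tuples for one workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.search(line)
        if m:
            action, ref = m.groups()
            if not FULL_SHA_RE.match(ref):          # mutable tag or branch: step 6
                findings.append((lineno, "unpinned-action", f"{action}@{ref}"))
                ver = parse_version(ref)
                lo, hi = AFFECTED_TAG_RANGES[action]
                if ver is not None and lo <= ver <= hi:   # step 4
                    findings.append((lineno, "affected-tag-range", f"{action}@{ref}"))
        for im in IMAGE_RE.finditer(line):          # step 3
            image, tag, digest = im.groups()
            if digest in MALICIOUS_IMAGE_DIGESTS:
                findings.append((lineno, "malicious-image-digest", f"{image}@{digest}"))
            elif digest is None and tag in MALICIOUS_IMAGE_TAGS:
                findings.append((lineno, "malicious-image-tag", f"{image}:{tag}"))
            elif digest is None:
                findings.append((lineno, "image-by-tag", f"{image}:{tag or 'latest'}"))
    return findings


def find_exfil_repos(repo_names):
    """Step 5: repositories whose name carries the tpcp-docs prefix."""
    return sorted(n for n in repo_names if n.startswith("tpcp-docs"))


# Constructed sample workflow; the 40-hex SHA on the pinned step is a placeholder.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    container: aquasec/trivy:0.69.4
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.5
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ghcr.io/example/app:latest
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - run: docker run --rm aquasec/trivy@sha256:5aaa1d7cfa9ca4649d6ffad165435c519dc836fa6e21b729a2174ad10b057d2b image nginx
      - run: docker run --rm ghcr.io/aquasecurity/trivy:latest image nginx
"""

if __name__ == "__main__":
    for lineno, kind, ref in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {kind}: {ref}")
    print("exfil repos:", find_exfil_repos(["app", "tpcp-docs-1711000000", "docs"]))
```

The pinned step on line 13 of the sample produces no finding, which is the state every aquasecurity/* reference should end up in after step 6. An "image-by-tag" finding is not itself evidence of compromise, but a mutable tag is what allowed the March 22 Docker Hub images to be picked up, so those references should move to digests that have been verified with cosign (step 7).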

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2026-33634 |
| Vendor / Product | Aquasecurity — Trivy |
| NVD Published | 2026-03-23 |
| NVD Last Modified | 2026-03-30 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-506 |
| CISA KEV Added | 2026-03-26 |
| CISA KEV Deadline | 2026-04-09 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2026-04-09. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

| Date | Event |
|---|---|
| 2026-02-28 | Initial supply chain attack begins; Aquasecurity credentials compromised |
| 2026-03-01 | Initial disclosure; credential rotation begins (non-atomic) |
| 2026-03-03 | GitHub immutable releases enabled for trivy repository |
| 2026-03-19 | Attacker force-pushes malicious tags to trivy-action (76/77) and setup-trivy (all 7); malicious Trivy v0.69.4 published |
| 2026-03-22 | Attacker pushes malicious Docker Hub images v0.69.5 and v0.69.6 via separately-compromised credentials |
| 2026-03-23 | CVE-2026-33634 published on NVD; GitHub advisory GHSA-69fq-xp46-6x23 released |
| 2026-03-24 | Microsoft publishes detection and defense guidance |
| 2026-03-26 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-04-09 | CISA BOD 22-01 remediation deadline |