Trivy

An open-source vulnerability scanner published by Aqua Security. Its supply-chain compromise via CVE-2026-33634 in March 2026 allowed UNC6780 to harvest pipeline credentials that were then used to access Cisco GitHub repositories.

Last refreshed: 20 May 2026

Key Question

If Trivy holds credentials for every pipeline it scans, is every Trivy user a downstream target?

Timeline for Trivy

#411 May

UNC6780 takes Cisco AI Defense source code

Cybersecurity: Threats and Defences
Common Questions
What is Trivy and how was it hacked?
Trivy is a widely used open-source security scanner from Aqua Security. In March 2026 a supply-chain vulnerability (CVE-2026-33634) let UNC6780 compromise Trivy's pipeline integrations and harvest developer credentials from the pipelines that ran it. Those credentials were then used to steal source code from over 300 Cisco GitHub repositories. Source: GTIG / SANS ISC
How did a Trivy vulnerability lead to the Cisco hack?
Trivy runs inside CI/CD jobs, so it holds or processes the pipeline's credentials as part of its scanning function. When UNC6780 exploited CVE-2026-33634 in March 2026, the SANDCLOCK credential stealer harvested GitHub tokens from those pipelines. The tokens gave UNC6780 direct access to clone Cisco's private code repositories. Source: GTIG / SANS ISC
Should I stop using Trivy after the supply-chain attack?
Aqua Security has not published a scope assessment saying which Trivy pipeline integrations were affected by CVE-2026-33634, so treat any pipeline that ran an affected version as exposed. Verify you are running a release that addresses CVE-2026-33634, rotate every credential the scanning job could read (GitHub tokens, registry credentials, cloud keys), and check the GitHub audit log for clones by those tokens that come from unexpected addresses or touch repositories the pipeline had no reason to fetch. Source: SANS ISC
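The audit step above is easier to act on with a concrete check. The script below is an added example, not code from this page or from Aqua Security/Trivy: it reads GitHub audit-log export lines and flags two things a harvested pipeline token would produce, clones from outside the CI runners' egress addresses and a single CI identity cloning many distinct repositories in a short window. The field names ("action", "actor", "repo", "actor_ip", "@timestamp" in milliseconds) follow GitHub's audit-log export for git events but should be treated as an assumption to confirm against your own export; the egress range, thresholds and the sample log are constructed placeholders.

```python
"""Hunt for abnormal repository cloning by a CI identity in GitHub audit-log lines.

Added example, not code from the page or from Aqua Security/Trivy.
Assumptions (not from the page): one JSON object per line using the field names
GitHub's audit-log export uses for git events ("action", "actor", "repo",
"actor_ip", "@timestamp" in milliseconds); the CI egress range and thresholds
are placeholders for your own environment.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timezone

# Placeholder egress range for the organisation's CI runners (assumption).
KNOWN_CI_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# A scanner job normally checks out the one repo it is scanning; a token that
# clones many distinct repos within an hour looks like bulk collection.
# Thresholds are illustrative.
MAX_DISTINCT_REPOS = 5
WINDOW_SECONDS = 3600

# Constructed sample log (not real data): two normal clones from the runner
# range, one unrelated event, then seven distinct repos cloned within minutes
# from an address outside the runner range.
SAMPLE_LOG = """\
{"action":"git.clone","actor":"ci-scanner-bot","repo":"acme/payments","actor_ip":"203.0.113.10","@timestamp":1773230400000}
{"action":"repo.create","actor":"alice","repo":"acme/sandbox","actor_ip":"203.0.113.20","@timestamp":1773231000000}
{"action":"git.clone","actor":"ci-scanner-bot","repo":"acme/payments","actor_ip":"203.0.113.11","@timestamp":1773234000000}
{"action":"git.clone","actor":"ci-scanner-bot","repo":"acme/payments","actor_ip":"198.51.100.7","@timestamp":1773237600000}
{"action":"git.clone","actor":"ci-scanner-bot","repo":"acme/billing","actor_ip":"198.51.100.7","@timestamp":1773237660000}
{"action":"git.clone","actor":"ci-scanner-bot","repo":"acme/auth","actor_ip":"198.51.100.7","@timestamp":1773237720000}
{"action":"git.clone","actor":"ci-scanner-bot","repo":"acme/infra","actor_ip":"198.51.100.7","@timestamp":1773237780000}
{"action":"git.clone","actor":"ci-scanner-bot","repo":"acme/web","actor_ip":"198.51.100.7","@timestamp":1773237840000}
{"action":"git.clone","actor":"ci-scanner-bot","repo":"acme/mobile","actor_ip":"198.51.100.7","@timestamp":1773237900000}
{"action":"git.clone","actor":"ci-scanner-bot","repo":"acme/docs","actor_ip":"198.51.100.7","@timestamp":1773237960000}
"""


def parse_events(lines):
    """Keep only git.clone events, parsed and sorted by time."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("action") != "git.clone":
            continue
        events.append({
            "actor": rec["actor"],
            "repo": rec["repo"],
            "ip": ipaddress.ip_address(rec["actor_ip"]),
            "ts": datetime.fromtimestamp(rec["@timestamp"] / 1000, tz=timezone.utc),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def from_known_range(ip):
    return any(ip in net for net in KNOWN_CI_RANGES)


def offnet_clones(events):
    """Clones from outside the runner egress ranges, one finding per event."""
    return [
        {"actor": e["actor"], "repo": e["repo"], "ip": str(e["ip"]), "ts": e["ts"].isoformat()}
        for e in events
        if not from_known_range(e["ip"])
    ]


def clone_bursts(events):
    """Per actor, the largest number of distinct repos cloned inside any window;
    only actors above MAX_DISTINCT_REPOS are reported."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append(e)
    bursts = {}
    for actor, evs in by_actor.items():
        peak, start = 0, 0
        for end in range(len(evs)):
            # slide the window start forward until it fits in WINDOW_SECONDS
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > WINDOW_SECONDS:
                start += 1
            peak = max(peak, len({x["repo"] for x in evs[start:end + 1]}))
        if peak > MAX_DISTINCT_REPOS:
            bursts[actor] = peak
    return bursts


def audit(lines):
    events = parse_events(lines)
    return {"offnet": offnet_clones(events), "bursts": clone_bursts(events)}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG.splitlines())
    for f in result["offnet"]:
        print(f"off-net clone: {f['actor']} cloned {f['repo']} from {f['ip']} at {f['ts']}")
    for actor, n in result["bursts"].items():
        print(f"clone burst: {actor} cloned {n} distinct repos within {WINDOW_SECONDS}s")
```

Run it over your own export with `audit(open("audit-log.jsonl"))`. A burst by a pipeline identity is the stronger of the two signals: a scanner token cloning repositories the job never builds has no legitimate explanation, and that token should be revoked before any deeper investigation.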

Background

Trivy is an open-source vulnerability and configuration scanner published by Aqua Security. It scans container images, filesystems, and code repositories for known CVEs, misconfigurations, and secrets, and is widely deployed in enterprise and cloud-native CI/CD pipelines as a standard security gate. Because it runs inside the pipeline job, Trivy inherits whatever that job can read: the token used to check out the code, registry credentials, and the cloud keys and other secrets exposed to the job. A scanner therefore holds or processes the credentials of the pipelines it audits.

In March 2026 a supply-chain vulnerability in Trivy, designated CVE-2026-33634, allowed UNC6780 (TeamPCP) to compromise Trivy's pipeline integrations and harvest the GitHub tokens and AWS keys of downstream pipeline users. Those credentials were exfiltrated via the SANDCLOCK credential stealer and subsequently used to clone over 300 private Cisco GitHub repositories, including the source code of Cisco AI Defense and Cisco AI Assistant. Trivy's role as a universal scanner made it a force-multiplier target: one compromise of the scanner yielded credentials across every project that trusted it.

The Trivy incident illustrates the structural concentration risk of universal CI/CD tooling. Unlike an attack on a single developer endpoint, compromising a scanner that audits hundreds of pipelines yields credentials across all of them. For the open-source security community, it raises the question of whether open-source security tooling itself requires the supply-chain controls (Software Bills of Materials, signed releases, and mandatory security audits) that it is designed to enforce on other software.
