Trivy ecosystem supply chain briefly compromised
81 points by batch12 3 days ago | 30 comments

jl6 13 hours ago
To be clear, this is a supply chain attack on everyone that uses Trivy, not a supply chain attack on Trivy. It was a direct attack on Trivy, exploiting components that Aqua had full control and responsibility for. The term “supply chain attack” has a connotation of “it’s not really my fault, it was my dependencies that got compromised”.

Of course, every entity is ultimately accountable for its own security, including assigning a level of trust to any dependencies, so it’s ultimately no excuse, but getting hit by a supply chain attack does evoke a little more sympathy (“at least I did my bit right”), and I feel like the ambiguous wording of the title is trying to access some of that sympathy.

reply
Shank 19 hours ago
This attack seems predicated on a prior security incident (https://socket.dev/blog/unauthorized-ai-agent-execution-code...) at Trivy where they failed to successfully remediate and contain the damage. I think at this time, Trivy should’ve undertaken a full reassessment of risks and clearly isolated credentials and reduced risk systemically. This did not happen, and the second compromise occurred.
reply
NewJazz 17 hours ago
They did a lot of what you describe, although perhaps not well enough.
reply
woodruffw 18 hours ago
I don’t think “briefly compromised” is accurate. The short span between this and the previous compromise of trivy suggests that the attacker was able to persist between their two periods of activity.
reply
feross 7 hours ago
Lots more technical research about the actual attack and how it worked here: https://socket.dev/blog/trivy-under-attack-again-github-acti...

Disclosure: I’m the founder of Socket.

reply
AdrienPoupa 18 hours ago
Don't forget to pin your GitHub Actions to SHAs instead of tags, which may or may not be immutable!
reply
woodruffw 17 hours ago
Frustratingly, hash pinning isn’t good enough here: that makes the action immutable, but the action itself can still make mutable decisions (like pulling the “latest” version of a binary from somewhere on the internet). That’s what trivy’s official action appears to do.

(IOW, you definitely should still hash-pin actions, but doing so isn’t sufficient in all circumstances.)

reply
AdrienPoupa 16 hours ago
That's true. This specific attack was mitigated by hash pinning, but some actions like https://github.com/1Password/load-secrets-action default to using the latest version of an underlying dependency.
reply
cpuguy83 8 hours ago
This attack was not mitigated by hash pinning. The setup-trivy action installs the latest version of trivy unless you specify a version.
reply
AdrienPoupa 7 hours ago
Oh, I was referring to `aquasecurity/trivy-action` that was changed with a malicious entrypoint for affected tags. Pinned commits were not affected.
reply
NewJazz 17 hours ago
I'm pretty sure the trivy action does not do that.
reply
woodruffw 16 hours ago
FWICT, it pulls the latest version of trivy by default. If that latest tag is a mutable pointer (and it typically is), then it exhibits the problem.
reply
NewJazz 16 hours ago
Then why do they hard code the trivy version and create PRs to bump it?

https://github.com/aquasecurity/trivy-action/blob/57a97c7e78...

https://github.com/aquasecurity/trivy-action/pull/519

Edit: ah, I see you are referring to the setup-trivy action rather than the trivy-action. Yeah, that looks like a bad default, although to be fair it is a setting that they document quite prominently, and direct usage of the setup-trivy action is a bit atypical as-is.

reply
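Added example, not part of the thread or of any Trivy or GitHub tooling: a small workflow audit covering both points made above, flagging `uses:` references that are not a full commit SHA and SHA-pinned `aquasecurity/setup-trivy` steps that still resolve the tool version at run time. The sample workflow, SHAs and version string are constructed placeholders, and the `version` input name is assumed from the comment that the action installs the latest Trivy "unless you specify a version".

```python
import re

# Constructed sample workflow; the SHAs and version value are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/setup-trivy@89abcdef0123456789abcdef0123456789abcdef
      - uses: aquasecurity/setup-trivy@89abcdef0123456789abcdef0123456789abcdef
        with:
          version: v0.0.0-placeholder
"""

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s@#]+)@([^\s#]+)")
# Assumption: the tool version is selected through an input named "version".
VERSION = re.compile(r"^\s*version:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
# Actions that download a tool at run time, so a SHA pin alone is not enough.
FETCHES_TOOL = {"aquasecurity/setup-trivy"}

def audit(workflow_text):
    """Return (line_number, action, finding) tuples for one workflow file."""
    findings = []
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        m = USES.match(line)
        if not m:
            continue
        action, ref = m.groups()
        if not FULL_SHA.fullmatch(ref):
            findings.append((i + 1, action, "mutable-ref"))
        if action in FETCHES_TOOL:
            key_indent = line.index("uses")
            version = None
            # Scan the rest of this step; a shallower indent ends the step.
            for follow in lines[i + 1:]:
                if not follow.strip():
                    continue
                if len(follow) - len(follow.lstrip()) < key_indent:
                    break
                v = VERSION.match(follow)
                if v:
                    version = v.group(1)
            if version is None or version == "latest":
                findings.append((i + 1, action, "unpinned-tool-version"))
    return findings
```

The matcher is line-based and only sees inputs written after `uses:` within the same step; a YAML parser would be needed for quoted references or reordered keys.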
swq115 15 hours ago
The irony of your vulnerability scanner being the vulnerability.
reply
real_joschi 4 hours ago
Ever heard of IBM QRadar SIEM?
reply
NewJazz 4 hours ago
Yes... Any more context? Were they leaking data?
reply
duckmysick 9 hours ago
> credential rotation was performed but was not atomic (not all credentials were revoked simultaneously).

How do you simultaneously revoke all credentials of all your accounts spanning multiple services/machines/users?

reply
snailmailman 21 hours ago
Are the spam comments all from compromised accounts, presumably compromised due to this hack?

I only clicked on a handful of accounts but several of them have plausibly real looking profiles.

reply
bakugo 21 hours ago
Some of them were likely already compromised before these incidents, here's one of the accounts near the top making malicious commits to its own repository before the first hack:

https://github.com/Hancie123/mero_hostel_backend/commit/4bcb...

reply
wswin 19 hours ago
what comments?
reply
snailmailman 19 hours ago
Ah, I think the HN post was merged. My original comment was in response to this related GitHub discussion: https://github.com/aquasecurity/trivy/discussions/10420

There are hundreds of automated spam comments there from presumably compromised accounts. The new OP is much more clear regarding what has happened.

reply
MilnerRoute 21 hours ago
Briefly?

"Trivy Supply Chain Attack Spreads, Triggers Self-Spreading CanisterWorm Across 47 npm Packages"

https://it.slashdot.org/story/26/03/22/0039257/trivy-supply-...

reply
zach_vantio 19 hours ago
"Briefly" is doing a lot of work there. Pre-deploy scans are useless once a bad mutation is actually live. If you don't have a way to auto-revert the infrastructure state instantly, you're just watching the fire spread.
reply
brightball 19 hours ago
Seriously. All credentials compromised that it can see. It's active in CI/CD pipelines and follow-on attacks are happening.
reply
4riel 13 hours ago
yeah, we keep learning the same lesson: the tool that audits your supply chain is the single best target for compromising it
reply
RS-232 20 hours ago
Pretty ironic that the security tool is insecure
reply
tptacek 19 hours ago
You must be new to this. The median line of code in a security tool is materially less secure than the median line of code overall in the industry.
reply
regularfry 14 hours ago
Similarly, one of our biggest causes of power outages when I worked with a DC was the UPSes. And the biggest causes of data loss were the hardware RAID controllers. Feels like there's a fundamental law lurking under this stuff.
reply
snackbroken 8 hours ago
As the complexity of a system increases, the number of single points of failure also tends to increase. Sometimes you can make sure that several subsystems need to fail before the whole system fails. Often, the best you can do is swap one SPoF (e.g. unreliable power grid) for another, more robust SPoF (unreliable UPS).
reply
CoderLuii 16 hours ago
this is painfully accurate. I've worked in security for years and the tools we trust the most get the least scrutiny because everyone assumes "well it's a security tool, it must be secure." the irony is these tools usually run with the highest privileges in the pipeline. trivy sits in CI with access to every secret in your environment and nobody questions it because it's supposed to be the thing protecting you.
reply