8.8 CVE-2026-33634

Enriched by CISA CISA Kev Catalog Exploit

Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits. This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have use a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack. Affected components include the `aquasecurity/trivy` Go / Container image version 0.69.4, the `aquasecurity/trivy-action` GitHub Action versions 0.0.1 – 0.34.2 (76/77), and the`aquasecurity/setup-trivy` GitHub Action versions 0.2.0 – 0.2.6, prior to the recreation of 0.2.6 with a safe commit. Known safe versions include versions 0.69.2 and 0.69.3 of the Trivy binary, version 0.35.0 of trivy-action, and version 0.2.6 of setup-trivy. Additionally, take other mitigations to ensure the safety of secrets. If there is any possibility that a compromised version ran in one's environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately. Check whether one's organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately. Review all workflows using `aquasecurity/trivy-action` or `aquasecurity/setup-trivy`. Those who referenced a version tag rather than a full commit SHA should check workflow run logs from March 19–20, 2026 for signs of compromise. Look for repositories named `tpcp-docs` in one's GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen. Pin GitHub Actions to full, immutable commit SHA hashes, don't use mutable version tags.
https://nvd.nist.gov/vuln/detail/CVE-2026-33634

References

134c704f-9b21-4f2e-91b3-4a467353bcc0 Exploit

https://github.com/BerriAI/litellm/issues/24518#issuecomment-4127436387 Issue Tracking Mitigation Third Party Advisory
https://rosesecurity.dev/2026/03/20/typosquatting-trivy.html Exploit Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-20... US Government Resource
https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigat... Technical Description

security-advisories@github.com Exploit

https://docs.litellm.ai/blog/security-update-march-2026 Third Party Advisory
https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack Third Party Advisory
https://github.com/BerriAI/litellm/issues/24518 Issue Tracking Mitigation Third Party Advisory
https://github.com/aquasecurity/trivy/discussions/10425 Issue Tracking Vendor Advisory
https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23 Exploit Mitigation Vendor Advisory
https://github.com/pypa/advisory-database/tree/main/vulns/litellm/PYSEC-2026-... Third Party Advisory
https://inspector.pypi.io/project/litellm/1.82.7/packages/79/5f/b6998d42c6ccd... Broken Link
https://inspector.pypi.io/project/litellm/1.82.8/packages/f6/2c/731b614e6cee0... Broken Link
https://www.wiz.io/blog/teampcp-attack-kics-github-action Not Applicable

AFFECTED (from MITRE)

Vendor	Product	Versions
aquasecurity	setup-trivy	< 0.2.6 [affected]
aquasecurity	trivy-action	< 0.35.0 [affected]
aquasecurity	trivy	= 0.69.4 [affected]
BerriAI	LiteLLM	>= 1.82.7,
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe	start	end
Configuration 1
cpe:2.3:a:aquasec:setup-trivy::::::::		< 0.2.6
cpe:2.3:a:aquasec:trivy:0.69.4:::::go::
cpe:2.3:a:aquasec:trivy_action::::::::		< 0.35.0
Configuration 2
cpe:2.3:a:litellm:litellm:1.82.7:::::::*
cpe:2.3:a:litellm:litellm:1.82.8:::::::*

REMEDIATION

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
https://rosesecurity.dev/2026/03/20/typosquatting-trivy.html
https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
442	Infected Software An adversary adds malicious logic, often in the form of a computer virus, to otherwise benign software. This logic is often hidden from the user of the software and works behind the scenes to achieve negative impacts. Many times, the malicious logic is inserted into empty space between legitimate code, and is then called when the software is executed. This pattern of attack focuses on software already fielded and used in operation as opposed to software that is still under development and part of the supply chain.	High
448	Embed Virus into DLL An adversary tampers with a DLL and embeds a computer virus into gaps between legitimate machine instructions. These gaps may be the result of compiler optimizations that pad memory blocks for performance gains. The embedded virus then attempts to infect any machine which interfaces with the product, and possibly steal private data or eavesdrop.	High
636	Hiding Malicious Data or Code within Files Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.	High

MITRE

Techniques

id	description
T1001.002	Data Obfuscation: Steganography
T1027.003	Obfuscated Files or Information: Steganography
T1027.004	Obfuscated Files or Information: Compile After Delivery
T1027.009	Obfuscated Files or Information: Embedded Payloads
T1195.001	Supply Chain Compromise: Compromise Software Dependencies and Development Tools
T1195.002	Supply Chain Compromise: Compromise Software Supply Chain
T1218.001	Signed Binary Proxy Execution: Compiled HTML File
T1221	Template Injection
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Mitigations

id	description
M1031	Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.
M1040	On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated scripts.
M1016	Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented as well.
M1016	Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented as well.
M1021	Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns, such as CHM files
M1017	Train users to identify social engineering techniques and spearphishing emails that could be used to deliver malicious documents.
© 2022 The MITRE Corporation. Esta obra se reproduce y distribuye con el permiso de The MITRE Corporation.

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee