Aquasecurity/Trivy GitHub Repository and Homebrew Cask Compromised (again)

16 points by mmsc 59 days ago | 4 comments

mmsc 59 days ago |

The offending commit seems to be: https://github.com/aquasecurity/trivy/commit/1885610c6a34811... which updates the action to `actions/checkout@70379aad1a8b40919ce8b382d3cd7d0315cde1d0 # v6.0.2`. https://github.com/actions/checkout/commit/70379aad1a8b40919... is not actually in `actions/checkout` but a fork, and it pulls malicious code from the typo-squatted "scan.aquasecurtiy.org" (note the _tiy_).

Any system with Trivy 0.69.4 on it (and being run) can be assumed to be compromised.

man8alexd 59 days ago |

Current GitHub discussion (the old discussion was removed by the attacker): https://github.com/aquasecurity/trivy/discussions/10420

jl6 58 days ago |

Any recommendations for Trivy alternatives to use while Aqua rebuilds their reputation?

man8alexd 58 days ago | |

Grype, Clair