Yesterday, aquasecurity/trivy-action got compromised again. Attackers force-pushed 75 out of 76 version tags to inject a full credential stealer that scrapes runner memory, harvests secrets across 17 categories, and exfiltrates everything encrypted to a typosquatted domain.
I pulled the malicious payload apart and documented every step, from process discovery to AES+RSA encrypted exfiltration.
Full write-up here: https://www.abgeo.dev/blog/trivy-github-actions-compromised-full-payload-analysis/
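The attack described above works because a version tag is a mutable pointer: whoever can force-push the tag controls what `uses: owner/action@tag` resolves to on the next run. A full 40-character commit SHA cannot be moved the same way, so one practical defensive check is to scan workflow files for `uses:` steps that still reference a tag or branch. The script below is an added example, not code from the post or from the linked write-up; the workflow text, version strings and the commit SHA in it are constructed for illustration, and the parsing is a line-oriented regex over `uses:` entries rather than a full YAML parser.

```python
import re

# Constructed sample workflow (not from the post or any real repository).
# Version strings and the commit SHA below are made-up placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@v0.99.0
        with:
          scan-type: fs
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # v0.99.0
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
"""

# Matches a `uses:` step and captures its value up to whitespace, quote or comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
# A full commit SHA is exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(uses_value):
    """Return (action, ref, kind); kind is 'sha', 'mutable', 'local' or 'docker'.

    Local actions and docker:// images are reported separately because they
    are not resolved through a GitHub tag and need a different review.
    """
    if uses_value.startswith("./"):
        return uses_value, None, "local"
    if uses_value.startswith("docker://"):
        return uses_value, None, "docker"
    action, sep, ref = uses_value.partition("@")
    if not sep:
        # No ref at all: treat as unpinned, since nothing fixes the revision.
        return action, None, "mutable"
    kind = "sha" if FULL_SHA_RE.match(ref) else "mutable"
    return action, ref, kind


def find_mutable_uses(workflow_text):
    """Return [(line_no, action, ref)] for every uses: step not pinned to a full SHA.

    Tags (v4, v0.99.0) and branches (master) are both mutable references:
    a force-push to the tag changes what the step executes on the next run.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        action, ref, kind = classify_ref(match.group(1))
        if kind == "mutable":
            findings.append((line_no, action, ref))
    return findings


def report(workflow_text):
    """Human-readable summary of unpinned steps, one line per finding."""
    lines = [f"line {n}: {action}@{ref} is pinned to a mutable ref; pin to a commit SHA"
             for n, action, ref in find_mutable_uses(workflow_text)]
    return "\n".join(lines) if lines else "all remote actions are pinned to commit SHAs"


if __name__ == "__main__":
    print(report(SAMPLE_WORKFLOW))
```

Pinning to a SHA only helps if the SHA was taken from a revision you reviewed before the compromise, and it shifts the maintenance burden to a dependency-update bot that proposes new SHAs; the point of the check is to make a tag reference visible as a decision rather than a default.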