In March 2026, attackers compromised Trivy - one of the most popular open-source vulnerability scanners - through its GitHub Action. They force-pushed 75 of 76 version tags to malicious commits. AWS credentials, GCP tokens, SSH keys - stolen from every workflow that ran the compromised action. Within five days, the attack cascaded to Docker Hub, VS Code extensions, and PyPI (CVE-2026-33634, CVSS 9.4).
Most teams heard about this in isolation. It wasn't isolated.
I traced the full chain back 16 months - from a Personal Access Token accidentally committed in a SpotBugs workflow (November 2024), through the tj-actions/changed-files mass compromise targeting Coinbase (March 2025, CVE-2025-30066), the AI-augmented Nx/s1ngularity attack (August 2025), and the GhostAction campaign that stole 3,325 secrets from 817 repositories (September 2025) - all the way to the Trivy/TeamPCP attack and the concurrent prt-scan campaign using AI-generated payloads.
The pattern is clear: the pipeline is not the target - your AWS account is.
Every one of these attacks specifically went after cloud credentials. The Trivy payload queried the AWS Instance Metadata Service at 169.254.169.254 and the ECS task metadata endpoint at 169.254.170.2. It wasn't looking for GitHub tokens.
SHA pinning would have stopped the Trivy attack. But SHA pinning is step 1 of 12.
In the full article, I cover:
- A complete timeline of CI/CD supply chain attacks from November 2024 to March 2026
- 12 concrete hardening steps with copy-paste YAML and Terraform code - from SHA pinning and OIDC setup to egress monitoring with StepSecurity Harden-Runner
- A prevention matrix showing which step would have stopped which attack
- What GitHub is building next - the 2026 Actions Security Roadmap (dependency locking, native egress firewall, immutable actions)
Read the full article with all 12 steps, code examples, and sources
Originally published at haitmg.pl.