Aqua Security's Trivy open source vulnerability scanner was compromised in a supply chain attack that began in late February. The attack involved a GitHub Actions workflow issue and led to the distribution of malicious versions of the application's VS Code extensions, followed by attacks on related packages. The attack, linked to the threat actor TeamPCP, is ongoing and has expanded to target the NPM ecosystem with CanisterWorm malware, prompting Trivy's maintainers to release clean versions and urge users to rotate credentials.
The most valuable insight for you is the critical importance of atomic credential rotation in supply chain security. The Aqua Security Trivy incident shows what happens when this fails: credentials were not revoked simultaneously, which left a window in which attackers could exfiltrate the newly rotated secrets. As a cybersecurity professional, you can make atomic credential revocation an actionable measure to mitigate similar risks in your organization.