Backdoored Trivy Scanner Fuels Supply‑Chain Worm in CI/CD Pipelines

The open‑source Trivy vulnerability scanner was compromised and a covert backdoor was added to its official binary releases and the accompanying GitHub Actions workflow files. Attackers leveraged the trusted distribution channel to inject malicious payloads that automatically executed when developers pulled the scanner or used the pre‑built CI actions, effectively turning a security tool into a delivery mechanism for the new CanisterWorm.

CanisterWorm propagates by harvesting CI/CD secrets that are not rotated promptly, using them to access downstream repositories, container registries, and cloud environments. In affected pipelines, the worm self‑replicates across multiple projects, exfiltrates credentials, and can deploy additional payloads, creating a cascade of supply‑chain compromises that bypass traditional perimeter defenses.

Defenders must treat third‑party build tools as high‑risk assets: verify signatures on binaries and workflow files, enforce strict secret‑rotation policies, and implement runtime integrity checks on CI runners. Continuous monitoring for unauthorized changes in trusted repositories and rapid revocation of compromised tokens are essential to stop similar supply‑chain attacks from gaining a foothold in your development ecosystem.
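Two of the controls above can be checked mechanically on the defender's side: whether a workflow file references third-party actions by an immutable commit SHA rather than a movable tag or branch, and whether a downloaded scanner binary matches a digest obtained out-of-band. The script below is an added illustration written for this article, not code from the Trivy project or from the original report; the workflow text, organization names and digest it uses are constructed for the example.

```python
import hashlib
import hmac
import re
from typing import List

# Constructed sample workflow (not a real project's file). It mixes
# mutable references (a tag, a branch) with one full-SHA pin.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scanner-action@main
      - uses: example-org/other-action@1234567890abcdef1234567890abcdef12345678
      - run: ./scanner image example/app:latest
"""

# Captures the reference after `uses:` on a step line (comments dropped).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text: str) -> List[str]:
    """Return every `uses:` reference not pinned to a 40-hex commit SHA.

    A tag or branch is controlled by whoever controls the upstream repo,
    so if that repo is compromised the pipeline silently runs new code.
    A commit SHA is content-addressed and cannot be moved.
    """
    findings = []
    for match in USES_RE.finditer(workflow_text):
        ref = match.group(1)
        # Local actions and container images use a different pinning model.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(ref)
            continue
        _, version = ref.rsplit("@", 1)
        if not SHA40_RE.match(version):
            findings.append(ref)
    return findings


def verify_sha256(artifact: bytes, expected_hex: str) -> bool:
    """Compare an artifact's SHA-256 with a digest obtained out-of-band.

    The expected value should come from a signed checksum file or a digest
    committed to the repo, never from the same download location as the
    binary. Constant-time comparison avoids leaking digest prefixes.
    """
    actual = hashlib.sha256(artifact).hexdigest()
    return hmac.compare_digest(actual, expected_hex.strip().lower())


if __name__ == "__main__":
    for ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"not SHA-pinned: {ref}")
    # Constructed artifact and digest: the digest is computed here only to
    # show a passing check; in practice it is sourced independently.
    fake_binary = b"constructed scanner binary bytes"
    good = hashlib.sha256(fake_binary).hexdigest()
    print("digest ok:", verify_sha256(fake_binary, good))
    print("digest ok:", verify_sha256(fake_binary + b"\x00", good))
```

Run it against real workflow files by reading each `.github/workflows/*.yml` into `unpinned_actions`; a finding means the pipeline trusts an upstream that can change what it executes without any change to the repository's own history, which is exactly the channel the article describes.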
