CVE-2026-33634
Aquasecurity Trivy Embedded Malicious Code Vulnerability - [Actively Exploited]
Description
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits. This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have use a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack. Affected components include the `aquasecurity/trivy` Go / Container image version 0.69.4, the `aquasecurity/trivy-action` GitHub Action versions 0.0.1 – 0.34.2 (76/77), and the`aquasecurity/setup-trivy` GitHub Action versions 0.2.0 – 0.2.6, prior to the recreation of 0.2.6 with a safe commit. Known safe versions include versions 0.69.2 and 0.69.3 of the Trivy binary, version 0.35.0 of trivy-action, and version 0.2.6 of setup-trivy. Additionally, take other mitigations to ensure the safety of secrets. If there is any possibility that a compromised version ran in one's environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately. Check whether one's organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately. Review all workflows using `aquasecurity/trivy-action` or `aquasecurity/setup-trivy`. Those who referenced a version tag rather than a full commit SHA should check workflow run logs from March 19–20, 2026 for signs of compromise. Look for repositories named `tpcp-docs` in one's GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen. Pin GitHub Actions to full, immutable commit SHA hashes, don't use mutable version tags.
INFO
Published Date :
March 23, 2026, 10:16 p.m.
Last Modified :
March 30, 2026, 6:50 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Unknown
This vulnerability involves a supply‑chain compromise in a product that may be used across multiple products and environments. Additional vendor‑provided guidance must be followed to ensure full remediation. For more information, please see: https://github.com/advisories/GHSA-69fq-xp46-6x23 ; https://nvd.nist.gov/vuln/detail/CVE-2026-33634
Affected Products
The following products are affected by CVE-2026-33634
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | [email protected] | ||||
| CVSS 4.0 | CRITICAL | [email protected] |
Solution
- Update Trivy to a known safe version.
- Rotate all exposed secrets immediately.
- Pin GitHub Actions to commit SHAs.
- Review workflow logs for compromise signs.
Public PoC/Exploit Available at Github
CVE-2026-33634 has a 32 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-33634.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-33634 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-33634
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
A practitioner-focused reference for AI/ML security — attacks, tools, research, and defenses. Covers offensive AI, securing AI systems, AI-assisted security operations, and governance.
Breach intelligence notes: structured YAML records of breach reports, advisories, and cyber incidents
Go Just HTML HCL CSS JavaScript Go Template Python Shell
A curated timeline of real AI agent security incidents, breaches, and vulnerabilities (2024-2026). Every entry sourced and dated.
ai-agent-security ai-agents ai-security awesome-list cybersecurity llm-security mcp-security prompt-injection supply-chain-security
A simple Proof of Concept to demonstrate and provide a high level understanding of how the trivy compromise happened.
Shell
None
Replay TeamPCP's supply chain kill chain: CI/CD compromise → AWS post-exploitation. Hands-on lab with real AWS infrastructure.
aws-security cloud-security ctf devsecops ecs github-actions security supply-chain-security terraform vulnerable-by-design
Makefile Dockerfile Python HCL Shell
This is the IaC of my homelab setup
Shell Python HCL
None
Python
2026년 3월에 발생한 공급망 공격들을 정리합니다.
axios checkmarx litellm supply-chain supply-chain-security telnyx trivy
None
Shell
This is the mock design for the CandleKeep Security Blog for Sentinel Blue
HTML
A small GitHub page to visualize supply-chain attacks in the software distribution ecosystem
HTML
Companion source for YouTube video "Stop Mounting docker.sock — Run Trivy Without Giving Away Root Access — (inspired by CVE-2026-33634)"
docker-engine-api docker-socket trivy-scan cve-2026-33634 trivy-docker-scan trivy-docker-scan-safely
Dockerfile TypeScript CSS JavaScript
**Scanner automatizado para la detección de indicadores de compromiso (IOCs) asociados al ataque a la cadena de suministro TeamPCP (CVE-2026-33634)**
Python
TeamPCP Detection
HTML
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-33634 vulnerability anywhere in the article.
-
The Hacker News
OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident
OpenAI revealed a GitHub Actions workflow used to sign its macOS apps led to the download of the malicious Axios library on March 31, but noted that no user data or internal system was compromised. "O ... Read more
-
Help Net Security
Software supply chain hacks trigger wave of intrusions, data theft
After linking the Axios npm supply chain attack to North Korean hackers, Google researchers warned that “hundreds of thousands of stolen secrets could potentially be circulating” as a result of this a ... Read more
-
Help Net Security
Critical Fortinet FortiClient EMS bug under active attack (CVE-2026-21643)
A critical SQL injection vulnerability (CVE-2026-21643) in Fortinet FortiClient Endpoint Management Server (EMS), a management server for FortiClient endpoint agents on various platforms, is under act ... Read more
-
CybersecurityNews
TeamPCP Supply Chain Attack Allegedly Compromised Databricks Platform
Databricks is currently investigating an alleged security compromise connected to the massive TeamPCP software supply chain attack after being alerted by threat intelligence researchers. According to ... Read more
-
Daily CyberSecurity
The CVE Watchtower: Weekly Threat Intelligence Briefing (March 23 – March 29, 2026)
Whether you are steering the organizational ship as a CISO or maintaining the operational engines as a system administrator, cutting through the noise of weekly vulnerabilities is essential to keeping ... Read more
-
Help Net Security
Week in review: NIST updates DNS security guidance, compromised LiteLLM PyPI packages
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: NIST updates its DNS security guidance for the first time in over a decade DNS infrastructure underpin ... Read more
-
Help Net Security
Attackers are exploiting RCE vulnerability in BIG-IP APM systems (CVE-2025-53521)
A critical unauthenticated remote code execution vulnerability (CVE-2025-53521) in F5’s BIG-IP Access Policy Manager (APM) solution is under active exploitation, the US Cybersecurity and Infrastructur ... Read more
-
CybersecurityNews
CISA Adds Aquasecurity Trivy Scanner Vulnerability to KEV Catalog
CISA has officially added a critical vulnerability affecting Aquasecurity’s Trivy scanner to its Known Exploited Vulnerabilities (KEV) catalog. Tracked as CVE-2026-33634, this alarming security flaw p ... Read more
-
The Hacker News
TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files
TeamPCP, the threat actor behind the supply chain attack targeting Trivy, KICS, and litellm, has now compromised the telnyx Python package by pushing two malicious versions to steal sensitive data. Th ... Read more
-
TheCyberThrone
CISA adds Langflow and Trivy bugs to KEV Catalog
Langflow Code Injection Flaw Actively Exploited — CVE-2026-33017CISA has added a critical code injection vulnerability in Langflow to its Known Exploited Vulnerabilities catalog, confirming active exp ... Read more
-
CybersecurityNews
Telnyx PyPI Package With 742,000 downloads Compromised in TeamPCP Supply Chain Attack
The official Telnyx Python SDK on PyPI was compromised this morning as part of an escalating, weeks-long supply chain campaign orchestrated by the threat actor group TeamPCP. Malicious versions 4.87.1 ... Read more
-
Kaspersky
Trojanization of Trivy, Checkmarx, and LiteLLM solutions | Kaspersky official blog
Millions of automated software development pipelines rely on security tools, such as Trivy and Checkmarx AST, integrated into the build process. It is precisely these trusted solutions recently became ... Read more
-
The Hacker News
TeamPCP Hacks Checkmarx GitHub Actions Using Stolen CI Credentials
Two more GitHub Actions workflows have become the latest to be compromised by credential-stealing malware by a threat actor known as TeamPCP, the cloud-native cybercriminal operation also behind the T ... Read more
The following table lists the changes that have been made to the
CVE-2026-33634 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Modified Analysis by [email protected]
Mar. 30, 2026
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:a:telnyx:telnyx:4.87.1:*:*:*:*:python:*:* *cpe:2.3:a:telnyx:telnyx:4.87.2:*:*:*:*:python:*:* Added Reference Type GitHub, Inc.: https://github.com/team-telnyx/telnyx-python/security/advisories/GHSA-955r-262c-33jc Types: Third Party Advisory -
CVE Modified by [email protected]
Mar. 30, 2026
Action Type Old Value New Value Added Reference https://github.com/team-telnyx/telnyx-python/security/advisories/GHSA-955r-262c-33jc -
Modified Analysis by [email protected]
Mar. 27, 2026
Action Type Old Value New Value Added Reference Type GitHub, Inc.: https://docs.litellm.ai/blog/security-update-march-2026 Types: Third Party Advisory -
CVE Modified by [email protected]
Mar. 27, 2026
Action Type Old Value New Value Added Reference https://docs.litellm.ai/blog/security-update-march-2026 -
Initial Analysis by [email protected]
Mar. 26, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Added CPE Configuration OR *cpe:2.3:a:aquasec:setup-trivy:*:*:*:*:*:*:*:* versions up to (excluding) 0.2.6 *cpe:2.3:a:aquasec:trivy_action:*:*:*:*:*:*:*:* versions up to (excluding) 0.35.0 *cpe:2.3:a:aquasec:trivy:0.69.4:*:*:*:*:go:*:* Added CPE Configuration OR *cpe:2.3:a:litellm:litellm:1.82.7:*:*:*:*:*:*:* *cpe:2.3:a:litellm:litellm:1.82.8:*:*:*:*:*:*:* Added Reference Type GitHub, Inc.: https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack Types: Third Party Advisory Added Reference Type GitHub, Inc.: https://github.com/aquasecurity/trivy/discussions/10425 Types: Issue Tracking, Vendor Advisory Added Reference Type GitHub, Inc.: https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23 Types: Exploit, Mitigation, Vendor Advisory Added Reference Type GitHub, Inc.: https://github.com/BerriAI/litellm/issues/24518 Types: Issue Tracking, Mitigation, Third Party Advisory Added Reference Type GitHub, Inc.: https://github.com/pypa/advisory-database/tree/main/vulns/litellm/PYSEC-2026-2.yaml Types: Third Party Advisory Added Reference Type GitHub, Inc.: https://inspector.pypi.io/project/litellm/1.82.7/packages/79/5f/b6998d42c6ccd32d36e12661f2734602e72a576d52a51f4245aef0b20b4d/litellm-1.82.7-py3-none-any.whl/litellm/proxy/proxy_server.py#line.130 Types: Broken Link Added Reference Type CISA-ADP: https://github.com/BerriAI/litellm/issues/24518#issuecomment-4127436387 Types: Issue Tracking, Mitigation, Third Party Advisory Added Reference Type GitHub, Inc.: https://inspector.pypi.io/project/litellm/1.82.8/packages/f6/2c/731b614e6cee0bca1e010a36fd381fba69ee836fe3cb6753ba23ef2b9601/litellm-1.82.8.tar.gz/litellm-1.82.8/litellm_init.pth#line.1 Types: Broken Link Added Reference Type GitHub, Inc.: https://www.wiz.io/blog/teampcp-attack-kics-github-action Types: Not Applicable Added Reference Type CISA-ADP: https://rosesecurity.dev/2026/03/20/typosquatting-trivy.html Types: Exploit, Third Party Advisory Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33634 Types: US Government Resource Added Reference Type CISA-ADP: https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/ Types: Technical Description -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Mar. 26, 2026
Action Type Old Value New Value Added Reference https://github.com/BerriAI/litellm/issues/24518#issuecomment-4127436387 Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33634 Added Reference https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/ -
CVE Modified by [email protected]
Mar. 25, 2026
Action Type Old Value New Value Added Reference https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack Added Reference https://github.com/BerriAI/litellm/issues/24518 Added Reference https://github.com/pypa/advisory-database/tree/main/vulns/litellm/PYSEC-2026-2.yaml Added Reference https://inspector.pypi.io/project/litellm/1.82.7/packages/79/5f/b6998d42c6ccd32d36e12661f2734602e72a576d52a51f4245aef0b20b4d/litellm-1.82.7-py3-none-any.whl/litellm/proxy/proxy_server.py#line.130 Added Reference https://inspector.pypi.io/project/litellm/1.82.8/packages/f6/2c/731b614e6cee0bca1e010a36fd381fba69ee836fe3cb6753ba23ef2b9601/litellm-1.82.8.tar.gz/litellm-1.82.8/litellm_init.pth#line.1 Added Reference https://www.wiz.io/blog/teampcp-attack-kics-github-action -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Mar. 25, 2026
Action Type Old Value New Value Added Reference https://rosesecurity.dev/2026/03/20/typosquatting-trivy.html -
New CVE Received by [email protected]
Mar. 23, 2026
Action Type Old Value New Value Added Description Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits. This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have use a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack. Affected components include the `aquasecurity/trivy` Go / Container image version 0.69.4, the `aquasecurity/trivy-action` GitHub Action versions 0.0.1 – 0.34.2 (76/77), and the`aquasecurity/setup-trivy` GitHub Action versions 0.2.0 – 0.2.6, prior to the recreation of 0.2.6 with a safe commit. Known safe versions include versions 0.69.2 and 0.69.3 of the Trivy binary, version 0.35.0 of trivy-action, and version 0.2.6 of setup-trivy. Additionally, take other mitigations to ensure the safety of secrets. If there is any possibility that a compromised version ran in one's environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately. Check whether one's organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately. Review all workflows using `aquasecurity/trivy-action` or `aquasecurity/setup-trivy`. Those who referenced a version tag rather than a full commit SHA should check workflow run logs from March 19–20, 2026 for signs of compromise. Look for repositories named `tpcp-docs` in one's GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen. Pin GitHub Actions to full, immutable commit SHA hashes, don't use mutable version tags. Added CVSS V4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CWE CWE-506 Added Reference https://github.com/aquasecurity/trivy/discussions/10425 Added Reference https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23