This notice is not related to the CircleCI product. We are sharing this as a courtesy to help our customers avoid compromise and follow security best practices.
We’ve been made aware of an ongoing compromise affecting Trivy, the popular open-source vulnerability scanner. On March 19, 2026, a malicious release (v0.69.4) was published to the Trivy GitHub repository. Binaries from this release contained credential-exfiltration malware: code that phones home to an attacker-controlled domain. The compromised release has since been removed by the Trivy maintainers.
Additional information can be found in this write-up from StepSecurity:
What we observed
While assisting a customer with their investigation into suspicious activity, we identified a case where a compromised Trivy v0.69.4 binary was fetched and executed during a CI build. The malicious binary exfiltrated a temporary OIDC-based AWS credential pair from the build environment, which was then used by an unauthorized party to access AWS resources.
What this means for you
If your CI/CD pipelines use Trivy at build time (e.g. from GitHub releases, Homebrew, or Docker Hub), and any build ran between approximately 17:43 UTC and 23:13 UTC on March 19, 2026, you may have executed the compromised binary. Any secret or token accessible in that build environment should be considered potentially exposed.
Recommended actions
- Rotate all tokens, credentials, and secrets that were present in any build environment where Trivy 0.69.4 may have been installed or running. This includes CI/CD tokens, cloud provider credentials, and any secrets injected via contexts or environment variables.
- Pin your Trivy installation to a verified version (v0.69.3 or a forthcoming patched release) and validate the binary checksum before execution.
- Look for malicious activity in all audit logs: review your cloud audit logs (e.g. AWS CloudTrail) for any unexpected activity from roles or credentials used in your CI pipelines.
- Review our guide on token rotation best practices: https://support.circleci.com/hc/en-us/articles/11858740696219-Best-Practices-of-API-Token-Rotation
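The pin-and-verify step from the actions above, as an added shell example that is not CircleCI's or the Trivy project's own code. The EXPECTED_SHA256 value is a placeholder you would record from a trusted source, and the ./trivy path is assumed.

```shell
#!/bin/sh
# Added example, not CircleCI's or Trivy's own code: pin one Trivy version and
# refuse to execute the binary unless its SHA-256 matches a checksum you
# recorded from a trusted source. EXPECTED_SHA256 below is a placeholder,
# not a real Trivy checksum.
TRIVY_VERSION="0.69.3"   # last known-good release named in this notice
EXPECTED_SHA256="<sha256 recorded from a trusted source>"   # placeholder

# sha256_of FILE: print the hex SHA-256 digest using whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED_HEX: exit status 0 on match, 1 on mismatch.
verify_sha256() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# run_pinned_trivy BINARY EXPECTED_HEX [ARGS...]: verify first, then execute.
# A mismatch (for example a binary swapped for a tampered release) stops the
# build step instead of running the unknown code.
run_pinned_trivy() {
  binary="$1"; expected="$2"; shift 2
  if ! verify_sha256 "$binary" "$expected"; then
    echo "refusing to run $binary: SHA-256 does not match pinned checksum" >&2
    return 1
  fi
  "$binary" "$@"
}

# Usage in a build step (binary path assumed to be ./trivy after download):
# run_pinned_trivy ./trivy "$EXPECTED_SHA256" --version
```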
If you have further questions, please work with the Technical Success Manager from your account team, or visit support.circleci.com for more guides.