Attackers have compromised the widely used open-source Trivy vulnerability scanner, injecting credential-stealing malware into official releases and GitHub Actions used by thousands of CI/CD workflows. The breach could trigger a cascade of additional supply-chain compromises if impacted projects and organizations don’t rotate their secrets immediately. The attack, disclosed by Trivy maintainers today, results from an earlier compromise announced late last month that also leveraged insecure GitHub Actions and impacted multiple projects. Security firms Socket and Wiz traced the root cause to an incomplete credential rotation after the first breach, allowing the attackers to return to Trivy’s e...