8 comments

  • Shank 5 hours ago
    This attack seems predicated on a prior security incident (https://socket.dev/blog/unauthorized-ai-agent-execution-code-published-to-openvsx-in-aqua-trivy-vs-code-extension) at Trivy where they failed to successfully remediate and contain the damage. I think at this time, Trivy should’ve undertaken a full reassessment of risks and clearly isolated credentials and reduced risk systemically. This did not happen, and the second compromise occurred.
    • NewJazz 2 hours ago
      They did a lot of what you describe, although perhaps not well enough.
  • woodruffw 3 hours ago
    I don’t think “briefly compromised” is accurate. The short span between this and the previous compromise of trivy suggests that the attacker was able to persist between their two periods of activity.
  • AdrienPoupa 3 hours ago
    Don't forget to pin your GitHub Actions to SHAs instead of tags, that may or may not be immutable!
    • woodruffw 3 hours ago
      Frustratingly, hash pinning isn’t good enough here: that makes the action immutable, but the action itself can still make mutable decisions (like pulling the “latest” version of a binary from somewhere on the internet). That’s what trivy’s official action appears to do.
      (IOW You definitely should still hash-pin actions, but doing so isn’t sufficient in all circumstances.)
      • AdrienPoupa 1 hour ago
        That's true. This specific attack was mitigated by hash pinning, but some actions like https://github.com/1Password/load-secrets-action default to using the latest version of an underlying dependency.
      • NewJazz 2 hours ago
        I'm pretty sure the trivy action does not do that.
        • woodruffw 1 hour ago
          FWICT, it pulls the latest version of trivy by default. If that latest tag is a mutable pointer (and it typically is), then it exhibits the problem.
          • NewJazz 1 hour ago
            Then why do they hard code the trivy version and create PRs to bump it?
            https://github.com/aquasecurity/trivy-action/blob/57a97c7e7821a5776cebc9bb87c984fa69cba8f1/action.yaml#L98
            https://github.com/aquasecurity/trivy-action/pull/519
            Edit: ah, I see you are referring to the setup-trivy action rather than the trivy-action. Yeah, that looks like a bad default, although to be fair it is a setting that they document quite prominently, and direct usage of the setup-trivy action is a bit atypical as-is.
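
An audit sketch for the two points raised in the sub-thread above (tag-pinned actions, and SHA-pinned actions that still fetch a mutable "latest"), as an added example that is not part of the original comments or of any project's code. The `version` input name for setup-trivy and the `DEFAULTS_TO_LATEST` table are assumptions for illustration; the workflow, SHA and version string are constructed placeholders.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)")
KEY_RE = re.compile(r"^\s+([A-Za-z_][\w-]*):\s*['\"]?([^'\"#\s]+)")
# Assumption (from the thread's claim): action -> input that defaults to "latest".
DEFAULTS_TO_LATEST = {"aquasecurity/setup-trivy": "version"}

def audit_workflow(text):
    """Return (line_no, kind, detail) findings for one workflow file."""
    steps, current = [], None
    for no, line in enumerate(text.splitlines(), 1):
        m, k = USES_RE.match(line), KEY_RE.match(line)
        if m:  # a new step that calls a remote action
            current = {"line": no, "action": m.group(1), "ref": m.group(2), "inputs": {}}
            steps.append(current)
        elif re.match(r"^\s*-\s", line):  # next list item: previous step ended
            current = None
        elif current and k:  # key: value belonging to the current step
            current["inputs"][k.group(1)] = (no, k.group(2))
    findings = []
    for s in steps:
        if not SHA_RE.match(s["ref"]):  # tag or branch: can be re-pointed
            findings.append((s["line"], "unpinned-action", f'{s["action"]}@{s["ref"]}'))
        for key, (no, val) in s["inputs"].items():
            if val.lower() == "latest":  # pinned action, mutable download
                findings.append((no, "mutable-input", f"{key}={val}"))
        need = DEFAULTS_TO_LATEST.get(s["action"].lower())
        if need and need not in s["inputs"]:
            findings.append((s["line"], "implicit-latest", f'{s["action"]} omits {need}'))
    return sorted(findings)

# Constructed workflow; the 40-hex ref and v0.0.0 are placeholders, not real values.
PIN = "0123456789abcdef0123456789abcdef01234567"
SAMPLE = f"""\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install trivy
        uses: aquasecurity/setup-trivy@{PIN}
      - uses: aquasecurity/setup-trivy@{PIN}
        with:
          version: latest
      - uses: aquasecurity/setup-trivy@{PIN}
        with:
          version: v0.0.0
"""
```

Running `audit_workflow(SAMPLE)` flags the tag-pinned checkout step, the SHA-pinned step that omits a version, and the explicit `version: latest`; only the last step, pinned by SHA with a fixed version, passes.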
  • swq11544 minutes ago
    The irony of your vulnerability scanner being the vulnerability.
  • snailmailman 6 hours ago
    Are the spam comments all from compromised accounts, presumably compromised due to this hack?
    I only clicked on a handful of accounts but several of them have plausibly real looking profiles.
    • bakugo 6 hours ago
      Some of them were likely already compromised before these incidents, here's one of the accounts near the top making malicious commits to its own repository before the first hack:
      https://github.com/Hancie123/mero_hostel_backend/commit/4bcb683829ed40cd388814391c80bf6f2229c7d4
    • wswin 5 hours ago
      what comments?
      • snailmailman 4 hours ago
        Ah, I think the HN post was merged. My original comment was in response to this related GitHub discussion: https://github.com/aquasecurity/trivy/discussions/10420
        There are hundreds of automated spam comments there from presumably compromised accounts. The new OP is much more clear regarding what has happened.
  • RS-232 5 hours ago
    Pretty ironic that the security tool is insecure
    • tptacek 4 hours ago
      You must be new to this. The median line of code in a security tool is materially *less* secure than the median line of code overall in the industry.
      • CoderLuii 2 hours ago
        this is painfully accurate. I've worked in security for years and the tools we trust the most get the least scrutiny because everyone assumes "well it's a security tool, it must be secure." the irony is these tools usually run with the highest privileges in the pipeline. trivy sits in CI with access to every secret in your environment and nobody questions it because it's supposed to be the thing protecting you.
  • MilnerRoute 6 hours ago
    Briefly?
    "Trivy Supply Chain Attack Spreads, Triggers Self-Spreading CanisterWorm Across 47 npm Packages"
    https://it.slashdot.org/story/26/03/22/0039257/trivy-supply-chain-attack-spreads-triggers-self-spreading-canisterworm-across-47-npm-packages
    • zach_vantio 5 hours ago
      "Briefly" is doing a lot of work there. Pre-deploy scans are useless once a bad mutation is actually live. If you don't have a way to auto-revert the infrastructure state instantly, you're just watching the fire spread.
    • brightball 4 hours ago
      Seriously. All credentials compromised that it can see. It's active in CI/CD pipelines and follow-on attacks are happening.