Aquasecurity Trivy Supply Chain Compromise CVE-2026-33634 Exposes CI/CD Credentials
Summary
The Aquasecurity Trivy container security scanner was found to contain embedded malicious code (CVE-2026-33634). The compromise allowed attackers to harvest CI/CD credentials, including tokens, SSH keys, and cloud credentials, which were subsequently used to breach Cisco's internal development environment.
Threat Analysis
CVE-2026-33634 is a supply chain compromise of Aquasecurity Trivy in which malicious code was embedded in the scanner (CWE-506, Embedded Malicious Code). It is being actively exploited.
Affected Products: Affected versions of Aquasecurity Trivy. Organizations using Trivy in CI/CD pipelines are at highest risk.
Exploitation Status: Actively exploited. Credentials harvested from CI/CD environments were used in a confirmed breach of Cisco.
Recommended Mitigations: (1) Audit all Trivy installations and check version integrity. (2) Rotate all credentials exposed in CI/CD environments. (3) Review CI/CD pipeline logs for unauthorized access. (4) Apply vendor patches per CISA KEV guidance.
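For mitigation (1), the following added example (not code from this advisory or from the Trivy project) checks local Trivy artifacts against a sha256sum-format checksum list and reports each as OK, MISMATCH or UNLISTED. It assumes the checksum list was obtained from a trusted vendor source out of band; the artifact names and contents in `demo()` are constructed placeholders, since the advisory lists no versions or hashes.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    known = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue  # blank or malformed line
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            known[name] = digest  # anything that is not a SHA-256 hex digest is ignored
    return known

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def audit(paths, manifest):
    """Classify each artifact: OK, MISMATCH (listed but hash differs) or UNLISTED."""
    report = {}
    for p in map(Path, paths):
        expected = manifest.get(p.name)
        if expected is None:
            report[p.name] = "UNLISTED"  # unknown build: cannot be vouched for
        else:
            report[p.name] = "OK" if sha256_file(p) == expected else "MISMATCH"
    return report

def demo():
    """Constructed sample: three stand-in artifacts, one altered after the manifest was made."""
    with tempfile.TemporaryDirectory() as d:
        a, b, c = (Path(d) / n for n in ("trivy_A.tar.gz", "trivy_B.tar.gz", "trivy_C.tar.gz"))
        for f in (a, b, c):
            f.write_bytes(b"constructed content for " + f.name.encode())
        manifest = parse_manifest(f"{sha256_file(a)}  {a.name}\n{sha256_file(b)} *{b.name}\n\nnot-a-hash line\n")
        b.write_bytes(b"constructed content, modified")  # simulate an altered artifact
        return audit([a, b, c], manifest)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Treat MISMATCH and UNLISTED results as installations to replace from a verified source, and as a signal that credentials reachable from that pipeline fall under mitigation (2).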