Malware | Critical

Aquasecurity Trivy Supply Chain Attack: Embedded Malicious Code CVE-2026-33634

Wednesday, April 1, 2026
Global
CISA KEV

Summary

CISA added CVE-2026-33634 to its Known Exploited Vulnerabilities catalog on March 26, 2026, documenting an embedded malicious code vulnerability in Aquasecurity Trivy, a widely used open-source container security scanner. The supply chain compromise allows attackers to execute malicious code on systems running affected versions of the tool.

Threat Analysis

CVE-2026-33634 documents a supply chain attack against Aquasecurity Trivy, a popular open-source vulnerability scanner used to detect security issues in container images, file systems, and Git repositories. Malicious code was embedded in affected versions of Trivy, enabling attackers to execute arbitrary commands on systems where the compromised version is installed. This type of supply chain attack is particularly dangerous because security tools are often run with elevated privileges and have broad access to sensitive systems and credentials. The attack follows a pattern of targeting developer and security tooling to maximize impact across the software supply chain. CISA added this vulnerability to its KEV catalog on March 26, 2026, indicating active exploitation.

Organizations using Trivy should immediately verify their installed version, update to the latest clean release, audit systems where compromised versions were run for signs of post-exploitation activity, and rotate any credentials that may have been exposed. Review CI/CD pipeline logs for anomalous behavior.
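One way to carry out the "verify their installed version" step without executing a binary that may be compromised, as an added example that is not part of the original advisory or of the Trivy project: it hashes every file named trivy under the given directories and compares the digest with an operator-built manifest. The manifest format ("<sha256>  <version>" per line, digests of extracted binaries from releases you have verified) and the affected-version placeholder are assumptions, since the advisory lists no versions or hashes.

```python
import hashlib
import os
import sys

# Placeholder: the advisory lists no affected versions; take them from the vendor.
AFFECTED_VERSIONS = {"AFFECTED_VERSION_PLACEHOLDER"}

def parse_manifest(text):
    """Parse '<sha256>  <version>' lines (assumed, operator-built) into {digest: version}."""
    known = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 64:
            known[parts[0].lower()] = parts[1]
    return known

def sha256_file(path):
    """Hash a file without running it; a suspect binary is never executed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def find_binaries(roots, name="trivy"):
    """Yield regular files called `name` under each root; symlinks are skipped."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            path = os.path.join(dirpath, name)
            if name in files and os.path.isfile(path) and not os.path.islink(path):
                yield path

def classify(digest, known, affected=AFFECTED_VERSIONS):
    version = known.get(digest)
    if version is None:
        return ("UNKNOWN", None)      # matches no known release: investigate
    if version in affected:
        return ("AFFECTED", version)  # audit the host and rotate credentials
    return ("CLEAN", version)

def inventory(roots, known, affected=AFFECTED_VERSIONS):
    """Map each discovered binary path to its (status, version) classification."""
    return {p: classify(sha256_file(p), known, affected) for p in find_binaries(roots)}

if __name__ == "__main__" and len(sys.argv) > 2:
    # Usage: script.py MANIFEST ROOT [ROOT ...]
    with open(sys.argv[1]) as fh:
        manifest = parse_manifest(fh.read())
    for path, (status, ver) in sorted(inventory(sys.argv[2:], manifest).items()):
        print(f"{status:8} {ver or '-':12} {path}")
```

An UNKNOWN result deserves the same scrutiny as AFFECTED: it means the binary matches no release in the manifest, which covers both unofficial builds and tampered files.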

Last updated: Apr 1, 2026, 08:23 AM
