March 21, 2026
When your watchdog bites you
Trivy Security incident 2026-03-19
Security tool ships shady update; trust meter hits zero
TLDR: Hackers used a leaked credential to push bad Trivy updates, forcing rollbacks and secret rotation while the team locked down tokens and scrubbed releases. Commenters call it a trust crisis—some praise transparency, others say a security tool shipping backdoors is unforgivable, making future recommendations shaky.
The internet’s favorite “checks-your-stuff” tool, Trivy, just had a soap‑opera week. Hackers used a stolen login to push bad updates to Trivy and its automation helpers, sneaking into people’s build pipelines—the behind‑the‑scenes machines that assemble apps. The team admits their earlier cleanup wasn’t airtight and is now locking everything down, yanking the bad releases, and telling folks to stick to safe versions (v0.69.3 for Trivy, v0.35.0 for trivy‑action, v0.2.6 for setup‑trivy). They also want you to block a hacker command center (“C2”) at scan[.]aquasecurtiy[.]org and IP 45.148.10.212.
But the real show is in the comments. One longtime fan is fuming: “This is embarrassing… I don’t expect my security tools to introduce back doors.” Others are asking how you recommend a security product that just slipped malware into the line. Over on Hacker News, a thread tried to get traction and sputtered (link), prompting snark that even outrage has release management issues. The hot takes are split: some applaud fast fixes and transparency; others say “you had one job.” Memes landed hard: “Trivy checking Trivy into rehab,” “Rotate secrets like laundry day,” and “CI pipelines turning into spy thrillers.” It’s a trust hangover with a side of popcorn—devs are updating, blocking domains, and debating whether this is a forgivable stumble or a deal‑breaker for a tool meant to keep everyone safe.
Key Points
- On Mar 19, attackers used a compromised credential to publish malicious Trivy, trivy-action, and setup-trivy releases.
- The attack followed a Mar 1 incident that exfiltrated credentials; initial containment was incomplete.
- Secret/token rotation after the first incident was not atomic, potentially exposing refreshed tokens.
- All malicious artifacts were removed and safe versions designated: Trivy v0.69.3, trivy-action v0.35.0, setup-trivy v0.2.6.
- Users are advised to rotate pipeline secrets if exposed and block scan[.]aquasecurtiy[.]org and 45.148.10.212; investigation is ongoing.
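The remediation steps in the key points above (pin the two actions to the designated safe versions, confirm the installed Trivy build, and watch CI logs for traffic to the published C2 indicators) can be checked mechanically. The script below is an added example written for this page, not code from the Trivy project or from the original post; the workflow snippet and log lines are constructed, and the `Version: x.y.z` format of `trivy --version` output is an assumption.

```python
"""Audit GitHub Actions workflows for Trivy-related action pins, check the
installed Trivy version, and scan CI log lines for the advisory's IOCs."""
import re

# Safe versions designated in the advisory summarised on this page.
SAFE_VERSIONS = {
    "aquasecurity/trivy-action": "0.35.0",
    "aquasecurity/setup-trivy": "0.2.6",
}
TRIVY_SAFE_VERSION = "0.69.3"

# Indicators of compromise from the advisory; the page writes the domain
# de-fanged (scan[.]aquasecurtiy[.]org), here it is in the form logs would show.
IOC_DOMAIN = "scan.aquasecurtiy.org"
IOC_IP = "45.148.10.212"

USES_RE = re.compile(r"uses:\s*(aquasecurity/(?:trivy-action|setup-trivy))@(\S+)")


def audit_workflow(yaml_text):
    """Return (action, ref, reason) for every reference not pinned to a safe tag."""
    findings = []
    for m in USES_RE.finditer(yaml_text):
        action, ref = m.group(1), m.group(2)
        safe = SAFE_VERSIONS[action]
        # Accept "v0.35.0" or "0.35.0"; floating tags and branches are flagged.
        if ref.lstrip("v") == safe:
            continue
        if re.fullmatch(r"[0-9a-f]{40}", ref):
            reason = "pinned to a commit SHA; verify it maps to the safe tag"
        else:
            reason = f"not pinned to safe version v{safe}"
        findings.append((action, ref, reason))
    return findings


def trivy_version_is_safe(version_output):
    """Parse `trivy --version` output (assumed "Version: 0.69.3") and compare."""
    m = re.search(r"Version:\s*v?(\d+\.\d+\.\d+)", version_output)
    return bool(m) and m.group(1) == TRIVY_SAFE_VERSION


def find_ioc_hits(log_lines):
    """Return the log lines that mention the C2 domain or IP."""
    return [line for line in log_lines if IOC_DOMAIN in line or IOC_IP in line]


# Constructed sample workflow: one safe pin, one floating branch, one safe pin.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: aquasecurity/setup-trivy@v0.2.6
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@v0.35.0
"""

# Constructed sample runner log lines.
SAMPLE_LOGS = [
    "2026-03-19T10:02:11Z runner: GET https://scan.aquasecurtiy.org/upload",
    "2026-03-19T10:02:12Z runner: connect 45.148.10.212:443",
    "2026-03-19T10:02:13Z runner: GET https://ghcr.io/v2/",
]

if __name__ == "__main__":
    for action, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"WORKFLOW: {action}@{ref}: {reason}")
    print("trivy version safe:", trivy_version_is_safe("Version: 0.69.3"))
    for line in find_ioc_hits(SAMPLE_LOGS):
        print("IOC HIT:", line)
```

Run it over every `.github/workflows/*.yml` in a repository and over archived runner logs from the affected window; a SHA pin is reported separately because a commit hash neither confirms nor rules out a safe release on its own.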