Security readout for executives and security teams
Plain-English summary
This was a confirmed supply-chain compromise affecting Trivy releases and related GitHub Actions. Malicious versions could steal secrets from CI/CD environments. If your organization ran the affected Trivy binary, container image, or Aqua Security actions during the March 19–20 window, treat accessible pipeline secrets as exposed.
Executive priority
Treat this as an urgent CI/CD incident response item, not routine patching. Prioritize organizations using Trivy in automated pipelines because stolen build secrets can enable broader compromise across source code, cloud, and deployment systems.
Technical view
A compromised credential enabled publication of malicious Trivy v0.69.4, force-pushed tags for aquasecurity/trivy-action versions 0.0.1–0.34.2, and replaced setup-trivy tags 0.2.0–0.2.6 before safe recreation. Sources also list LiteLLM 1.82.7–1.82.8 and telnyx-python 4.87.1–4.87.2 advisories connected to the broader campaign.
Likely exposure
Exposure is most likely in GitHub Actions or build systems that referenced mutable Aqua Security tags, pulled Trivy v0.69.4, or used affected related packages. The highest risk is theft of repository, cloud, package registry, and deployment secrets available to those workflows.
Exploitation context
This is not just a theoretical flaw; the source bundle describes a real malicious release and tag replacement incident. CISA KEV is listed as false, so do not treat it as KEV-confirmed exploitation. The practical concern is whether compromised components executed in your environment.
Researcher notes
Evidence indicates credential rotation after an earlier disclosure was not atomic, allowing possible continued attacker access. The affected surface includes mutable GitHub Action tags and a malicious Trivy release. Avoid assuming safety based only on version tags; validate commit references, execution history, and secret exposure paths.
Mitigation direction
- Remove Trivy v0.69.4 and affected artifacts from caches, registries, and build images.
- Move trivy-action to version 0.35.0 or vendor-designated safe guidance.
- Use Trivy binary versions 0.69.2 or 0.69.3 where applicable.
- Use setup-trivy 0.2.6 only after confirming it references the recreated safe commit.
- Rotate all secrets accessible to affected workflows if compromise is possible.
- Pin GitHub Actions to full immutable commit SHAs, not mutable version tags.
Validation and detection
- Inventory workflows using aquasecurity/trivy-action or aquasecurity/setup-trivy.
- Check whether Trivy v0.69.4 was pulled or executed from any source.
- Review March 19–20, 2026 workflow logs for affected tag usage.
- Search GitHub organizations for repositories named tpcp-docs.
- Check package inventories for LiteLLM 1.82.7–1.82.8 and telnyx-python 4.87.1–4.87.2.
- Review vendor advisories for any updated indicators, safe versions, or additional scope.
Public sources used
Michael Williams reviewed this cited source version on .
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-506: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCredential and access behavior lookup
The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupContainer behavior lookup
The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2026-33634 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Critical
- CVSS
- 9.4 (4.0)
- Known Exploited
- Yes
- Published
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CISA KEV status
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H——Primary CVE scoreVulnerability scoring details
Base CVSS 4.0 score
9.4CriticalVector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Source materials
- CVE List V5 sourceCVE List V5
- https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23CVE reference · x_refsource_CONFIRM
- https://github.com/team-telnyx/telnyx-python/security/advisories/GHSA-955r-262c-33jcCVE reference · x_refsource_MISC
- https://github.com/BerriAI/litellm/issues/24518CVE reference · x_refsource_MISC, third-party-advisory
- https://docs.litellm.ai/blog/security-update-march-2026CVE reference · x_refsource_MISC
- https://futuresearch.ai/blog/litellm-pypi-supply-chain-attackCVE reference · x_refsource_MISC
- https://github.com/aquasecurity/trivy/discussions/10425CVE reference · x_refsource_MISC
- https://github.com/pypa/advisory-database/tree/main/vulns/litellm/PYSEC-2026-2.yamlCVE reference · x_refsource_MISC
- https://inspector.pypi.io/project/litellm/1.82.7/packages/79/5f/b6998d42c6ccd32d36e12661f2734602e72a576d52a51f4245aef0b20b4d/litellm-1.82.7-py3-none-any.whl/litellm/proxy/proxy_server.py#line.130CVE reference · x_refsource_MISC
- https://inspector.pypi.io/project/litellm/1.82.8/packages/f6/2c/731b614e6cee0bca1e010a36fd381fba69ee836fe3cb6753ba23ef2b9601/litellm-1.82.8.tar.gz/litellm-1.82.8/litellm_init.pth#line.1CVE reference · x_refsource_MISC
- https://www.wiz.io/blog/teampcp-attack-kics-github-actionCVE reference · x_refsource_MISC
- https://rosesecurity.dev/2026/03/20/typosquatting-trivy.htmlCVE reference · exploit
- https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/CVE reference · third-party-advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33634CVE reference · government-resource
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Embedded Malicious Code
Embedded Malicious Code represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
