Workflow runs in this repository executed a compromised version of aquasecurity/trivy-action that made outbound connections to a malicious domain (scan.aquasecurtiy.org).
Since these workflows use StepSecurity Harden-Runner, we were able to detect the malicious outbound connection and are reaching out to inform you.
Affected workflow runs:
What happened:
On March 19, 2026, aquasecurity/trivy-action was compromised with a credential stealer that reads GitHub Actions Runner worker memory to extract secrets and exfiltrates them to an attacker-controlled domain. For full details, see: https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release
Recommended actions:
- Review the affected workflow runs to determine what secrets and credentials were accessible
- Rotate all secrets and tokens that the workflow had access to (GitHub tokens, cloud credentials, Docker registry tokens, etc.)
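
As an aid to the first recommended action, the added example below (not part of the original notice and not StepSecurity's tooling) lists the secret names referenced by each job that uses aquasecurity/trivy-action in a workflow file. It assumes block-style YAML with consistent indentation, treats workflow-level secrets and `GITHUB_TOKEN` as reachable by every job, and runs on a constructed sample workflow.

```python
import re

ACTION = "aquasecurity/trivy-action"
SECRET_RE = re.compile(r"\bsecrets\.(\w+)")
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?" + re.escape(ACTION) + r"(?:@|/|['\"]|\s|$)", re.M)

# Constructed sample workflow; secret names and the REF placeholder are illustrative.
SAMPLE = """\
name: ci
on: push
env:
  REGISTRY_USER: ${{ secrets.DOCKER_USER }}
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@REF
        env:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  docs:
    runs-on: ubuntu-latest
    steps:
      - run: make docs
        env:
          TOKEN: ${{ secrets.DOCS_TOKEN }}
"""

def split_jobs(text):
    """Return {job_id: job_text}; workflow-level lines are stored under ''."""
    jobs, current, in_jobs, job_indent = {"": []}, "", False, None
    for line in text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped and not stripped.startswith("#"):
            if indent == 0:                      # top-level key ends any job
                in_jobs, current = stripped.startswith("jobs:"), ""
            elif in_jobs and indent == (job_indent or indent) and stripped.endswith(":"):
                job_indent, current = indent, stripped[:-1]   # new job id
        jobs.setdefault(current, []).append(line)
    return {k: "\n".join(v) for k, v in jobs.items()}

def exposed_secrets(text):
    """Map each job that runs the action to the secrets to review and rotate."""
    jobs = split_jobs(text)
    shared = set(SECRET_RE.findall(jobs.pop("")))   # workflow-level env etc.
    return {job: sorted(shared | set(SECRET_RE.findall(body)) | {"GITHUB_TOKEN"})
            for job, body in jobs.items() if USES_RE.search(body)}

if __name__ == "__main__":
    for job, names in exposed_secrets(SAMPLE).items():
        print(job, names)
```

Secrets handed to a job by other routes (for example `secrets: inherit` on a reusable workflow) are not visible to this text scan and need a manual check.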