SAN FRANCISCO — Mandiant is responding to a major, ongoing supply-chain attack involving the compromise of Trivy, a widely used open-source tool from Aqua Security that’s designed to find vulnerabilities and misconfigurations in code repositories.
The fallout from the attack spree, which was first detected March 19, is extensive and poses substantial risk for follow-on compromises and threatening extortion attempts.
“We know over 1,000 impacted SaaS environments right now that are actively dealing with this particular threat campaign,” Charles Carmakal, chief technology officer at Mandiant Consulting said during a threat briefing held in conjunction with the RSAC 2026 Conference. “That thousand-plus downstream victims will probably expand into another 500, another 1,000, maybe another 10,000.”
Attackers stole a privileged access token and established a foothold in Trivy’s repository automation process by exploiting a misconfiguration in the tool’s GitHub Actions environment in late February, Aqua Security said in a blog post.
On March 1, the company tried to block an ongoing breach by changing its credentials. They later realized the attempt failed, which allowed the attacker to stay in the system using valid logins. Attackers published malicious releases of Trivy on March 19.
“While this activity initially appeared to be an isolated event, it was the result of a broader, multi-stage supply-chain attack that began weeks earlier,” Aqua Security said in the blog post.
By compromising the tool, attackers gained access to secrets for many organizations, Carmakal said. “There will likely be many other software packages, supply-chain attacks and a variety of other compromises as a result of what’s playing out right now.”
Mandiant expects widespread breach disclosures, follow-on attacks and a variety of downstream impacts to play out over the next several months.
The attackers, which the incident response firm has yet to name, are collaborating with multiple threat groups mostly based in the United States, Canada and United Kingdom. These cybercriminals “are known for being exceptionally aggressive with their extortion,” Carmakal said. “They’re very loud, they’re very aggressive.”
Mandiant is still working to identify the root of the initial attack. “We can’t quite tell how those credentials were stolen, because it is our belief that those credentials were not stolen from that victim’s environment,” Carmakal said.
The credentials were likely stolen from another cloud environment, a business process outsourcer, partner or the personal computer of an engineer, he added.
Aqua said Sygnia, which is investigating the attack and assisting in remediation efforts, identified additional suspicious activity Sunday involving unauthorized changes and repository changes — activity that is consistent with the attacker’s previously observed behavior.
“This development suggests that the incident is part of an ongoing and evolving attack, with the threat actor reestablishing access. Our investigation is actively focused on validating that all access paths have been identified and fully closed,” the company said.
Aqua, in its latest update Tuesday, said it is continuing to revoke and rotate credentials across all environments and claimed there is still no indication its commercial products are affected.
Many attackers are currently weaponizing access and likely targeting additional victims, yielding to potential extortion attempts and the compromise of additional software, Carmakal said.
“It’s going to be a different outcome for a lot of different organizations,” he said. “This will be a very concentrated focus of the adversaries and their expansion group of partners that they’re collaborating with right now.”
Facts Only
Who: Mandiant, Aqua Security, attackers (not named)
What: Supply-chain attack on Trivy, breach, extortion attempts, investigation, revoking and rotating credentials
When: First detected March 19, misconfiguration in late February
Where: SaaS environments (over 1,000 impacted), likely other cloud environments, personal computers of engineers
Executive Summary
Full Take
By compromising Trivy, the attackers gained access to sensitive secrets for many organizations. The extortion wave following this incident poses substantial risk for follow-on compromises and threatening extortion attempts. The cybercriminals involved are known for their aggressive tactics, being loud and demanding. It is unclear how the credentials were stolen, but it's believed they were not stolen from the victim's environment. The incident highlights the vulnerability of supply chains in software development, and the potential for far-reaching impacts when a single tool used by many organizations is compromised.
Patterns detected: ARC-0043 Motte-and-Bailey (the article focuses on the threat but does not provide detailed information on how the attack was executed), ARC-0024 Ambiguity (the exact mechanism of the credentials theft remains unclear)
Sentinel — Human
This article appears to be written by a human journalist. The writing style, argumentative structure, and personal voice all indicate human authorship. However, there is always a possibility of AI involvement in the editing or formatting process.
