External risk intelligence
Trivy could allow external attackers to steal sensitive CI/CD environment secrets.
The Trivy security scanner is currently experiencing a confirmed active supply chain attack. This could allow external attackers to steal information, potentially exposing your cloud credentials, database passwords, and SSH keys stored within automated build systems.
CVE-2026-33634
Exposure facts
H – Horizon Alert
A security incident has been identified regarding the Trivy security scanner and its associated automation tools, where a threat actor compromised credentials to distribute unauthorized, malicious code through the vendor's official release channels. This supply chain attack is significant because these compromised tools were designed to harvest sensitive information from the environments where they are utilized. Consequently, using these affected components could potentially grant an unauthorized party access to internal secrets, cloud credentials, and other sensitive data managed within your automated pipelines.
A – Asset Exposure
This incident impacts development environments and automated CI/CD pipelines that rely on the affected security scanning tools and specific integration workflows. Because these tools operate within your build environment, this exposure could allow unauthorized access to critical secrets and infrastructure controls. Specifically, your cloud credentials, SSH keys, database passwords, and other sensitive configuration data utilized in these pipelines may be accessible to malicious actors. This presents a significant risk to the integrity of your software delivery process and the broader security of your internal systems.
L – Live Threat
This situation involves confirmed active exploitation stemming from a supply chain attack where a threat actor gained unauthorized access to official project repositories to distribute malicious code. Because this incident involves the active manipulation of software delivery channels, it has been formally added to the CISA Known Exploited Vulnerabilities catalog. This designation confirms that the threat is not theoretical and represents a high-priority security signal for organizations relying on these automated tools.
O – Operational Fix
Please conduct an immediate review of your development pipelines to determine if any compromised Trivy components were recently utilized. If usage is confirmed, you must rotate all secrets accessible to those environments, as they should be considered exposed. Audit your workflows for any unauthorized artifacts or specific repository names as outlined in the vendor’s security advisories. Finally, we recommend pinning all GitHub Actions to full, immutable commit SHAs moving forward to enhance the security and integrity of your automation.
References
- https://docs.litellm.ai/blog/security-update-march-2026
- https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack
- https://github.com/BerriAI/litellm/issues/24518
- https://github.com/aquasecurity/trivy/discussions/10425
- https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23
- https://github.com/pypa/advisory-database/tree/main/vulns/litellm/PYSEC-2026-2.yaml
- https://github.com/team-telnyx/telnyx-python/security/advisories/GHSA-955r-262c-33jc
- https://inspector.pypi.io/project/litellm/1.82.7/packages/79/5f/b6998d42c6ccd32d36e12661f2734602e72a576d52a51f4245aef0b20b4d/litellm-1.82.7-py3-none-any.whl/litellm/proxy/proxy_server.py#line.130
- https://inspector.pypi.io/project/litellm/1.82.8/packages/f6/2c/731b614e6cee0bca1e010a36fd381fba69ee836fe3cb6753ba23ef2b9601/litellm-1.82.8.tar.gz/litellm-1.82.8/litellm_init.pth#line.1
- https://www.wiz.io/blog/teampcp-attack-kics-github-action
- https://github.com/BerriAI/litellm/issues/24518#issuecomment-4127436387
- https://rosesecurity.dev/2026/03/20/typosquatting-trivy.html