How the Trivy Supply-Chain Attack Harvested Credentials from Secrets Managers

Published: April 10, 2026, 07:10 AM (GMT+9)
3 min read
Original: Hacker News

What happened

The anatomy of the attack

ENTRY POINT – Attacker compromises Trivy release

Exploits mutable Git tags and self‑declared commit identity to inject malware into the official v0.69.4 release binary.

PROPAGATION – GitHub Actions pick up the payload

Both trivy-action and setup-trivy GitHub Actions are simultaneously compromised. Millions of CI/CD pipelines now run malicious code.

EXFILTRATION – Credentials harvested from runtime environment

The malicious payload accesses plaintext API keys from environment variables—exactly where every secrets manager places them after retrieval. Keys are sent to the attacker’s C2 server.

WHERE VAULTPROOF BREAKS THE CHAIN – No plaintext key exists to steal

With VaultProof, the full API key never exists in the CI/CD environment. Only cryptographic shares are present—individually useless to an attacker. Nothing to harvest.

The blind spot

Why your secrets manager didn’t help

Every secrets manager available in March 2026—Vault, AWS Secrets Manager, Doppler, Infisical—follows the same retrieval model. You store the key encrypted; your CI/CD pipeline retrieves it via API at runtime, and the key becomes a plaintext environment variable that your tools can read.

They protect the key at rest—not in use.

# ci-pipeline.yml (simplified)
$ doppler run -- npm test
# Doppler retrieves OPENAI_API_KEY from vault...
# Sets it as environment variable...
export OPENAI_API_KEY=sk-proj-Ab3xK9mNpQ...

# ↑ Plaintext. In the environment.
# Every tool this pipeline runs can read it.
# Including a compromised Trivy binary.

Running tests...
Running Trivy scan...
OPENAI_API_KEY exfiltrated to 185.220.101.x
✓ Trivy scan passed (0 vulnerabilities found)

The Trivy malware didn’t need to find a vulnerability; it simply read what was already there. Your secrets manager performed exactly as designed, yet the attacker still obtained the key.

The solution

What would have stopped this

The only complete defense against a supply‑chain attack targeting credentials is to ensure the credential never exists as plaintext in the environment.

VaultProof uses a split‑key architecture to divide API keys into cryptographic shares. Your CI/CD pipeline never sees the full key—only the shares. Even if a compromised tool reads every byte of the environment, it finds nothing useful.

  • 🔑 Key Registration
    Your API key is split into N shares and stored separately. Each share is individually useless.

  • 🛡️ Runtime Request
    When your app needs to make an API call, the VaultProof proxy collects the shares and reconstructs the key in memory for only a few milliseconds.

  • ✓ Call Complete
    The API call succeeds, then the reconstructed key is zeroed from memory. No plaintext key ever resides in your app environment.

If Trivy were running during this process, it would find nothing. There is no credential to harvest, breaking the attack model entirely.
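
Added example, not VaultProof's code: the page does not say which splitting scheme VaultProof uses, so this sketch assumes a simple N-of-N XOR split to show why a single share reveals nothing and how a key can be rebuilt for one call and then zeroed. The function names, the `KEY_SHARE_1` variable and the sample key are constructed for illustration.

```python
import secrets

def _xor_into(dst: bytearray, src: bytes) -> None:
    for i, b in enumerate(src):
        dst[i] ^= b

def split_key(key: bytes, n: int) -> list[bytes]:
    """N-of-N XOR split: n-1 random pads plus (key XOR all pads)."""
    if n < 2 or not key:
        raise ValueError("need a non-empty key and at least 2 shares")
    pads = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = bytearray(key)
    for pad in pads:
        _xor_into(last, pad)
    return pads + [bytes(last)]

def reconstruct(shares: list[bytes]) -> bytearray:
    """XOR every share together; mutable result so the caller can wipe it."""
    if len(shares) < 2 or len({len(s) for s in shares}) != 1:
        raise ValueError("need >= 2 shares of equal length")
    out = bytearray(len(shares[0]))
    for share in shares:
        _xor_into(out, share)
    return out

def call_with_key(shares: list[bytes], send):
    """Rebuild the key for one call only, then zero the buffer (best effort)."""
    key = reconstruct(shares)
    try:
        return send(key)
    finally:
        for i in range(len(key)):
            key[i] = 0

def env_exposes(env: dict[str, str], key: bytes) -> bool:
    """What an env-reading payload would see: is the full key in any value?"""
    return any(key.decode() in value for value in env.values())

if __name__ == "__main__":
    KEY = b"sk-test-CONSTRUCTED-not-a-real-key"  # constructed sample value
    shares = split_key(KEY, 3)
    # Retrieval model from the page: the plaintext key sits in the environment.
    print(env_exposes({"OPENAI_API_KEY": KEY.decode()}, KEY))   # True
    # Split model (assumed layout): this job's environment holds one share.
    print(env_exposes({"KEY_SHARE_1": shares[0].hex()}, KEY))   # False
    # With one share missing, the XOR of the rest is unrelated to the key.
    print(reconstruct(shares[:2]) == KEY)                       # False
```

The split only helps if the shares are not all readable from the same job environment, and zeroing a Python `bytearray` does not erase copies made by libraries the key is passed to.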
