On March 20, 2026, attackers compromised Aqua Security's Trivy — the open-source vulnerability scanner that runs in millions of CI/CD pipelines worldwide. They force-pushed 75 out of 76 trivy-action version tags to include custom malware that harvests GitHub tokens, cloud credentials, SSH keys, and Kubernetes secrets from every pipeline that runs a scan.
Read that again. The tool you use to find vulnerabilities became the vulnerability.
What Actually Happened
The attack didn't use a traditional commit-based approach. The threat actors — self-identified as "Team PCP" — used stolen credentials to force-push malicious tags without creating visible commits, releases, or pull requests. This meant the compromise flew under the radar of most conventional defenses.
Here's the attack chain:
- Credential theft — likely from an earlier compromise of the Trivy VS Code extension in February
- Tag manipulation — 75 of 76 trivy-action tags force-pushed to reference a malicious tree
- Payload delivery — any CI/CD pipeline referencing compromised tags (including widely-used @0.34.2, @0.33, @0.18.0) executed credential-stealing code
- Exfiltration — stolen secrets sent to scan.aquasecurtiy[.]org (note the typosquat), a domain resolving to attacker infrastructure
- Lateral movement — the attackers used harvested credentials to compromise additional Aqua repositories, stealing GPG keys and credentials for Docker Hub
The technique is worth studying. By manipulating tags rather than pushing new commits, the attackers bypassed the change detection that most teams rely on. Your CI pipeline pins a trivy-action version tag thinking that's safe. It was — until the tag was silently redirected to malicious code.
This Isn't Just a Trivy Problem
Three days before the Trivy compromise, a developer named Uwe Chalas raised an alarm on the official MCP servers repository. An organization called iflow-mcp had been systematically forking hundreds of MCP servers on GitHub, republishing them under their own npm scope (@iflow-mcp/) and on PyPI, and distributing them through their own marketplace.
The familiar name of the original project made users trust the fork. But an MCP server isn't a harmless plugin — by design, it has deep access to your filesystem, can read source code, execute commands, and communicate directly with your AI agent via stdio. A trojanized MCP server could exfiltrate data while appearing to work normally.
This is a pattern, not an isolated incident:
- September 2025: A fake postmark-mcp npm package silently BCC'd every outgoing email to an attacker-controlled address. 1,643 downloads before detection.
- October 2025: Smithery's path traversal vulnerability exposed a Fly.io token with access to 3,243 MCP server deployments and thousands of API keys.
- February 2026: Kaspersky's GERT team published a detailed proof-of-concept showing how a trojanized MCP server advertised as a "productivity tool" could harvest secrets while functioning normally.
- March 2026: The iflow-mcp mass-forking operation — hundreds of legitimate MCP servers cloned and republished under a different scope.
Why MCP Makes Supply Chain Attacks Worse
Traditional supply chain attacks on npm or PyPI packages are bad. MCP supply chain attacks are worse, for three specific reasons:
1. MCP servers are designed to have broad access. An npm package that reads your filesystem is suspicious. An MCP server that reads your filesystem is doing its job. The permission model that makes MCP useful is the same one that makes a compromised MCP server devastating.
2. AI agents don't verify sources. When Claude, ChatGPT, or Cursor connects to an MCP server, the agent trusts the tool metadata at face value. If a forked MCP server changes a tool description to include hidden instructions, the agent may follow them. This isn't a theoretical risk — tool poisoning attacks have been demonstrated against real MCP deployments since April 2025.
3. The registry ecosystem has no meaningful vetting. There is no code signing, no verified publisher program, no integrity checks on tool definitions between versions. The MCP registry is where npm was in 2015 — before the event-stream incident taught the JavaScript ecosystem that trust without verification doesn't scale.
What This Means for Your Pipeline
If you use Trivy in CI/CD, Aqua's maintainer Itay Shakury has confirmed the compromise and published remediation steps. The immediate action is to pin to @0.35.0 (the only uncompromised tag) or switch to commit SHA references instead of tags.
But the broader lesson applies to every tool in your pipeline — including MCP servers:
Pin by commit SHA, not tag or version. Tags are mutable. Versions can be republished. Commit SHAs are immutable. This is the single most effective defense against tag-manipulation attacks.
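To make the tag-versus-SHA distinction concrete, here is an added example (not code from the original post, Aqua, or the trivy-action project) that scans GitHub Actions workflow text for `uses:` references pinned to anything other than a full 40-hex commit id, and rewrites them once you have resolved each tag to a commit (for example with `git ls-remote`). The workflow and the commit id in it are constructed placeholders, not real trivy-action commits.

```python
"""Flag GitHub Actions `uses:` references not pinned to a full commit SHA.

Added example, not from the original post, Aqua Security, or the trivy-action
project. The sample workflow and the 40-hex commit id below are constructed
placeholders, not real trivy-action commits.
"""
import re

# Matches `uses: owner/repo[/path]@ref` (with or without a leading "- ").
# Local actions (./path) and docker:// images have no "@ref", so they are skipped.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^@\s'"]+)@([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed workflow: two tag-pinned actions and one SHA-pinned action.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.33
      # pinned to a commit id (placeholder, not a real trivy-action commit)
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # 0.35.0
"""


def classify_ref(ref):
    """'sha' for an immutable 40-hex commit id; anything else (tag, branch,
    abbreviated SHA) is 'mutable' because the server can repoint it."""
    return "sha" if FULL_SHA_RE.match(ref) else "mutable"


def find_mutable_action_refs(workflow_text):
    """Return [(action, ref, line_no)] for every `uses:` pinned to a tag or branch."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify_ref(m.group(2)) == "mutable":
            findings.append((m.group(1), m.group(2), line_no))
    return findings


def pin_to_sha(workflow_text, resolved):
    """Rewrite mutable refs using `resolved`, a {(action, ref): sha} mapping the
    operator obtained out of band (e.g. `git ls-remote`). The original tag is
    kept as a trailing comment so humans can still see which version it was."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and classify_ref(m.group(2)) == "mutable":
            sha = resolved.get((m.group(1), m.group(2)))
            if sha and FULL_SHA_RE.match(sha):
                line = line.replace(f"@{m.group(2)}", f"@{sha}", 1) + f" # {m.group(2)}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for action, ref, line_no in find_mutable_action_refs(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is a mutable reference")
```

Run it over every file under `.github/workflows/` in CI and fail the build on any finding; a tag that has been force-pushed looks identical in the workflow file, so the only durable protection is to never reference the tag in the first place.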
Audit your MCP server sources. Check every MCP server in your configuration. Is it from the original publisher? Is the npm scope correct? Is the GitHub repo a fork? The @iflow-mcp pattern works because developers don't check.
Monitor for configuration drift. If an MCP server's tool definitions change between sessions — different parameter names, different descriptions, new tools you didn't install — that's a signal. At mistaike, every tool call passes through DLP scanning that catches unexpected data exfiltration patterns, regardless of which server initiated it.
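The two checks above, auditing where each MCP server comes from and watching its tool definitions for drift, are illustrated by the following added example; it is not code from the original post, from mistaike, or from any MCP client or server. It assumes the `mcpServers` configuration layout used by Claude Desktop and similar clients, the `tools/list` result shape (`name`, `description`, `inputSchema`) from the MCP specification, and the simple `npx -y <package>` launch form. The config, package names under `@iflow-mcp/`, and both tool snapshots are constructed.

```python
"""Audit MCP server package sources and detect tool-definition drift.

Added example, not from the original post, mistaike, or any MCP client or
server. Assumes the `mcpServers` config layout used by Claude Desktop and
similar clients and the `tools/list` result shape from the MCP specification.
All config and tool data below is constructed.
"""
import hashlib
import json

# Constructed client config: one server from the expected scope, one from a
# look-alike scope, one launched without npx (not handled by the source audit).
SAMPLE_CONFIG = {"mcpServers": {
    "filesystem": {"command": "npx",
                   "args": ["-y", "@modelcontextprotocol/server-filesystem", "/srv/app"]},
    "filesystem-fork": {"command": "npx",
                        "args": ["-y", "@iflow-mcp/example-server@1.2.0", "/srv/app"]},
    "local-tool": {"command": "python", "args": ["./tools/server.py"]},
}}

# Constructed tools/list snapshots from two sessions of the same server.
PREVIOUS_TOOLS = [
    {"name": "read_file", "description": "Read a file inside the configured workspace.",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}},
                     "required": ["path"]}},
    {"name": "list_directory", "description": "List entries of a workspace directory.",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}}},
]
CURRENT_TOOLS = [
    {"name": "read_file", "description": "Read a file inside the configured workspace.",
     "inputSchema": {"type": "object",
                     "properties": {"path": {"type": "string"},
                                    "mirror_to": {"type": "string"}},   # new parameter
                     "required": ["path"]}},
    {"name": "list_directory", "description": "List entries of a workspace directory.",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}}},
    {"name": "sync_workspace", "description": "Upload the workspace to the sync service.",
     "inputSchema": {"type": "object", "properties": {}}},                # new tool
]


def package_name(spec):
    """Strip the version suffix from an npm spec ('@s/n@1.0' -> '@s/n')."""
    cut = spec.find("@", 1)   # the '@' at index 0 is the scope marker, not a version
    return spec if cut == -1 else spec[:cut]


def package_scope(name):
    return name.split("/", 1)[0] if name.startswith("@") else None


def find_untrusted_packages(config, trusted_scopes, trusted_packages=()):
    """Return [(server, package)] for npx-launched servers whose package is
    neither in a trusted npm scope nor an explicitly trusted package name."""
    findings = []
    for server, spec in config.get("mcpServers", {}).items():
        if spec.get("command") != "npx":
            continue
        positional = [a for a in spec.get("args", []) if not a.startswith("-")]
        if not positional:
            continue
        name = package_name(positional[0])
        if name in trusted_packages or package_scope(name) in trusted_scopes:
            continue
        findings.append((server, name))
    return findings


def fingerprint_tools(tools):
    """Map tool name -> sha256 over canonical JSON of description + inputSchema."""
    out = {}
    for t in tools:
        canon = json.dumps({"description": t.get("description", ""),
                            "inputSchema": t.get("inputSchema", {})},
                           sort_keys=True, separators=(",", ":"))
        out[t["name"]] = hashlib.sha256(canon.encode()).hexdigest()
    return out


def diff_tool_definitions(previous, current):
    """Compare two tools/list results: tools added, removed, and changed, and
    for changed tools which of description / inputSchema differ."""
    prev = {t["name"]: t for t in previous}
    cur = {t["name"]: t for t in current}
    prev_fp, cur_fp = fingerprint_tools(previous), fingerprint_tools(current)
    changed = {}
    for name in prev.keys() & cur.keys():
        if prev_fp[name] != cur_fp[name]:
            changed[name] = sorted(f for f in ("description", "inputSchema")
                                   if prev[name].get(f) != cur[name].get(f))
    return {"added": sorted(cur.keys() - prev.keys()),
            "removed": sorted(prev.keys() - cur.keys()),
            "changed": changed}


if __name__ == "__main__":
    print(find_untrusted_packages(SAMPLE_CONFIG, {"@modelcontextprotocol"}))
    print(json.dumps(diff_tool_definitions(PREVIOUS_TOOLS, CURRENT_TOOLS), indent=2))
```

Persist the fingerprints from the first session and compare on every reconnect; a changed description or a new parameter on an existing tool deserves the same review as a new dependency, because the agent will read it as instructions.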
Treat your security tools as attack surface. Trivy was compromised because it was trusted implicitly. The more trust a tool has, the more valuable it is to an attacker. Your vulnerability scanner, your MCP gateway, your secret manager — these are high-value targets precisely because they have privileged access.
The Uncomfortable Truth
We keep building security tools and then treating them as exempt from the threat model they're supposed to defend against. Trivy scans for vulnerabilities but wasn't scanning itself for tag manipulation. MCP servers enforce tool policies but don't verify their own integrity. CI/CD pipelines run security checks but don't check the security of the checks.
The supply chain problem isn't going to be solved by adding another tool to the pipeline. It requires a fundamental shift in how we think about trust in developer infrastructure. Every dependency is an attack surface. Every integration is a trust boundary. Every tool with privileged access is a target.
The Trivy compromise will likely be contained without mass casualties — the attack was detected relatively quickly and Aqua responded. But the technique is out there now. Tag manipulation attacks against GitHub Actions are cheaper and stealthier than traditional supply chain poisoning. And the MCP ecosystem, with its hundreds of unvetted servers and no integrity verification, is a target-rich environment.
The question isn't whether the next supply chain attack will hit the AI tooling ecosystem. It's whether you'll notice when it does.