Aquasecurity/Trivy GitHub Repository and Homebrew Cask Compromised (again)
opensourcemalware.com

The offending commit seems to be: https://github.com/aquasecurity/trivy/commit/1885610c6a34811... which updates the action to `actions/checkout@70379aad1a8b40919ce8b382d3cd7d0315cde1d0 # v6.0.2`. https://github.com/actions/checkout/commit/70379aad1a8b40919... is not actually in `actions/checkout` but a fork, and it pulls malicious code from the typo-squatted "scan.aquasecurtiy.org" (note the _tiy_).
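A defensive check for the pattern this comment describes, added here as an example (not code from the thread, from Trivy or from actions/checkout): it parses SHA-pinned `uses:` lines, resolves the `# vX.Y.Z` comment against the upstream repository's real tags as listed by `git ls-remote --tags`, and flags a pin whose SHA is not the commit upstream actually tagged. The ls-remote output and the first and third workflow lines are constructed, and the placeholder tag SHAs are not the real ones; only the second SHA is the one quoted above.

```python
import re

# A SHA-pinned action reference with the conventional version comment, e.g.
#   uses: actions/checkout@<40 hex chars> # v6.0.2
USES_RE = re.compile(r"uses:\s*(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)(?:/[^@\s]+)?"
                     r"@(?P<sha>[0-9a-f]{40})(?:\s*#\s*(?P<tag>v?\d[\w.-]*))?")

def parse_uses(line):
    """Return (owner, repo, sha, tag_comment) for a SHA-pinned `uses:` line, else None."""
    m = USES_RE.search(line)
    return (m["owner"], m["repo"], m["sha"], m["tag"]) if m else None

def parse_ls_remote_tags(output):
    """Map tag name -> commit SHA from `git ls-remote --tags <upstream-url>` output."""
    tags = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].startswith("refs/tags/"):
            continue
        sha, name = parts[0], parts[1][len("refs/tags/"):]
        if name.endswith("^{}"):        # annotated tag: the peeled commit SHA wins
            tags[name[:-3]] = sha
        else:
            tags.setdefault(name, sha)  # tag object SHA only if no peeled entry exists
    return tags

def check_pin(line, upstream_tags):
    parsed = parse_uses(line)
    if parsed is None:
        return "not-sha-pinned"      # floating tag or branch: review separately
    sha, tag = parsed[2], parsed[3]
    if tag is None:
        return "no-version-comment"  # cannot tell which release the SHA claims to be
    expected = upstream_tags.get(tag)
    if expected is None:
        return "unknown-tag"         # upstream never published this tag
    return "ok" if expected == sha else "mismatch"  # SHA is not what upstream tagged

# Constructed stand-in for `git ls-remote --tags https://github.com/actions/checkout`;
# the placeholder SHAs are NOT the real commits behind the upstream tag.
SAMPLE_LS_REMOTE = "1" * 40 + "\trefs/tags/v6.0.2\n" + "2" * 40 + "\trefs/tags/v6.0.2^{}\n"
# Constructed workflow lines; the second SHA is the one quoted in the thread above.
SAMPLE_WORKFLOW = [
    "      - uses: actions/checkout@" + "2" * 40 + " # v6.0.2",
    "      - uses: actions/checkout@70379aad1a8b40919ce8b382d3cd7d0315cde1d0 # v6.0.2",
    "      - uses: actions/checkout@v6",
]

if __name__ == "__main__":
    tags = parse_ls_remote_tags(SAMPLE_LS_REMOTE)
    for ln in SAMPLE_WORKFLOW:
        print(f"{check_pin(ln, tags):20s} {ln.strip()}")
```

Against a live repository, feed real `git ls-remote --tags https://github.com/<owner>/<repo>` output to `parse_ls_remote_tags`; a `mismatch` is exactly how a pin that points at a commit outside the upstream repository shows up, and `no-version-comment` pins deserve the same review.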
Any system with Trivy 0.69.4 on it (and being run) can be assumed to be compromised.
More details here: https://www.stepsecurity.io/blog/trivy-compromised-a-second-...
Current GitHub discussion (the old discussion was removed by the attacker): https://github.com/aquasecurity/trivy/discussions/10420
Any recommendations for Trivy alternatives to use while Aqua rebuilds their reputation?
Grype, Clair