The U.S. Cybersecurity and Infrastructure Security Agency has added a critical Aquasecurity Trivy vulnerability to its Known Exploited Vulnerabilities catalog following a targeted supply chain attack.
Key points
- CISA added CVE-2026-33634, which carries a critical CVSS score of 9.3, to its Known Exploited Vulnerabilities catalog.
- Attackers compromised Trivy version 0.69.4 and associated GitHub Actions on March 19, 2026, to facilitate sensitive data theft.
- The breach originated from a supply chain attack that began in late February, allowing unauthorized access through improperly rotated credentials.
- Federal agencies must remediate the vulnerability by the April 9, 2026, deadline mandated by Binding Operational Directive 22-01.
- Security teams are advised to rotate all secrets, audit logs from March 19–20, and pin GitHub Actions to immutable commit hashes.
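An added example, not part of the original article, of the pinning check behind the last point: a Python scan that flags `uses:` references in a GitHub Actions workflow that resolve to a mutable tag or branch rather than a full 40-character commit SHA, and rewrites them once the SHA has been looked up. The sample workflow, action names and SHAs below are constructed placeholders, not the actual compromised or fixed commits.

```python
import re
from typing import Dict, List, Tuple

# A `uses:` reference in a workflow step: owner/repo[/path]@ref (optionally quoted).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"@]+)@([^\s'\"#]+)", re.MULTILINE)
# Only a full 40-hex commit SHA is immutable; a tag or branch can be moved to a malicious commit.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the SHA below is a placeholder, not a real pinned commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - name: Trivy scan
        uses: aquasecurity/trivy-action@master
      - uses: docker://alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""


def find_unpinned_uses(workflow_text: str) -> List[Tuple[str, str]]:
    """Return (action, ref) pairs whose ref is a mutable tag or branch.
    Docker images are pinned by image digest rather than a GitHub SHA, so they are skipped here."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        action, ref = m.group(1), m.group(2)
        if action.startswith("docker://"):
            continue
        if not SHA_RE.match(ref):
            findings.append((action, ref))
    return findings


def pin_uses(workflow_text: str, resolved: Dict[Tuple[str, str], str]) -> str:
    """Rewrite each mutable ref to the commit SHA supplied in `resolved`
    ({(action, ref): sha}), keeping the human-readable tag as a trailing comment."""
    def repl(m):
        action, ref = m.group(1), m.group(2)
        sha = resolved.get((action, ref))
        if sha is None or SHA_RE.match(ref):
            return m.group(0)  # no SHA known, or already pinned: leave the line unchanged
        return m.group(0).replace(f"{action}@{ref}", f"{action}@{sha}  # {ref}")
    return USES_RE.sub(repl, workflow_text)
```

Run `find_unpinned_uses` over every file under `.github/workflows/` in CI so that a newly added tag reference fails the build; the SHA passed to `pin_uses` should come from the action's release you have reviewed, not from whatever the tag currently points at.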
This incident highlights the significant risks posed by supply chain attacks on widely used security tools and the necessity of rigorous credential management. Organizations must act quickly to secure their infrastructure, as compromised binaries and actions can provide attackers with persistent access to sensitive environments.