Experts warn of a \u2018loud and aggressive\u2019 extortion wave following Trivy hack | CyberScoop<\/title> <meta name=\"description\" content=\"Attackers compromised the open-source security tool and published malicious versions of the software. Mandiant warns the fallout could impact up to 10,000 downstream victims.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/trivy-supply-chain-attack-aqua-downstream-extortion-fallout\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Experts warn of a \u2018loud and aggressive\u2019 extortion wave following Trivy hack\"> <meta property=\"og:description\" content=\"Attackers compromised the open-source security tool and published malicious versions of the software. Mandiant warns the fallout could impact up to 10,000 downstream victims.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/trivy-supply-chain-attack-aqua-downstream-extortion-fallout\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-03-24T17:52:21+00:00\"> <meta property=\"article:modified_time\" content=\"2026-03-24T17:52:23+00:00\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/experts-warn-of-a-loud-and-aggressive-extortion-wave-following-trivy-hack-2.jpg\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1773246214g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1772477397g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1773271249g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/88390\"><meta name=\"generator\" content=\"WordPress 6.8.5\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=88390\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Ftrivy-supply-chain-attack-aqua-downstream-extortion-fallout%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Ftrivy-supply-chain-attack-aqua-downstream-extortion-fallout%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-88390 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/trivy-supply-chain-attack-aqua-downstream-extortion-fallout\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.922155688623\">\n<div class=\"single-article__header-content\" readability=\"35.348214285714\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/trivy-supply-chain-attack-aqua-downstream-extortion-fallout\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> Attackers compromised the open-source security tool and published malicious versions of the software. Mandiant warns the fallout could impact up to 10,000 downstream victims. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/88390\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"274\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/experts-warn-of-a-loud-and-aggressive-extortion-wave-following-trivy-hack.jpg?resize=640%2C274&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"Binary code depicted in waves.\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/experts-warn-of-a-loud-and-aggressive-extortion-wave-following-trivy-hack-2.jpg 2644w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/experts-warn-of-a-loud-and-aggressive-extortion-wave-following-trivy-hack-2.jpg?resize=300,129 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/experts-warn-of-a-loud-and-aggressive-extortion-wave-following-trivy-hack-2.jpg?resize=768,329 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/experts-warn-of-a-loud-and-aggressive-extortion-wave-following-trivy-hack-2.jpg?resize=1024,439 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/experts-warn-of-a-loud-and-aggressive-extortion-wave-following-trivy-hack-2.jpg?resize=1536,658 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/experts-warn-of-a-loud-and-aggressive-extortion-wave-following-trivy-hack-2.jpg?resize=2048,878 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/experts-warn-of-a-loud-and-aggressive-extortion-wave-following-trivy-hack-2.jpg?resize=600,257 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/experts-warn-of-a-loud-and-aggressive-extortion-wave-following-trivy-hack-2.jpg?resize=1200,514 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/experts-warn-of-a-loud-and-aggressive-extortion-wave-following-trivy-hack-2.jpg?resize=1500,643 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> Binary code depicted in waves. (iStock\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"48.400997958721\"><body readability=\"99.767801857585\"><\/p>\n<p>SAN FRANCISCO \u2014 Mandiant is responding to a major, ongoing supply-chain attack involving the compromise of Trivy, a widely used open-source tool from Aqua Security that\u2019s designed to find vulnerabilities and misconfigurations in code repositories.<\/p>\n<p>The fallout from the attack spree, which was first detected March 19, is extensive and poses substantial risk for follow-on compromises and threatening extortion attempts. <\/p>\n<p>\u201cWe know over 1,000 impacted SaaS environments right now that are actively dealing with this particular threat campaign,\u201d Charles Carmakal, chief technology officer at Mandiant Consulting said during a threat briefing held in conjunction with the RSAC 2026 Conference. \u201cThat thousand-plus downstream victims will probably expand into another 500, another 1,000, maybe another 10,000.\u201d<\/p>\n<p>Attackers stole a privileged access token and established a foothold in Trivy\u2019s repository automation process by exploiting a misconfiguration in the tool\u2019s GitHub Actions environment in late February, Aqua Security said in a <a href=\"https:\/\/www.aquasec.com\/blog\/trivy-supply-chain-attack-what-you-need-to-know\/\">blog post<\/a>. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>On March 1, the company tried to block an ongoing breach by changing its credentials. They later realized the attempt failed, which allowed the attacker to stay in the system using valid logins. Attackers published malicious releases of Trivy on March 19.<\/p>\n<p>\u201cWhile this activity initially appeared to be an isolated event, it was the result of a broader, multi-stage supply-chain attack that began weeks earlier,\u201d Aqua Security said in the blog post.<\/p>\n<p>By compromising the tool, attackers gained access to secrets for many organizations, Carmakal said. \u201cThere will likely be many other software packages, supply-chain attacks and a variety of other compromises as a result of what\u2019s playing out right now.\u201d<\/p>\n<p>Mandiant expects widespread breach disclosures, follow-on attacks and a variety of downstream impacts to play out over the next several months. <\/p>\n<p>The attackers, which the incident response firm has yet to name, are collaborating with multiple threat groups mostly based in the United States, Canada and United Kingdom. These cybercriminals \u201care known for being exceptionally aggressive with their extortion,\u201d Carmakal said. \u201cThey\u2019re very loud, they\u2019re very aggressive.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Mandiant is still working to identify the root of the initial attack. \u201cWe can\u2019t quite tell how those credentials were stolen, because it is our belief that those credentials were not stolen from that victim\u2019s environment,\u201d Carmakal said. <\/p>\n<p>The credentials were likely stolen from another cloud environment, a business process outsourcer, partner or the personal computer of an engineer, he added. <\/p>\n<p>Aqua said Sygnia, which is investigating the attack and assisting in remediation efforts, identified additional suspicious activity Sunday involving unauthorized changes and repository changes \u2014 activity that is consistent with the attacker\u2019s previously observed behavior.<\/p>\n<p>\u201cThis development suggests that the incident is part of an ongoing and evolving attack, with the threat actor reestablishing access. Our investigation is actively focused on validating that all access paths have been identified and fully closed,\u201d the company said.<\/p>\n<p>Aqua, in its latest update Tuesday, said it is continuing to revoke and rotate credentials across all environments and claimed there is still no indication its commercial products are affected. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Many attackers are currently weaponizing access and likely targeting additional victims, yielding to potential extortion attempts and the compromise of additional software, Carmakal said. <\/p>\n<p>\u201cIt\u2019s going to be a different outcome for a lot of different organizations,\u201d he said. \u201cThis will be a very concentrated focus of the adversaries and their expansion group of partners that they\u2019re collaborating with right now.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.3834586466165\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/experts-warn-of-a-loud-and-aggressive-extortion-wave-following-trivy-hack-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/trivy-supply-chain-attack-aqua-downstream-extortion-fallout\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Experts warn of a \u2018loud and aggressive\u2019 extortion wave following<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6273,282,78,440,646,1073,3288,6254,1813,1866,288,6274],"tags":[6275,286,86,444,650,1076,3290,6259,1814,1868,294,6276],"class_list":["post-8465","post","type-post","status-publish","format-standard","hentry","category-aqua-security","category-cybercrime","category-cybersecurity","category-data-breaches","category-mandiant","category-open-source","category-open-source-software","category-rsac-2026-conference","category-supply-chain","category-supply-chain-attacks","category-threats","category-trivy","tag-aqua-security","tag-cybercrime","tag-cybersecurity","tag-data-breaches","tag-mandiant","tag-open-source","tag-open-source-software","tag-rsac-2026-conference","tag-supply-chain","tag-supply-chain-attacks","tag-threats","tag-trivy"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/aqua-security\/\" rel=\"category tag\">Aqua Security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/data-breaches\/\" rel=\"category tag\">data breaches<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/mandiant\/\" rel=\"category tag\">Mandiant<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/open-source\/\" rel=\"category tag\">open source<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/open-source-software\/\" rel=\"category tag\">open source software<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/rsac-2026-conference\/\" rel=\"category tag\">RSAC 2026 Conference<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/supply-chain\/\" rel=\"category tag\">supply chain<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/supply-chain-attacks\/\" rel=\"category tag\">supply chain attacks<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/trivy\/\" rel=\"category tag\">Trivy<\/a>","tag_info":"Trivy","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8465","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8465"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8465\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8465"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8465"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8465"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8465,"date":"2026-03-24T12:52:21","date_gmt":"2026-03-24T17:52:21","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=88390"},"modified":"2026-03-24T12:52:21","modified_gmt":"2026-03-24T17:52:21","slug":"experts-warn-of-a-loud-and-aggressive-extortion-wave-following-trivy-hack","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/03\/24\/experts-warn-of-a-loud-and-aggressive-extortion-wave-following-trivy-hack\/","title":{"rendered":"Experts warn of a \u2018loud and aggressive\u2019 extortion wave following Trivy hack"},"content":{"rendered":"