Attempts to post the latest Trivy security incident have been marked [dead]
JoshuaDavid
80 points
20 comments
March 21, 2026
Related Discussions
- Cisco source code stolen in Trivy-linked dev environment breach _____k · 22 pts · March 31, 2026 · 59% similar
- Supply Chain Attack on Trivy tiri · 11 pts · March 22, 2026 · 57% similar
- Issue Tracking Is Dead cristinacordova · 28 pts · March 24, 2026 · 50% similar
- Delve removed from YC portfolio website cyrusradfar · 31 pts · April 04, 2026 · 47% similar
- Stryker Hit by Handala – Intune Managed Devices Wiped easyat · 12 pts · March 11, 2026 · 46% similar
Discussion Highlights (3 comments)
JoshuaDavid
Trivy (a very widely-used security scanner) was recently compromised. Anyone who installed the aquasecurity/trivy-action dependency by tag rather than by SHA during a 3-hour period on March 19 was likely compromised. There is a GitHub security advisory at https://github.com/aquasecurity/trivy/security/advisories/GH... 6 separate people have tried to submit this to HN. All of the submissions are marked as [dead]. I am unsure whether this is a malicious action taken by the actors who compromised Trivy or whether it's just the result of prior spam under github.com/aquasecurity, but regardless it is probably not ideal for security advisories to be auto-marked as [dead].
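An added example, not part of JoshuaDavid's comment and not code from the Trivy project: a small Python audit that walks GitHub Actions workflow files and flags every `uses:` reference pinned to a mutable tag or branch instead of a full commit SHA, which is the distinction the comment draws between affected and unaffected installs. The sample workflow, the 40-hex SHA in it, and the function names are constructed for this example.

```python
import re
from pathlib import Path

# Matches a `uses:` line (step or reusable-workflow form) and captures the target,
# stopping at whitespace, quotes or a trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)', re.M)
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')            # immutable git commit
DIGEST_RE = re.compile(r'^sha256:[0-9a-f]{64}$')       # immutable OCI image digest

# Constructed sample workflow (not a real project file). The 40-hex SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""


def classify(target):
    """Classify one `uses:` target as 'local', 'sha', 'digest' or 'mutable'.

    Local actions (./path) live in the same checkout, so they carry no ref.
    A tag or branch name can be moved after publication; only a full commit
    SHA (or an image digest for docker:// targets) is immutable.
    """
    if target.startswith('./'):
        return 'local'
    action, _, ref = target.partition('@')
    if action.startswith('docker://'):
        return 'digest' if DIGEST_RE.match(ref) else 'mutable'
    return 'sha' if FULL_SHA_RE.match(ref) else 'mutable'


def audit_workflow(text):
    """Return (action, ref, status) for every `uses:` target in a workflow body."""
    findings = []
    for m in USES_RE.finditer(text):
        target = m.group(1)
        action, _, ref = target.partition('@')
        findings.append((action, ref, classify(target)))
    return findings


def mutable_pins(text):
    """Return only the (action, ref) pairs that are pinned by a mutable tag or branch."""
    return [(a, r) for a, r, status in audit_workflow(text) if status == 'mutable']


def audit_repo(root='.'):
    """Scan every workflow under <root>/.github/workflows and map path -> mutable pins."""
    results = {}
    for path in sorted(Path(root, '.github', 'workflows').glob('*.y*ml')):
        hits = mutable_pins(path.read_text(encoding='utf-8'))
        if hits:
            results[str(path)] = hits
    return results


if __name__ == '__main__':
    # Stand-alone run: audit the constructed sample, then the current repository (if any).
    for action, ref, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f'{status:8} {action}@{ref}')
    for path, hits in audit_repo().items():
        for action, ref in hits:
            print(f'{path}: {action}@{ref} is not pinned to a commit SHA')
```

Run it from a repository root to list every workflow step that would silently pick up a retagged release; pinning those to the commit SHA you reviewed (and letting a dependency-update bot bump the SHA with a diff you can read) is the mitigation the comment's tag-versus-SHA distinction points at.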
mtmail
Looks like the repository URL was marked [dead] for several years; I can't tell why. Best to email the moderator (link in footer). Big security stories often get republished, one might say reviewed and filtered. For this story I see opensourcemalware.com (https://news.ycombinator.com/item?id=47449498), stepsecurity.io (https://news.ycombinator.com/item?id=47451081), arstechnica.com (https://news.ycombinator.com/item?id=47464996) and 4 others.
tptacek
You should just mail hn@ycombinator.com about this stuff. Or: write a short blog post about it, and post that, on your (different) domain.