A critical supply chain attack has compromised the Trivy vulnerability scanner, injecting malware designed to steal credentials into official releases and GitHub Actions workflows. This breach has significant implications, as Trivy is widely used in thousands of continuous integration and continuous deployment (CI/CD) workflows. The attackers exploited insecure GitHub Actions to gain access to the Trivy project, allowing them to distribute the tainted releases. The compromised versions of Trivy can trigger a cascade of additional supply-chain compromises if affected projects and organizations fail to rotate their secrets promptly. The incident highlights the importance of securing CI/CD pipelines and regularly reviewing dependencies for signs of tampering. This attack matters to practitioners because it underscores the need for immediate action to mitigate potential damage and prevent further supply-chain attacks.
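As an added example (not code from the page or from the Trivy project), the following stdlib-only script does one of the dependency reviews the paragraph calls for: it walks a GitHub Actions workflow and lists every `uses:` reference that points at a mutable tag or branch instead of a full commit SHA, so a hijacked release tag cannot silently swap the action's code. The workflow text and the action names in it (`example-org/...`) are constructed placeholders, not the real Trivy action or any real repository; the script generalises to any third-party action, with an optional name filter for the one under investigation. SHA pinning limits how a compromised tag propagates into a pipeline; it does not replace rotating secrets that a compromised scanner may already have read.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches "uses: owner/repo@ref" (with or without a leading list dash / quotes).
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
# A full 40-hex commit SHA is the only immutable reference for a GitHub action.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


@dataclass
class ActionRef:
    line: int            # 1-based line number in the workflow file
    action: str          # e.g. "example-org/trivy-action"
    ref: Optional[str]   # what follows "@", or None if absent
    pinned: bool         # True only when ref is a full commit SHA


def parse_uses(workflow_text: str) -> List[ActionRef]:
    """Extract every remote action reference from a workflow file's text."""
    refs = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        value = m.group(1)
        # Local actions and docker:// images are out of scope for tag pinning.
        if value.startswith("./") or value.startswith("docker://"):
            continue
        action, _, ref = value.partition("@")
        pinned = bool(ref) and SHA_RE.match(ref) is not None
        refs.append(ActionRef(n, action, ref or None, pinned))
    return refs


def unpinned(workflow_text: str, name_filter: Optional[str] = None) -> List[ActionRef]:
    """Return references that float on a tag/branch (or have no ref at all).

    name_filter, if given, restricts the result to actions whose name contains it,
    e.g. "trivy" to review only the scanner's own action.
    """
    return [
        r for r in parse_uses(workflow_text)
        if not r.pinned and (name_filter is None or name_filter in r.action)
    ]


# Constructed sample workflow; the action names are placeholders, not real repositories.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Scan image
        uses: example-org/trivy-action@v0   # mutable tag: follows whatever v0 points at
        with:
          image-ref: example/app:latest
      - uses: example-org/notify@main
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for r in unpinned(SAMPLE_WORKFLOW):
        print(f"line {r.line}: {r.action}@{r.ref} is not pinned to a commit SHA")
```

Run it against each file under `.github/workflows/`; every line it prints is a place where a tag or branch move upstream would change what the pipeline executes.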