Seventy-five of 76 version tags of aquasecurity/trivy-action and 7 tags of setup-trivy were force-pushed with a Python infostealer that exfiltrates cloud credentials, SSH keys, and Kubernetes tokens from CI/CD runners, constituting a critical supply chain compromise with no associated CVE. Any pipeline that references an affected tag by its mutable name (a tag or branch) rather than by a pinned commit SHA should be treated as having executed the malicious payload, with every secret reachable from that job considered compromised. Immediate action requires auditing workflow files for unpinned references, rotating all CI/CD secrets that were accessible during the exposure window, and enforcing a SHA-pinning policy across all third-party GitHub Actions going forward.
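The audit step above can be scripted. The following is an added example written for this page, not code from the advisory or from the Trivy project: a POSIX shell function that scans GitHub Actions workflow files and reports every `uses:` reference whose ref after `@` is not a full 40-hex commit SHA. The sample workflow it writes is constructed for the demonstration (the all-zero SHA is a placeholder, and the action names and versions are illustrative, not a real project's file).

```shell
#!/bin/sh
# Added example (not from the advisory): find third-party actions referenced
# by a mutable tag or branch instead of a pinned 40-hex commit SHA.

# find_unpinned_uses FILE...
# Prints "file:line: <uses ref>" for each step whose ref is not a
# 40-character lowercase hex commit SHA. Local actions (./path) and
# docker:// images are skipped. Exits 1 if anything unpinned was found.
find_unpinned_uses() {
  awk '
    /^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/ {
      ref = $0
      sub(/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/, "", ref)  # keep the value only
      sub(/[[:space:]]*#.*$/, "", ref)                              # drop trailing comment
      gsub(/["'\'']/, "", ref)                                       # drop surrounding quotes
      if (ref ~ /^\.\//) next                                       # local action in this repo
      if (ref ~ /^docker:\/\//) next                                # container image reference
      n = split(ref, parts, "@")
      sha = (n >= 2) ? parts[n] : ""
      if (length(sha) != 40 || sha !~ /^[0-9a-f]+$/) {
        printf "%s:%d: %s\n", FILENAME, FNR, ref
        found = 1
      }
    }
    END { exit found ? 1 : 0 }' "$@"
}

# write_sample_workflow PATH
# Writes a constructed workflow mixing SHA-pinned, tag-pinned, branch-pinned,
# local and docker references. The 40-zero SHA is a placeholder, not a real commit.
write_sample_workflow() {
  cat > "$1" <<'EOF'
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0000000000000000000000000000000000000000 # placeholder SHA
      - name: Run Trivy
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
      - uses: "aquasecurity/setup-trivy@v0.2.0"
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
EOF
}

# Usage: sh audit_uses.sh .github/workflows/*.yml
if [ "$#" -gt 0 ]; then
  find_unpinned_uses "$@"
fi
```

Run against the sample, the function reports the `checkout@v4`, `trivy-action@master` and `setup-trivy@v0.2.0` steps and exits non-zero, while the SHA-pinned, local and `docker://` steps pass; wiring the non-zero exit into a required CI check is one way to enforce the pinning policy rather than rely on periodic manual review.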