Aqua Security Trivy is affected by two overlapping items this period: CVE-2026-33634, a confirmed CISA KEV supply chain compromise via mutable container image tag abuse (CVSS 9.8, EPSS 96th percentile), and the TeamPCP campaign (SCC-CAM-2026-0121), which independently trojanized Trivy as part of a multi-tool supply chain attack. Organizations running Trivy in CI/CD pipelines should treat any pipeline that pulled a Trivy image during the exposure window as compromised and rotate all associated credentials immediately. Pin all Trivy image references to verified SHA-256 digests and implement image signature verification before resuming automated pipeline operations.
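One way to audit pipeline files against the digest-pinning recommendation above, as an added example that is not code from Aqua Security or from this advisory: it flags Trivy image references that use a mutable tag, no tag, or a malformed digest. The repository names `aquasec/trivy` and `aquasecurity/trivy`, the sample pipeline lines, and the digest value are assumptions constructed for illustration.

```python
import re

# Repositories to check (assumed names; extend for internal mirrors).
TRIVY_REPOS = ("aquasec/trivy", "aquasecurity/trivy")
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/:@-]*")
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

def split_ref(ref):
    """Split an image reference into (repository, tag, digest)."""
    name, _, digest = ref.partition("@")
    # A colon marks a tag only in the last path segment; an earlier one
    # belongs to a registry port such as registry.example:5000.
    head, slash, last = name.rpartition("/")
    last, _, tag = last.partition(":")
    return head + slash + last, tag, digest

def classify(ref):
    """Return 'pinned', 'bad-digest' or 'mutable' for one reference."""
    digest = split_ref(ref)[2]
    if not digest:
        return "mutable"  # tag only, or no tag at all (implicit :latest)
    return "pinned" if DIGEST_RE.fullmatch(digest) else "bad-digest"

def find_unpinned(text, repos=TRIVY_REPOS):
    """List (line number, reference, status) for each unpinned Trivy image."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip comment-only lines
        for tok in TOKEN_RE.findall(line):
            repo = split_ref(tok)[0]
            if any(repo == r or repo.endswith("/" + r) for r in repos):
                status = classify(tok)
                if status != "pinned":
                    findings.append((lineno, tok, status))
    return findings

# Constructed sample; the digest and version are placeholders, not real values.
FAKE_DIGEST = "sha256:" + "0" * 64
SAMPLE = f"""\
image: aquasec/trivy:latest
image: ghcr.io/aquasecurity/trivy:0.0.0@{FAKE_DIGEST}
run: docker run --rm registry.example:5000/aquasec/trivy image myapp
image: docker.io/aquasec/trivy@sha256:abc123
"""

if __name__ == "__main__":
    for lineno, ref, status in find_unpinned(SAMPLE):
        print(f"line {lineno}: {ref} -> {status}")
```

This check confirms only the form of each reference; the digest itself still has to be verified against a trusted source, and signature verification remains a separate step.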