Aqua Security’s Trivy vulnerability scanner was trojanized as part of the coordinated supply chain attack attributed to TeamPCP (UNC6780), embedding a credential-harvesting backdoor into a security tool used in CI/CD pipelines across thousands of organizations. CVE-2026-33634 (CVSS 9.5) is assigned to this compromise; its CISA KEV status is flagged as conflicting between the structured data (false) and the technical narrative, and should be cross-validated directly against the CISA KEV catalog before it is treated as confirmed. Organizations should immediately identify Trivy versions executed during March 2026, upgrade to the version designated clean in GHSA-69fq-xp46-6x23, and re-provision any CI/CD runners that executed the compromised scanner rather than attempting in-place remediation.
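
The inventory step above, as an added example (not code from Aqua Security or the advisory): it scans CI log text for Trivy invocations inside the March 2026 window and groups the referenced versions by runner, so each one can be compared against the advisory. The log layout, runner names and version strings (`X.Y.Z`, `vA.B.C`) are constructed placeholders, and the function name is hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Exposure window taken from the advisory text: Trivy runs during March 2026 (UTC).
WINDOW_START = datetime(2026, 3, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 1, tzinfo=timezone.utc)

# Common ways a pipeline pulls in Trivy: container image, GitHub Action, bare binary.
TRIVY_REF = re.compile(
    r"(?P<kind>aquasec/trivy|aquasecurity/trivy-action)[:@](?P<ref>[\w.\-]+)"
    r"|\btrivy\s+(?:image|fs|repo|config|sbom|k8s)\b"
)

# Assumed log layout (constructed for this example): "<ISO-8601 time> <runner> <message>"
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<runner>\S+)\s+(?P<msg>.*)$")

SAMPLE_LOG = """\
2026-02-27T10:02:11Z runner-a docker run aquasec/trivy:X.Y.Z image app:latest
2026-03-04T08:15:40Z runner-a uses: aquasecurity/trivy-action@vA.B.C
2026-03-09T13:44:02Z runner-b trivy fs --exit-code 1 .
2026-03-12T09:00:00Z runner-c npm ci
2026-04-02T07:30:19Z runner-d docker run aquasec/trivy:X.Y.Z image app:latest
not a log line
"""

def runners_to_reprovision(log_text):
    """Map runner -> sorted Trivy refs seen in the window ('unknown' if no tag is logged)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        except ValueError:
            continue  # first field is not a timestamp: skip the malformed line
        if ts.tzinfo is None:
            ts = ts.replace(tzinfo=timezone.utc)  # assumption: naive times are UTC
        t = TRIVY_REF.search(m["msg"])
        if t and WINDOW_START <= ts < WINDOW_END:
            hits[m["runner"]].add(t["ref"] or "unknown")
    return {runner: sorted(refs) for runner, refs in hits.items()}

if __name__ == "__main__":
    print(runners_to_reprovision(SAMPLE_LOG))
```

A runner reported with `unknown` ran a Trivy binary whose version the log does not record, so it cannot be cleared by version comparison alone.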