The Trivy v0.69.4 supply chain compromise and the hijacking of trivy-action GitHub release tags (75 of 76 tags affected) constitute a critical-severity credential-harvesting campaign against CI/CD pipelines. Any pipeline that executed trivy-action from a compromised tag should be treated as having exposed every secret reachable from the build runner to the threat actor, including cloud provider credentials, SSH keys, API tokens, and CI/CD platform secrets. The exposure is not limited to secrets the Trivy step itself referenced: a malicious action runs as the same OS user as the runner process that holds the job's secrets, so anything the job could use, the action could read. No CVE has been assigned. Organizations should immediately rotate all secrets from affected build environments, audit pipeline logs for anomalous outbound connections during Trivy execution steps, and re-pin trivy-action. Because the compromise worked by moving mutable tags, pinning to a tag name, even the one confirmed clean, does not prevent a repeat; pin to the full 40-character commit SHA of a release verified clean, and treat any `uses:` reference to a tag or branch as unpinned. A separate CanisterWorm npm campaign that uses ICP decentralized canisters as C2 infrastructure was reported in the same cycle and may warrant its own npm dependency audit.
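The following is an added example, not code from the page or from the trivy-action project, showing the check a practitioner would run over workflow files after an incident like this: it finds every `uses:` reference to a remote action that is pinned to a tag or branch rather than a full commit SHA. It generalizes beyond trivy-action to any action, since any mutable tag is exposed to the same hijack. The sample workflow is constructed for the example, and the 40-hex-character SHA in it is a placeholder, not a real trivy-action commit.

```python
"""Flag GitHub Actions `uses:` references that are pinned to a mutable ref.

Constructed example; the workflow text and commit SHA below are made up
and do not come from any real repository or the trivy-action project.
"""
import re
from typing import List, Tuple

# A full-length git commit SHA is the only immutable reference for a remote action.
_SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
# Matches `uses: <ref>` on a step line; [^\s#] stops at whitespace or a trailing comment.
_USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")

# Constructed sample workflow (not from a real repo). The SHA is a placeholder hex string.
SAMPLE_WORKFLOW = """
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Trivy pinned to a mutable tag (the kind of reference the hijack abused)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - name: Trivy pinned to a full commit SHA (placeholder value)
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # 0.28.0
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-action
      - uses: docker://alpine:3.19
"""


def is_sha_pinned(ref: str) -> bool:
    """True if ref is a full 40-hex-character commit SHA."""
    return bool(_SHA_RE.match(ref))


def find_unpinned_uses(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, action, ref) for every remote action not pinned to a commit SHA.

    Local actions (./path) and docker:// images are skipped: they are not
    resolved through GitHub tags and need a different integrity check.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = _USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        # owner/repo[/path]@ref; a missing @ref is reported as unpinned too.
        action, sep, ref = target.rpartition("@")
        if not sep:
            action, ref = target, ""
        if not is_sha_pinned(ref):
            findings.append((line_no, action, ref))
    return findings


def trivy_action_refs(workflow_text: str) -> List[str]:
    """Mutable refs (tags/branches) used for aquasecurity/trivy-action in the workflow."""
    return [ref for _, action, ref in find_unpinned_uses(workflow_text)
            if action == "aquasecurity/trivy-action"]


if __name__ == "__main__":
    for line_no, action, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref or '<none>'} is not pinned to a commit SHA")
```

Run it over each file under `.github/workflows/` in every repository; any hit for `aquasecurity/trivy-action` marks a pipeline whose secrets should be rotated, and every hit, for any action, is a reference to replace with a verified commit SHA.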