Aqua Security Trivy has been confirmed compromised via a supply chain attack replacing trusted container image tags with malicious versions that harvest credentials at runtime — cloud keys, SSH keys, API tokens, and database passwords — from any CI/CD pipeline environment where the tampered image executes. CISA has added CVE-2026-33634 to the KEV catalog with a remediation deadline of April 9, 2026, confirming active exploitation. Immediate actions: suspend all Trivy pipeline executions using mutable tags, rotate all credentials accessible in affected runner environments, and enforce digest-pinned image references before resuming automated scans.