CVE-2026-33634 is a Critical (CVSS 9.4) supply chain compromise involving the Aqua Security Trivy ecosystem.
On March 19, 2026, threat actors used compromised credentials to publish malicious versions of the Trivy binary and hijack GitHub Action tags.
The primary impact is the exfiltration of CI/CD secrets (AWS/GCP/Azure keys, Kubernetes tokens, SSH keys, and database credentials) from the runner environment.
Environment
2.5.x
Cause
The root cause is a supply chain attack by a threat actor (identified as "TeamPCP") who gained access to Aqua Security's release credentials.
The credential rotation performed after an earlier February incident was not atomic, so the attacker was able to exfiltrate the newly rotated secrets, retain access, and use it to carry out the March 19 attack.
Resolution
VMware By Broadcom is aware of CVE-2026-33634.
Please refer to the release notes for existing and forthcoming product releases for any updates in relation to this CVE.
Should you require further information please contact Broadcom Support.