{"id":60370,"date":"2026-03-25T00:03:03","date_gmt":"2026-03-25T00:03:03","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=146118"},"modified":"2026-03-25T00:03:03","modified_gmt":"2026-03-25T00:03:03","slug":"guidance-for-detecting-investigating-and-defending-against-the-trivy-supply-chain-compromise","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/guidance-for-detecting-investigating-and-defending-against-the-trivy-supply-chain-compromise\/","title":{"rendered":"Guidance for detecting, investigating, and defending against the Trivy supply chain compromise"},"content":{"rendered":"<p class=\"wp-block-paragraph\">On March 19, 2026, Trivy, Aqua Security\u2019s widely used open-source vulnerability scanner, <a href=\"https:\/\/www.stepsecurity.io\/blog\/trivy-compromised-a-second-time---malicious-v0-69-4-release\" type=\"link\" id=\"https:\/\/www.stepsecurity.io\/blog\/trivy-compromised-a-second-time---malicious-v0-69-4-release\">was reported to have been compromised<\/a> in a sophisticated CI\/CD-focused supply chain attack. Threat actors leveraged access from a prior incident that had not been fully remediated to inject credential-stealing malware into official Trivy releases. The attack simultaneously compromised the core scanner binary, the trivy-action GitHub Action, and the setup-trivy GitHub Action, weaponizing trusted security tooling against the organizations relying on it.<\/p>\n<p class=\"wp-block-paragraph\">The campaign, attributed to the threat actor identifying as TeamPCP, introduces several concerning techniques. 
This blog walks through the Trivy supply chain attack and explains how Microsoft Defender helps organizations detect, investigate, and respond to this incident.<\/p>\n<p class=\"wp-block-paragraph\">This activity has since expanded to additional frameworks, including Checkmarx KICS and LiteLLM, with further details to be shared as the investigation continues.<\/p>\n<h2 class=\"wp-block-heading\" id=\"analyzing-the-trivy-supply-chain-compromise\">Analyzing the Trivy supply chain compromise<\/h2>\n<p class=\"wp-block-paragraph\">The activity on March 19 represents the execution phase of the campaign, where previously established access was used to weaponize trusted Trivy distribution channels:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Poisoning GitHub Actions used in CI\/CD pipelines: <\/strong>Using compromised credentials with tag write access, the attacker force-pushed 76 of 77 version tags in aquasecurity\/trivy-action and all 7 tags in aquasecurity\/setup-trivy, redirecting existing, trusted version references to malicious commits. 
This caused downstream workflows to execute attacker-controlled code without any visible change to release metadata.<\/li>\n<li class=\"wp-block-list-item\"><strong>Publishing a malicious Trivy binary:<\/strong> In parallel, the attacker triggered release automation to publish an infected Trivy binary (v0.69.4) to official distribution channels, including GitHub Releases and container registries, exposing both CI\/CD environments and developer machines to credential theft and persistence.<\/li>\n<li class=\"wp-block-list-item\"><strong>Maintaining stealth and impact window:<\/strong> Both the compromised GitHub Actions and the malicious binary were designed to execute credential-harvesting logic in addition to the legitimate Trivy functionality, allowing workflows and scans to appear successful while secrets were exfiltrated.<\/li>\n<li class=\"wp-block-list-item\"><strong>Attack containment by maintainers: <\/strong>Later that day, the Trivy team identified the compromise and removed malicious artifacts from distribution channels, ending the active propagation phase.<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\" id=\"how-github-s-design-was-abused-in-the-attack\"><strong>How GitHub\u2019s design was abused in the attack<\/strong><\/h3>\n<p class=\"wp-block-paragraph\">This attack exploited two aspects of how Git and GitHub operate by design: mutable tags and self-declared commit identity, turning expected platform behavior into an advantage for the attacker.<\/p>\n<p class=\"wp-block-paragraph\">In Git, a tag is a label that maps to a specific commit in the repository\u2019s history. By default, these references are not immutable \u2013 anyone with push access can reassign an existing tag to point to an entirely different commit. The attacker did exactly that, replacing the target commit behind 76 of 77 tags in <em>trivy-action<\/em> and all 7 in <em>setup-trivy<\/em> with commits containing malicious payloads. 
Every CI\/CD pipeline that referenced these actions by tag name began running the attacker\u2019s code on its next execution, with no visible change on GitHub to alert maintainers or consumers.<\/p>\n<p class=\"wp-block-paragraph\">In addition, the threat actor spoofed the identity of the commit, similar to the persona impersonation tactics seen in the <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/12\/09\/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack\/\">Shai-Hulud 2.0 campaign<\/a>.<\/p>\n<h3 class=\"wp-block-heading\" id=\"exploitation-details\">Exploitation details<\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Defender for Cloud observed the full attack chain in compromised self-hosted GitHub Actions runners.<\/p>\n<p class=\"wp-block-paragraph\">Upon execution, the entry point performed&nbsp;process discovery&nbsp;to locate runner processes (Runner.Worker,&nbsp;Runner.Listener), then inspected them to identify processes carrying secrets. A&nbsp;base64-encoded Python payload&nbsp;was then decoded and executed to handle the credential harvesting phase.<\/p>\n<p class=\"wp-block-paragraph\">The Python stealer first fingerprinted the host (\u201c<em>hostname\u201d,&nbsp;\u201cwhoami\u201d,&nbsp;\u201cuname -a\u201d,&nbsp;\u201cip addr\u201d<\/em>) and dumped all environment variables (via&nbsp;\u201c<em>printenv\u201d)<\/em>. 
It then conducted broad-spectrum credential harvesting that reveals the attacker\u2019s interest in maximizing the value of each compromised runner:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Cloud credentials<\/strong>: For each major cloud provider, the stealer combined environment variable extraction with deeper credential access attempts:\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>AWS<\/strong>: Harvested environment variables (<code>grep AWS_<\/code>), then queried both the ECS task metadata endpoint (<code>169.254.170.2<\/code>) and the EC2 instance metadata service (<code>169.254.169.254<\/code>) for IAM credentials.<\/li>\n<li class=\"wp-block-list-item\"><strong>GCP<\/strong>: Harvested environment variables (<code>grep -i google<\/code>, <code>grep -i gcloud<\/code>) and attempted to read the service account key file referenced by <code>$GOOGLE_APPLICATION_CREDENTIALS<\/code>.<\/li>\n<li class=\"wp-block-list-item\"><strong>Azure<\/strong>: Harvested environment variables (<code>grep -i azure<\/code>).<\/li>\n<\/ul>\n<\/li>\n<li class=\"wp-block-list-item\"><strong>Kubernetes secrets<\/strong>: Enumeration and exfiltration of mounted service-account files (under <em>\u201c\/run\/secrets\/kubernetes.io\/serviceaccount\/\u201d<\/em>), and an attempt to dump all cluster secrets with the Kubernetes CLI (<em>\u201ckubectl get secrets --all-namespaces -o json\u201d<\/em>).<\/li>\n<li class=\"wp-block-list-item\"><strong>CI\/CD and application secrets<\/strong>: Reading the runner\u2019s internal environment files, recursive filesystem searches for API keys and tokens in \u201c.env\u201d, \u201c.json\u201d, \u201c.yml\u201d, and \u201c.yaml\u201d files, and harvesting of Slack and Discord webhook URLs.<\/li>\n<li 
class=\"wp-block-list-item\"><strong>Infrastructure and access<\/strong>: Extraction of WireGuard VPN configurations (<em>\u201cwg showconf all\u201d<\/em>), SSH authentication logs (<em>\u201c\/var\/log\/auth.log\u201d<\/em>, <em>\u201c\/var\/log\/secure\u201d<\/em>), and database connection strings (MySQL, PostgreSQL, MongoDB, Redis, Vault).<\/li>\n<li class=\"wp-block-list-item\"><strong>Cryptocurrency<\/strong>: Searches for Solana wallet variables and RPC authentication credentials (rpcuser,&nbsp;rpcpassword).<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">The stolen data was then encrypted using a hybrid AES-256-CBC + RSA scheme and bundled into a&nbsp;<em>tpcp.tar.gz<\/em>&nbsp;archive, then&nbsp;exfiltrated via HTTP POST&nbsp;to the typosquatted domain&nbsp;<em>scan.aquasecurtiy[.]org<\/em>.<\/p>\n<p class=\"wp-block-paragraph\">After exfiltration, the malware&nbsp;cleaned up&nbsp;all temporary files and launched the&nbsp;legitimate Trivy scan. The workflow completed successfully with expected output, masking the compromise from pipeline operators.<\/p>\n<h2 class=\"wp-block-heading\" id=\"detection-and-investigation\">Detection and investigation<\/h2>\n<p class=\"wp-block-paragraph\">Microsoft Defender XDR customers can refer to the list of applicable detections below. 
Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.<\/p>\n<p class=\"wp-block-paragraph\">Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Tactic<\/strong><\/td>\n<td><strong>Observed activity<\/strong><\/td>\n<td><strong>Microsoft Defender coverage<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Credential access<\/td>\n<td>Access to the IMDS endpoint in cloud resources to steal cloud tokens<\/td>\n<td><strong>Microsoft Defender for Cloud:<\/strong><br \/>\u2013 Access to cloud metadata service detected<\/td>\n<\/tr>\n<tr>\n<td>Credential access<\/td>\n<td>Secret reconnaissance on containers serving as CI\/CD runners<\/td>\n<td><strong>Microsoft Defender for Cloud:<\/strong><br \/>\u2013 Possible Secret Reconnaissance Detected<br \/><strong>Microsoft Defender for Endpoint:<\/strong><br \/>\u2013 Kubernetes Secrets Enumeration Indicative of Credential Access<\/td>\n<\/tr>\n<tr>\n<td>Command and control<\/td>\n<td>DNS query to a domain name identified as suspicious by Microsoft Threat Intelligence, including the scan[.]aquasecurtiy[.]org domain (and others)<\/td>\n<td><strong>Microsoft Defender for Identity:<\/strong><br \/>\u2013 Suspicious DNS query from a device in the organization<br \/><strong>Microsoft Defender for Endpoint:<\/strong><br \/>\u2013 Suspicious connection blocked by network protection<br \/>\u2013 Suspicious activity linked to an emerging threat actor has been detected<br \/>\u2013 Connection to a custom network indicator<\/td>\n<\/tr>\n<tr>\n<td>Exfiltration<\/td>\n<td>Malicious exfiltration activity performed by the infected Trivy version<\/td>\n<td><strong>Microsoft Defender for Cloud:<\/strong><br \/>\u2013 Malicious commands from TeamPCP supply chain attack detected<br \/><strong>Microsoft Defender for Endpoint:<\/strong><br \/>\u2013 Possible data exfiltration using curl<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h2 class=\"wp-block-heading\" id=\"mitigation-and-protection-guidance-1\">Mitigation and protection guidance<\/h2>\n<p class=\"wp-block-paragraph\">The recent compromise affecting Trivy and related GitHub Actions highlights how attackers increasingly target CI\/CD pipelines, trusted developer tooling, and software supply chains. In this campaign, adversaries exploited insecure workflow configurations, abused trusted version tags, and leveraged stolen credentials to distribute malicious artifacts and exfiltrate secrets.<\/p>\n<p class=\"wp-block-paragraph\">Microsoft Defender recommends that organizations adopt the following preventative measures to reduce exposure to similar attacks.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Immediately update to safe versions<\/strong>: Ensure all workflows are running verified safe versions:<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Component<\/strong><\/td>\n<td><strong>Safe version<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Trivy binary<\/td>\n<td>v0.69.2 \u2013 v0.69.3<\/td>\n<\/tr>\n<tr>\n<td>trivy-action<\/td>\n<td>v0.35.0<\/td>\n<\/tr>\n<tr>\n<td>setup-trivy<\/td>\n<td>v0.2.6<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\"><strong>Harden CI\/CD pipelines against supply chain attacks<\/strong><\/p>\n<p class=\"wp-block-paragraph\">Pin all third-party actions to immutable references:<\/p>\n<ul 
class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Pin GitHub Actions to commit SHA rather than version tags (e.g., @v1), as tags can be force-modified by attackers.&nbsp;&nbsp;<\/li>\n<li class=\"wp-block-list-item\">Regularly audit workflows for tag-based references;&nbsp;replace them with verified SHAs.&nbsp;&nbsp;<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Restrict action usage through policy controls:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Use organization-level policies to allow only approved actions.&nbsp;&nbsp;<\/li>\n<li class=\"wp-block-list-item\">Block unverified or newly introduced external actions by default.&nbsp;&nbsp;<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\"><strong>Enforce least privilege and strong identity controls&nbsp;&nbsp;<\/strong><\/p>\n<p class=\"wp-block-paragraph\">Minimize token and permission scope:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Configure GITHUB_TOKEN and other credentials with minimum required permissions.&nbsp;&nbsp;<\/li>\n<li class=\"wp-block-list-item\">Avoid granting&nbsp;write&nbsp;permissions unless strictly necessary.&nbsp;&nbsp;<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\"><strong>Protect secrets and sensitive data in pipelines&nbsp;&nbsp;<\/strong><\/p>\n<p class=\"wp-block-paragraph\">Eliminate&nbsp;implicit secret exposure:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Avoid injecting secrets into environment variables when not&nbsp;required.&nbsp;&nbsp;<\/li>\n<li class=\"wp-block-list-item\">Store secrets in dedicated secret managers and retrieve them&nbsp;just-in-time.&nbsp;&nbsp;<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Disable credential persistence on runners:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Ensure credentials&nbsp;are not persisted&nbsp;to disk or reused across jobs.&nbsp;&nbsp;<\/li>\n<li class=\"wp-block-list-item\">Use ephemeral runners or clean environments 
to prevent cross-job secret leakage.&nbsp;<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\"><strong>Reduce lateral movement risk through Attack Path analysis<\/strong><\/p>\n<p class=\"wp-block-paragraph\">Organizations can reduce the risk of credential-driven lateral movement by leveraging <a href=\"https:\/\/learn.microsoft.com\/en-us\/security-exposure-management\/work-attack-paths-overview\">attack path analysis in Microsoft Defender<\/a>. This capability provides visibility into how identities, secrets, misconfigurations and resources are interconnected across the environment. By continuously analyzing these relationships, Defender identifies attack paths involving leaked or overprivileged secrets, including those used in CI\/CD pipelines.<\/p>\n<p class=\"wp-block-paragraph\">Security teams can use these insights to proactively remediate risk by removing excessive permissions, rotating credentials, and segmenting access, effectively limiting how far an attacker could move if a pipeline or token is compromised.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Assess blast radius using Advanced Hunting<\/strong><\/p>\n<p class=\"wp-block-paragraph\">The Exposure Management graph provides a unified representation of organizational assets and their relationships, including identities, endpoints, cloud resources and secrets.&nbsp; This graph is also exposed to customers through Advanced Hunting in Microsoft Defender, enabling programmatic exploration of these connections.<\/p>\n<p class=\"wp-block-paragraph\">Using Advanced Hunting, security teams can query this graph to assess the potential blast radius of any given node, such as a leaked CI\/CD secret or compromised identity. 
By understanding which assets are reachable through existing permissions and trust relationships, organizations can prioritize remediation of the most critical exposure paths.<\/p>\n<p class=\"wp-block-paragraph\">Additional examples and query patterns are available <a href=\"https:\/\/techcommunity.microsoft.com\/blog\/microsoft-security-blog\/microsoft-security-exposure-management-graph-unveiling-the-power\/4148546\">here<\/a> and in the Advanced hunting queries section below.<\/p>\n<h2 class=\"wp-block-heading\" id=\"advanced-hunting-queries\">Advanced hunting queries<\/h2>\n<p class=\"wp-block-paragraph\"><strong>CloudProcessEvents query to identify malicious commands originating from the recent TeamPCP supply-chain attacks<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nCloudProcessEvents\n| where ProcessCommandLine has_any ('scan.aquasecurtiy.org', '45.148.10.212', 'plug-tab-protective-relay.trycloudflare.com', 'tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io', 'checkmarx.zone', '\/tmp\/runner_collected_', 'tpcp.tar.gz')\n    or (ParentProcessName == 'entrypoint.sh' and ProcessCommandLine has 'grep -qiE (env|ssh)')\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Kubernetes secrets enumeration<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nDeviceProcessEvents\n| where FileName == \"bash\"\n| where InitiatingProcessFileName != \"claude\"\n| where InitiatingProcessParentFileName != \"claude\"\n| where ProcessCommandLine !contains \"claude\"\n| where ProcessCommandLine has_all (\"kubectl get secrets \", \" --all-namespaces \", \" -o json \", \" || true\")\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Google Cloud credential enumeration<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nDeviceProcessEvents\n| where FileName == 'dash'\n| where InitiatingProcessCommandLine == 'python3'\n| where ProcessCommandLine has_all ('$GOOGLE_APPLICATION_CREDENTIALS', 'cat', '2&gt;\/dev\/null')\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Exfiltration via curl from a Trivy process<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nDeviceProcessEvents\n| where FileName == \"curl\"\n| where InitiatingProcessCommandLine contains \"trivy-action\"\n| where ProcessCommandLine contains \" POST \"\n| where ProcessCommandLine contains \" --data-binary\"\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Typosquatted C2 domain in command line<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nCloudProcessEvents\n| where ProcessCommandLine has_any (\n    \/\/ Typosquatted C2 domain\n    \"scan.aquasecurtiy.org\", \"aquasecurtiy.org\",\n    \/\/ C2 IP\n    \"45.148.10.212\")\n| project Timestamp, KubernetesPodName, KubernetesNamespace, AzureResourceId, ContainerName, ContainerId, ContainerImageName, ProcessName, ProcessCommandLine, ParentProcessName, FileName\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>OpenSSL-based encryption operations<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nCloudProcessEvents\n| where ProcessName == \"openssl\"\n    and ProcessCommandLine has_any (\"enc -aes-256-cbc\", \"enc -aes-256\")\n    and ProcessCommandLine has \"-pass file:\"\n| project Timestamp, KubernetesPodName, KubernetesNamespace, AzureResourceId, ContainerName, ContainerId, ContainerImageName, ProcessName, ProcessCommandLine, ParentProcessName, FileName\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Runner discovery, collection archive, and exfiltration activity on devices<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nDeviceProcessEvents\n| where ProcessCommandLine has_all ('\/dev\/null', '--data-binary', '-X POST', 'scan.aquasecurtiy.org')\n    or ProcessCommandLine has_any ('pgrep -f Runner.Listener', 'pgrep -f Runner.Worker')\n    or (ProcessCommandLine has_any ('tmp\/runner_collected_', 'tpcp.tar.gz')\n        and ProcessCommandLine has_any ('curl', 'tar', 'rm', 'openssl enc')\n        and ProcessCommandLine !has 'find')\n    or (InitiatingProcessCommandLine contains '\/entrypoint.sh' and ProcessCommandLine has 'grep -qiE (env|ssh)')\n| join kind=leftouter (DeviceNetworkEvents | where RemoteIP == '45.148.10.122') on DeviceId\n| project Timestamp, FileName, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessFolderPath, RemoteIP\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Compromised installations of Trivy<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nDeviceTvmSoftwareInventory\n| where SoftwareName has \"trivy\"\n| where SoftwareVersion has_any (\"0.69.4\", \"0.69.5\", \"0.69.6\")\n<\/pre>\n<\/div>\n<h2 class=\"wp-block-heading\" id=\"references\">References<\/h2>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.stepsecurity.io\/blog\/trivy-compromised-a-second-time---malicious-v0-69-4-release\">Trivy Compromised a Second Time \u2013 Malicious v0.69.4 Release, aquasecurity\/setup-trivy, aquasecurity\/trivy-action GitHub Actions Compromised \u2013 StepSecurity<\/a> (Step Security)<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.aquasec.com\/blog\/trivy-supply-chain-attack-what-you-need-to-know\/\">Update: Ongoing Investigation and Additional Activity<\/a> (Aqua)<\/p>\n<p class=\"wp-block-paragraph\"><em>This research is provided by Microsoft Defender Security Research with contributions from Yossi Weizman, Tushar Mudi, Kajhon Soyini, Mohan Bojjireddy, Gourav Khandelwal, Sai Chakri Kandalai, Mathieu Letourneau, Ram Pliskin, and Ivan Macalintal<\/em>.<\/p>\n<h2 class=\"wp-block-heading\" 
id=\"learn-more\">Learn more&nbsp;&nbsp;&nbsp;<\/h2>\n<p class=\"wp-block-paragraph\">Review\u202four\u202fdocumentation\u202fto learn\u202fmore about our real-time protection capabilities and see how\u202fto\u202fenable them within your\u202forganization.\u202f\u202f&nbsp;<\/p>\n<p class=\"wp-block-paragraph\">Learn more about\u202f<a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-cloud-apps\/real-time-agent-protection-during-runtime\" target=\"_blank\" rel=\"noreferrer noopener\">Protect your agents in real-time during runtime (Preview) \u2013 Microsoft Defender for Cloud Apps<\/a><\/p>\n<p class=\"wp-block-paragraph\">Explore\u202f<a href=\"https:\/\/eurppc-word-edit.officeapps.live.com\/we\/%E2%80%A2%09https:\/learn.microsoft.com\/en-us\/microsoft-365-copilot\/extensibility\/copilot-studio-agent-builder\" target=\"_blank\" rel=\"noreferrer noopener\">how to build and customize agents with Copilot Studio Agent Builder<\/a>&nbsp;<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/copilot\/microsoft-365\/microsoft-365-copilot-ai-security\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft 365 Copilot AI security documentation<\/a>&nbsp;<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/04\/11\/how-microsoft-discovers-and-mitigates-evolving-attacks-against-ai-guardrails\/\" target=\"_blank\" rel=\"noreferrer noopener\">How Microsoft discovers and mitigates evolving attacks against AI guardrails<\/a>&nbsp;<\/p>\n<p class=\"wp-block-paragraph\">Learn more about\u202f<a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-cloud-apps\/ai-agent-protection\" target=\"_blank\" rel=\"noreferrer noopener\">securing Copilot Studio agents with Microsoft Defender<\/a>\u202f&nbsp;<\/p>\n<p>READ MORE <a 
href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/03\/24\/detecting-investigating-defending-against-trivy-supply-chain-compromise\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Threat actors abused trusted Trivy distribution channels to inject credential\u2011stealing malware into CI\/CD pipelines worldwide. This analysis walks through the Trivy supply\u2011chain compromise, attacker techniques, and concrete steps security teams can take to detect and defend against similar attacks.<br \/>\nThe post Guidance for detecting, investigating, and defending against the Trivy supply chain compromise appeared first on Microsoft Security Blog. READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[],"class_list":["post-60370","post","type-post","status-publish","format-standard","hentry","category-microsoft-secure"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Guidance for detecting, investigating, and defending against the Trivy supply chain compromise 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/guidance-for-detecting-investigating-and-defending-against-the-trivy-supply-chain-compromise\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Guidance for detecting, investigating, and defending against the Trivy supply chain compromise 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/guidance-for-detecting-investigating-and-defending-against-the-trivy-supply-chain-compromise\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2026-03-25T00:03:03+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/MS_Actional-Insights_Malware-ransomware-1.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/guidance-for-detecting-investigating-and-defending-against-the-trivy-supply-chain-compromise\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/guidance-for-detecting-investigating-and-defending-against-the-trivy-supply-chain-compromise\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Guidance for detecting, investigating, and defending against the Trivy supply chain compromise\",\"datePublished\":\"2026-03-25T00:03:03+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/guidance-for-detecting-investigating-and-defending-against-the-trivy-supply-chain-compromise\/\"},\"wordCount\":1776,\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/guidance-for-detecting-investigating-and-defending-against-the-trivy-supply-chain-compromise\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/MS_Actional-Insights_Malware-ransomware-1.jpg\",\"articleSection\":[\"Microsoft Secure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/guidance-for-detecting-investigating-and-defending-against-the-trivy-supply-chain-compromise\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/guidance-for-detecting-investigating-and-defending-against-the-trivy-supply-chain-compromise\/\",\"name\":\"Guidance for detecting, investigating, and defending against the Trivy supply chain compromise 2026 | ThreatsHub Cybersecurity 
"}