[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article-trivy-docker-images-fresh-supply-chain-attack-zh":3,"tags-trivy-docker-images-fresh-supply-chain-attack-zh":33,"related-lang-trivy-docker-images-fresh-supply-chain-attack-zh":47,"related-posts-trivy-docker-images-fresh-supply-chain-attack-zh":51,"series-industry-991499d1-f367-4854-8dd2-029e5532819c":88},{"id":4,"title":5,"content":6,"summary":7,"source":8,"source_url":9,"author":10,"image_url":11,"keywords":12,"language":21,"translated_content":10,"views":22,"is_premium":23,"created_at":24,"updated_at":24,"cover_image":11,"published_at":25,"rewrite_status":26,"rewrite_error":10,"rewritten_from_id":27,"slug":28,"category":29,"related_article_id":30,"status":31,"google_indexed_at":32,"x_posted_at":10,"tweet_text":10,"title_rewritten_at":10,"title_original":10,"key_takeaways":10,"topic_cluster_id":10,"embedding":10,"is_canonical_seed":23},"991499d1-f367-4854-8dd2-029e5532819c","Trivy Docker 映像遭供應鏈攻擊","\u003Cp>Trivy 這次真的不是小事。\u003Ca href=\"https:\u002F\u002Ftrivy.dev\" target=\"_blank\" rel=\"noopener\">Trivy\u003C\u002Fa> 的 Docker image tag 0.69.5 和 0.69.6 也被污染。研究團隊 \u003Ca href=\"https:\u002F\u002Fsocket.dev\" target=\"_blank\" rel=\"noopener\">Socket\u003C\u002Fa> 追到的結果很直接：0.69.6 在回報時，還指向惡意映像檔。\u003C\u002Fp>\u003Cp>這代表問題不只是一個版本壞掉。它已經碰到 Docker Hub、GitHub Actions，還碰到很多團隊每天都在跑的 CI\u002FCD 流程。講白了，掃描器自己如果被動手腳，開發者最信的那層保護就先破了。\u003C\u002Fp>\u003Cp>更麻煩的是，這種工具常常有高權限。它能讀原始碼、讀環境變數、看 build log，甚至碰到雲端憑證。你以為它在幫你掃漏洞，結果它可能也在幫攻擊者收資料。\u003C\u002Fp>\u003Ch2>第一波事件後，問題還沒結束\u003C\u002Fh2>\u003Cp>這起事件最早從 2026 年 3 月 19 日開始。當時攻擊者先入侵 Trivy 0.69.4，並把竊取憑證的惡意程式塞進正式釋出和 GitHub Actions。\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775200018828-x4i3.png\" alt=\"Trivy Docker 映像遭供應鏈攻擊\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>到了 3 月 22 日，研究人員又找到兩個新的惡意 Docker tag，分別是 0.69.5 和 0.69.6。更怪的是，這兩個 tag 沒有對應的 GitHub release。這種對不上流程的狀況，對做 CI 的人來說很刺眼。\u003C\u002Fp>\u003Cp>正常 release 會有一條完整軌跡。原始碼 tag、build、artifact、映像檔，都應該能對起來。這次卻是 image tag 先冒出來，像是有人直接插隊發貨。對供應鏈攻擊來說，這就是很典型的破口。\u003C\u002Fp>\u003Cul>\u003Cli>0.69.3 是目前已知最後乾淨版本\u003C\u002Fli>\u003Cli>0.69.4 是第一個被污染的版本\u003C\u002Fli>\u003Cli>0.69.5 和 0.69.6 也被發現有問題\u003C\u002Fli>\u003Cli>0.69.6 在回報時仍指向惡意映像檔\u003C\u002Fli>\u003Cli>分析中看到 TeamPCP 相關的竊資特徵\u003C\u002Fli>\u003C\u002Ful>\u003Cp>我覺得這裡最值得警惕的，不是版本號本身，而是流程斷點。只要 release、registry、GitHub Actions 三邊有一邊沒對齊，攻擊者就有機會把假貨塞進去。\u003C\u002Fp>\u003Ch2>為什麼 CI\u002FCD 是攻擊重點\u003C\u002Fh2>\u003Cp>很多團隊把掃描器當成「安全工具」，所以會直接放進 pipeline。問題就在這裡。工具一旦被污染，它就能在最敏感的時候接觸到最多資料。\u003C\u002Fp>\u003Cp>Trivy 常被拿來掃 container、code、de\u003Ca href=\"\u002Fnews\u002Fopenclaw-april-2026-update-xai-minimax-zh\">pen\u003C\u002Fa>dency。它跑在 CI\u002FCD 時，通常會碰到 repo token、registry token、雲端金鑰，還有各種 build 參數。攻擊者只要拿到其中一部分，後面就很好玩了，對他們來說啦。\u003C\u002Fp>\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.aquasec.com\u002F\" target=\"_blank\" rel=\"noopener\">Aqua Security\u003C\u002Fa> 的分析指出，這次行為和先前觀察到的攻擊模式一致。意思很明白：這不是隨機亂打，而是同一套手法從 GitHub Actions 轉到 Docker 發佈，再往內部資源延伸。\u003C\u002Fp>\u003Cblockquote>“Based on our current understanding, this activity is consistent with the attacker’s previously observed behavior,” Aqua Security said in its March 23 update.\u003C\u002Fblockquote>\u003Cp>這句話很重要。它不是在講單點事故，而是在講一條攻擊鏈。先拿到入口，再用自動化把影響擴散。對防守方來說，這種節奏通常比單次入侵更麻煩。\u003C\u002Fp>\u003Cp>還有一個老問題。很多人只看 tag，不看 digest。像 \u003Ccode>trivy:latest\u003C\u002Fcode> 這種寫法最方便，也最危險。Docker tag 可以被重指向，tag 不是證明，digest 才比較像證明。\u003C\u002Fp>\u003Ch2>GitHub 暴露讓範圍更大\u003C\u002Fh2>\u003Cp>這次攻擊不只碰到 Docker image。研究人員也發現，和 Aqua Security 有關的內部 GitHub \u003Ca href=\"\u002Fnews\u002Fsora-shutdown-ai-vendor-risk-zh\">or\u003C\u002Fa>ganization 曾短暫暴露。當時有數十個 repository 被改名，還被設成公開。\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775200012956-q4jr.png\" alt=\"Trivy Docker 映像遭供應鏈攻擊\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>時間也很有意思。這些變動據稱只花了大約兩分鐘，而且看起來像腳本在跑，不像人手動一個一個點。這種 burst 式操作通常代表攻擊者早就拿到 token，而且權限不低。\u003C\u002Fp>\u003Cp>這裡還牽到 \u003Ca href=\"https:\u002F\u002Fsocket.dev\u002Fblog\u002Fteampcp-supply-chain-campaign\" target=\"_blank\" rel=\"noopener\">TeamPCP\u003C\u002Fa>。研究團隊把這個群組和竊資、worm 傳播、ransomw\u003Ca href=\"\u002Fnews\u002Fcloudflare-account-abuse-protection-fraud-zh\">are\u003C\u002Fa>、挖礦，還有針對 Kubernetes 的破壞行為連在一起。老實說，這種角色切換很像現在常見的犯罪團隊打法，先偷，再賣，再擴散。\u003C\u002Fp>\u003Cul>\u003Cli>數十個 repository 曾被改名並公開\u003C\u002Fli>\u003Cli>暴露時間約 2 分鐘\u003C\u002Fli>\u003Cli>可能是 service account token 被濫用\u003C\u002Fli>\u003Cli>影響範圍橫跨多個 GitHub organization\u003C\u002Fli>\u003C\u002Ful>\u003Cp>如果你的組織也有自動化帳號，這一段很值得對照。很多公司會把 token 發給 bot、release job、掃描 job。問題是，一個 token 壞掉，常常不是壞一個 repo，而是壞一串流程。\u003C\u002Fp>\u003Ch2>跟其他供應鏈事件比，差在哪\u003C\u002Fh2>\u003Cp>這類事件其實有固定套路。先拿下一個入口，再把惡意內容丟進 registry、build system、開發者工具。Trivy 這次的特別之處在於，它本身就是安全掃描工具。也就是說，攻擊者不是只想混進你的環境，而是想混進你判斷風險的那一層。\u003C\u002Fp>\u003Cp>如果拿其他案例來比，\u003Ca href=\"https:\u002F\u002Fwww.infosecurity-magazine.com\u002Fnews\u002Fdocker-hub-breach-exposes-190k-users\u002F\" target=\"_blank\" rel=\"noopener\">2019 年 Docker Hub 外洩事件\u003C\u002Fa>影響了約 19 萬名使用者。那次很大，但重點偏向帳號外洩。這次 Trivy 事件的重點不一樣，它碰到的是 CI\u002FCD 裡最敏感的安全檢查。\u003C\u002Fp>\u003Cp>所以比較方式也要換。不是只看有多少帳號受影響，而是看 attack surface 有沒有踩進 release gate。當掃描器本身不可信，後面所有 scan result 都要重新驗。\u003C\u002Fp>\u003Cul>\u003Cli>Docker tag 可被改寫\u003C\u002Fli>\u003Cli>GitHub Actions 可被拿來塞惡意輸出\u003C\u002Fli>\u003Cli>掃描器進 CI\u002FCD 後，權限通常很高\u003C\u002Fli>\u003Cli>用 digest pinning 比只看版本號更穩\u003C\u002Fli>\u003Cli>自動化流程越多，供應鏈風險面越大\u003C\u002Fli>\u003C\u002Ful>\u003Cp>還有一點不能漏。Aqua Security 表示，自家商業產品沒有看到受影響，包含 Aqua Platform 內提供的 Trivy。這句話只能縮小已知範圍，不能幫你省掉檢查。如果你是直接拉開源 image，還是得自己查清楚。\u003C\u002Fp>\u003Ch2>這次事件也在提醒產業一件事\u003C\u002Fh2>\u003Cp>開源工具被打，不是新聞第一次出現。只是這次打到的是大家很常用的安全工具，所以感覺特別刺。很多團隊平常會很認真管應用程式，卻把掃描器、build helper、CI action 當成理所當然。\u003C\u002Fp>\u003Cp>問題就在這裡。開發流程越自動化，攻擊者越愛找能重複利用的點。包管理器、CI helper、掃描器，都是高價值目標。因為它們一旦中招，影響的不是一台主機，而是一整串 pipeline。\u003C\u002Fp>\u003Cp>這也解釋了為什麼現在越來越多團隊開始看 SBOM、digest、簽章驗證，還有 artifact provenance。不是因為文件漂亮，而是因為 tag 太容易被動手腳。你如果只看版本號，等於只看門牌，不看裡面住的是誰。\u003C\u002Fp>\u003Cp>我會建議台灣團隊先做三件事。第一，檢查最近有沒有拉到 0.69.4、0.69.5、0.69.6。第二，把 Trivy image 改成 digest pinning。第三，回頭看 GitHub Actions 權限，尤其是 service account token。\u003C\u002Fp>\u003Cp>再多做一步也不難。把掃描 job 的 outbound traffic、環境變數讀取、異常 repository 變更都記錄下來。這些東西平常看起來很煩，但出事時會救命。\u003C\u002Fp>\u003Ch2>接下來該怎麼看\u003C\u002Fh2>\u003Cp>這次 Trivy 事件給我的結論很直接：供應鏈攻擊會越來越愛打工具層。因為那裡權限高、被信任、又常常沒人細查。說白了，攻擊者不一定要打你的 app，先打你的 scanner 就夠痛了。\u003C\u002Fp>\u003Cp>如果你的 CI\u002FCD 還在用 mutable tag，我會說現在就該改。不是等下一次事故來了才補洞。你可以先從 digest pinning、token 盤點、GitHub Actions 權限收斂開始。這些都是實作成本不高，但能少掉很多麻煩的動作。\u003C\u002Fp>\u003Cp>我自己的判斷是，接下來 12 個月，更多攻擊會盯上 package manager、scanner、CI helper 這類工具。下一次不一定會像這次一樣吵，但它可能更安靜，也更難抓。你現在要做的，不是等它來，而是先把流程改到不怕它來。\u003C\u002Fp>","Trivy 的 Docker tag 0.69.5、0.69.6 也被污染。這起事件從單一版本外洩，變成 CI\u002FCD 供應鏈風險案例，Scanner 本身一旦中招，整條流程都會失去信任。","www.infosecurity-magazine.com","https:\u002F\u002Fwww.infosecurity-magazine.com\u002Fnews\u002Ftrivy-supply-chain-attack-expands\u002F",null,"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775200018828-x4i3.png",[13,14,15,16,17,18,19,20],"Trivy","Docker","供應鏈攻擊","CI\u002FCD","GitHub Actions","TeamPCP","資安","容器安全","zh",1,false,"2026-04-03T07:06:33.870882+00:00","2026-04-03T07:06:33.842+00:00","done","b37958d9-8b95-47b9-af48-90992efa8d58","trivy-docker-images-fresh-supply-chain-attack-zh","industry","5a5a96eb-ef53-46ce-9ad4-b5158fd0d799","published","2026-04-07T07:41:09.863+00:00",[34,36,38,39,41,42,43,45],{"name":13,"slug":35},"trivy",{"name":18,"slug":37},"teampcp",{"name":19,"slug":19},{"name":17,"slug":40},"github-actions",{"name":15,"slug":15},{"name":20,"slug":20},{"name":14,"slug":44},"docker",{"name":16,"slug":46},"cicd",{"id":30,"slug":48,"title":49,"language":50},"trivy-docker-images-fresh-supply-chain-attack-en","Trivy Docker Images Hit by Fresh Supply Chain Attack","en",[52,58,64,70,76,82],{"id":53,"slug":54,"title":55,"cover_image":56,"image_url":56,"created_at":57,"category":29},"cd078ce9-0a92-485a-b428-2f5523250a19","circles-agent-stack-targets-machine-speed-payments-zh","Circle 推出 Agent Stack，瞄準機器速度支付","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778871663628-uyk5.png","2026-05-15T19:00:44.16849+00:00",{"id":59,"slug":60,"title":61,"cover_image":62,"image_url":62,"created_at":63,"category":29},"96d96399-f674-4269-997a-cddfc34291a0","iren-signs-nvidia-ai-infrastructure-pact-zh","IREN 綁上 Nvidia AI 基建","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778871057561-bukp.png","2026-05-15T18:50:37.57206+00:00",{"id":65,"slug":66,"title":67,"cover_image":68,"image_url":68,"created_at":69,"category":29},"de12a36e-52f9-4bca-8deb-a41cf974ffd9","circle-agent-stack-ai-payments-zh","Circle 推出 Agent Stack 做 AI 付款","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778870462187-t9xv.png","2026-05-15T18:40:30.945394+00:00",{"id":71,"slug":72,"title":73,"cover_image":74,"image_url":74,"created_at":75,"category":29},"e6379f8a-3305-4862-bd15-1192d3247841","why-nebius-ai-pivot-is-more-real-than-hype-zh","為什麼 Nebius 的 AI 轉型比炒作更真實","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778823044520-9mfz.png","2026-05-15T05:30:24.978992+00:00",{"id":77,"slug":78,"title":79,"cover_image":80,"image_url":80,"created_at":81,"category":29},"66c4e357-d84d-43ef-a2e7-120c4609e98e","nvidia-backs-corning-factories-with-billions-zh","Nvidia 出資 Corning 工廠擴產","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778822450270-trdb.png","2026-05-15T05:20:27.701475+00:00",{"id":83,"slug":84,"title":85,"cover_image":86,"image_url":86,"created_at":87,"category":29},"31d8109c-8b0b-46e2-86bc-d274a03269d1","why-anthropic-gates-foundation-ai-public-goods-zh","為什麼 Anthropic 和 Gates Foundation 應該投資 A…","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778796636474-u508.png","2026-05-14T22:10:21.138177+00:00",[89,94,99,104,109,114,119,124,129,134],{"id":90,"slug":91,"title":92,"created_at":93},"ee073da7-28b3-4752-a319-5a501459fb87","ai-in-2026-what-actually-matters-now-zh","2026 AI 真正重要的事","2026-03-26T07:09:12.008134+00:00",{"id":95,"slug":96,"title":97,"created_at":98},"83bd1795-8548-44c9-9a7e-de50a0923f71","trump-ai-framework-power-speech-state-preemption-zh","川普 AI 框架瞄準電力、言論與州權","2026-03-26T07:12:18.695466+00:00",{"id":100,"slug":101,"title":102,"created_at":103},"ea6be18b-c903-4e54-97b7-5f7447a612e0","nvidia-gtc-2026-big-ai-announcements-zh","NVIDIA GTC 2026 重點拆解","2026-03-26T07:14:26.62638+00:00",{"id":105,"slug":106,"title":107,"created_at":108},"4bcec76f-4c36-4daa-909f-54cd702f7c93","claude-users-spreading-out-and-getting-better-zh","Claude 用戶更分散，也更會用","2026-03-26T07:22:52.325888+00:00",{"id":110,"slug":111,"title":112,"created_at":113},"bd903b15-2473-4178-9789-b7557816e535","openclaw-raises-hard-question-for-ai-models-zh","OpenClaw 逼問 AI 模型價值","2026-03-26T07:24:54.707486+00:00",{"id":115,"slug":116,"title":117,"created_at":118},"eeac6b9e-ad9d-4831-8eec-8bba3f9bca6a","gap-google-gemini-checkout-fashion-search-zh","Gap 把結帳搬進 Gemini","2026-03-26T07:28:23.937768+00:00",{"id":120,"slug":121,"title":122,"created_at":123},"0740e53f-605d-4d57-8601-c10beb126f3c","google-pushes-gemini-transition-to-march-2026-zh","Google 把 Gemini 轉換延到 2026 年 3…","2026-03-26T07:30:12.825269+00:00",{"id":125,"slug":126,"title":127,"created_at":128},"e660d801-2421-4529-8fa9-86b82b066990","metas-llama-4-benchmark-scandal-gets-worse-zh","Meta Llama 4 分數風波又擴大","2026-03-26T07:34:21.156421+00:00",{"id":130,"slug":131,"title":132,"created_at":133},"183f9e7c-e143-40bb-a6d5-67ba84a3a8bc","accenture-mistral-ai-sovereign-enterprise-deal-zh","Accenture 攜手 Mistral AI 賣主權 AI","2026-03-26T07:38:14.818906+00:00",{"id":135,"slug":136,"title":137,"created_at":138},"191d9b1b-768a-478c-978c-dd7431a38149","mistral-ai-faces-its-hardest-year-yet-zh","Mistral AI 迎來最硬的一年","2026-03-26T07:40:23.716374+00:00"]