On March 19, 2026, a threat actor called TeamPCP force-pushed 75 malicious version tags to Aqua Security's Trivy — the open-source vulnerability scanner we, and a lot of other people, run inside our CI pipelines and our AI agent sandboxes. The attacker injected a credential-stealing payload that rode the auto-update rails straight into thousands of repositories, exploiting credentials retained from an earlier, incompletely remediated breach. Help Net Security and CISA both flagged it within 48 hours.
We ran Trivy. Inside an AI agent. Inside a chargeback pipeline that holds Stripe API credentials.
That's the kind of stack where you don't sleep on it.
A compromised vulnerability scanner is worse than no scanner at all. Here's why:
A rogue Trivy tag isn't a "supply chain risk" in the abstract. It's a direct line from some TeamPCP dev box to your Stripe secret key.
First move, by the book: pin Trivy to the last known-good pre-compromise tag, audit every Trivy-initiated network call in our logs for the prior two weeks, rotate anything that Trivy had line-of-sight to. Standard incident response. Took about three hours.
Second move, the harder one: ask the real question. Why are we running a scanner binary at all?
We're an AI-agent shop. Our agents run on demand, spin up short-lived, install a handful of Python and Node packages per task, return an answer, and disappear. The reason we had Trivy in there was to scan those packages before the agent uses them. But Trivy — like Snyk, like Grype, like any on-disk scanner — wants to be installed, wants to auto-update, wants database files on disk, wants a binary in your PATH. All of that is attack surface.
An AI agent doesn't need a binary. It needs an answer to one question: "Given this list of packages and versions, which ones are known-vulnerable, which ones are actively exploited in the wild, and what's the fixed version?"
That is an HTTP request. Not an install.
We replaced Trivy inside our agent pipeline with Aegis402. Full disclosure up front: Aegis402 is built and run by the same team that operates ChargeShield. We wrote about its dependency-scanning angle earlier this week in this post. The reason we're bringing it up again in this context is that the Trivy incident made it painfully concrete why a stateless HTTP call beats a vendored binary for our threat model.
Here is what the replacement looks like:
curl -X POST https://aegis402.vmaxbadge.ch/scan \
  -H 'content-type: application/json' \
  -d '{"deps":[
    {"ecosystem":"pip","package":"requests","version":"2.31.0"},
    {"ecosystem":"pip","package":"langchain","version":"0.1.20"},
    {"ecosystem":"npm","package":"mathjs","version":"15.1.0"}
  ]}'
Pricing: $0.005 per dependency, paid inline in USDC on Base via the x402 protocol. The first request without an X-PAYMENT header returns 402 Payment Required with a signed challenge. Your agent signs a USDC transfer authorization, retries with the header, and gets the scan result in the same round-trip. No signup, no API key, no dashboard. Your agent pays out of its own wallet, per call.
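The 402-then-retry exchange just described, as an added client-side illustration (this is not Aegis402's own client code). The HTTP transport and the wallet signer are injected so the whole round-trip runs offline against a constructed stand-in service; the JSON shape of the challenge and of the scan result, the nonce, and the `amount_usd` field are assumptions made for the example, not the service's documented formats. The one thing the client adds beyond the handshake is a budget check: it refuses to sign a challenge that quotes more than the caller is willing to spend on a single scan.

```python
"""Client side of the x402 pay-per-call handshake (added illustration).

Transport and signer are injected; the challenge/result JSON shapes are
constructed stand-ins, not Aegis402's documented formats.
"""
import json
from typing import Any, Callable, Dict, List, Tuple

SCAN_URL = "https://aegis402.vmaxbadge.ch/scan"   # endpoint named in the post
PRICE_PER_DEP_USD = 0.005                         # rate quoted in the post

# transport(method, url, headers, body) -> (status, response_body)
Transport = Callable[[str, str, Dict[str, str], str], Tuple[int, str]]
# signer(challenge) -> value to send in the X-PAYMENT header
Signer = Callable[[Dict[str, Any]], str]


def scan_with_x402(deps: List[dict], transport: Transport, signer: Signer,
                   max_usd: float = 0.25) -> dict:
    """POST the dependency list; on 402, sign the challenge once and retry.

    Refuses to sign a challenge whose quoted amount exceeds max_usd, so a
    mispriced or tampered challenge cannot drain the agent's wallet.
    """
    body = json.dumps({"deps": deps})
    headers = {"content-type": "application/json"}
    status, resp = transport("POST", SCAN_URL, headers, body)
    if status == 200:                      # already authorised (e.g. trial token)
        return json.loads(resp)
    if status != 402:
        raise RuntimeError(f"unexpected status {status} from scan endpoint")
    challenge = json.loads(resp)
    quoted = float(challenge["amount_usd"])          # assumed field name
    if quoted > max_usd:
        raise RuntimeError(f"challenge asks {quoted} USD, budget is {max_usd}")
    headers["X-PAYMENT"] = signer(challenge)         # exactly one paid retry
    status, resp = transport("POST", SCAN_URL, headers, body)
    if status != 200:
        raise RuntimeError(f"paid retry failed with status {status}")
    return json.loads(resp)


class FakeAegisService:
    """Constructed offline stand-in for the server half of the exchange."""

    def __init__(self):
        self.calls = 0
        self.nonce = "n-0001"                        # constructed nonce

    def transport(self, method, url, headers, body):
        self.calls += 1
        deps = json.loads(body)["deps"]
        if headers.get("X-PAYMENT") != f"signed:{self.nonce}":
            challenge = {"amount_usd": PRICE_PER_DEP_USD * len(deps),
                         "currency": "USDC", "nonce": self.nonce}
            return 402, json.dumps(challenge)        # 402 Payment Required
        # Constructed verdicts: only a package literally named "pkg-bad" is flagged.
        results = [{"package": d["package"], "version": d["version"],
                    "vulnerable": d["package"] == "pkg-bad"} for d in deps]
        return 200, json.dumps({"results": results})


def fake_signer(challenge: dict) -> str:
    """Placeholder for the wallet's USDC transfer authorization (constructed)."""
    return f"signed:{challenge['nonce']}"


def demo() -> dict:
    """Run one scan through the handshake: expect 2 calls, 1 flagged package."""
    svc = FakeAegisService()
    deps = [{"ecosystem": "pip", "package": "pkg-ok", "version": "1.0.0"},
            {"ecosystem": "pip", "package": "pkg-bad", "version": "0.9.1"}]
    result = scan_with_x402(deps, svc.transport, fake_signer)
    flagged = [r["package"] for r in result["results"] if r["vulnerable"]]
    return {"calls": svc.calls, "flagged": flagged}


if __name__ == "__main__":
    print(demo())
```

Swapping `FakeAegisService.transport` for a real HTTP call and `fake_signer` for the wallet's signing routine is the only change needed to point this at the live endpoint; the budget check and the single-retry discipline stay the same.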
Under the hood, Aegis402 mirrors two data sources: GitHub Security Advisories (the curated, reviewed ones) and the CISA Known Exploited Vulnerabilities catalog. Both refresh every 60 minutes. It is a read-only HTTP service. It cannot install itself into your CI. It cannot auto-update a binary in your PATH. There is no tag-history for an attacker to overwrite.
A pay-per-call scanner has exactly one way to harm you: by returning a wrong answer. A binary scanner has a dozen.
Enumerate the attack surface honestly:
The blast radius of compromising an HTTP CVE service is dramatically smaller than compromising a binary scanner. That's not an opinion — it's the literal definition of the attack surface.
"What if Aegis402 goes down?" Our agents fail-closed: if the scan call errors, the agent does not install the dependency, and the job is queued for retry. A brief outage on a dependency service is an inconvenience; a compromised scanner is a breach. We'll take the inconvenience.
"Pay-per-call means a DoS attacker could drain our wallet." Each agent has its own wallet with a small float. A runaway agent drains $2-3 before the circuit breaker trips. Compare that to the cost of a breach response.
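The two operating policies above, fail-closed on scan errors and a small per-agent wallet float behind a circuit breaker, as an added illustration that is not ChargeShield's production code. The scan function is injected (three constructed stand-ins are included: a clean result, a KEV-flagged result, and an outage), the result shape it returns is an assumption for the example, and the retry queue is a plain deque. Every error path is a deny: an unreachable scanner and an exhausted wallet both block the install and queue the job, and a tripped breaker stays tripped until someone resets it.

```python
"""Fail-closed dependency gate with a per-agent wallet circuit breaker
(added illustration; scan function injected, result shape constructed)."""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, List

PRICE_PER_DEP_USD = 0.005    # rate quoted in the post


class WalletBreaker:
    """Per-agent float; trips, and stays tripped, once it cannot cover a call."""

    def __init__(self, float_usd: float):
        self.remaining = float_usd
        self.tripped = False

    def charge(self, amount_usd: float) -> None:
        # Small tolerance so float rounding cannot trip the breaker one call early.
        if self.tripped or amount_usd > self.remaining + 1e-9:
            self.tripped = True
            raise RuntimeError("circuit breaker open: wallet float exhausted")
        self.remaining -= amount_usd


@dataclass
class Decision:
    install: bool
    reason: str
    blocked: List[str]


def gate(job_id: str, deps: List[dict],
         scan: Callable[[List[dict]], List[dict]],
         breaker: WalletBreaker, retry_queue: Deque[str]) -> Decision:
    """Decide whether the agent may install deps. Every error path is a deny."""
    try:
        breaker.charge(PRICE_PER_DEP_USD * len(deps))
    except RuntimeError as e:
        retry_queue.append(job_id)               # wait for a refill, retry later
        return Decision(False, str(e), [])
    try:
        results = scan(deps)
    except Exception as e:                       # timeout, 5xx, malformed body...
        retry_queue.append(job_id)               # fail closed: no install, retry
        return Decision(False, f"scan unavailable: {e}", [])
    blocked = [f"{r['package']}@{r['version']}" for r in results
               if r.get("vulnerable") or r.get("kev")]
    if blocked:
        return Decision(False, "known-vulnerable dependency", blocked)
    return Decision(True, "clean", [])


# --- constructed scanners standing in for the HTTP call -----------------------
def scan_clean(deps):
    return [dict(d, vulnerable=False, kev=False) for d in deps]


def scan_flag_kev(deps):
    return [dict(d, vulnerable=(d["package"] == "pkg-bad"),
                 kev=(d["package"] == "pkg-bad")) for d in deps]


def scan_down(deps):
    raise ConnectionError("upstream timeout")


DEPS = [{"ecosystem": "pip", "package": "pkg-ok", "version": "1.0.0"},
        {"ecosystem": "npm", "package": "pkg-bad", "version": "2.3.4"}]


def runaway_calls_before_trip(float_usd: float, deps: List[dict]) -> int:
    """How many scans a looping agent gets through before the breaker opens."""
    breaker, queue, n = WalletBreaker(float_usd), deque(), 0
    while gate(f"job-{n}", deps, scan_clean, breaker, queue).install:
        n += 1
    return n


if __name__ == "__main__":
    q = deque()
    print(gate("j1", DEPS, scan_down, WalletBreaker(3.0), q), list(q))
    print(gate("j2", DEPS, scan_flag_kev, WalletBreaker(3.0), q))
    print(runaway_calls_before_trip(0.10, DEPS))   # 10 scans on a $0.10 float
```

The breaker is deliberately dumb: it counts dollars, not calls, so a task that legitimately touches more packages costs more of the float, which is the quantity you actually want bounded.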
"We need an on-prem scanner for compliance." Fair — if your compliance framework mandates an on-prem SCA binary, you need one. Our answer is to run both: Aegis402 for the agent-installed packages (the ones Trivy never saw anyway, because agents don't commit), and a pinned, audited, air-gapped binary scanner for the code we actually push to git. Different tools for different lifecycles.
"$0.005 per dependency adds up." Does it? A typical chargeback rebuttal agent touches 15-30 packages. That's $0.075 to $0.15 per response. We process thousands of responses per day. Our Aegis402 bill for an entire month is less than one seat of our previous enterprise SCA tool.
The Trivy incident is not going to be the last one. Endor Labs, Snyk, Socket.dev, GitHub's own security features — every one of these is a single point of compromise for a whole industry. The fix isn't "find the one scanner you trust absolutely". The fix is to shrink your scanner's capabilities to the absolute minimum it needs, so that if it does get compromised, the blast radius is bounded.
A read-only HTTP service that answers "is this package vulnerable?" and does literally nothing else is the floor of that minimization. That's why we built Aegis402 that way, and that's why it survived the Trivy news cycle as our default.
Don't want to integrate an API? Get a one-shot Aegis Quick Audit — submit a GitHub repo, get a branded PDF report with every CVE + CISA KEV flag in your dependency tree. 9 CHF, delivered in 24h, no account.
If you're also running Trivy inside an AI agent, stop reading and go audit it. Then, if the HTTP-service model makes sense for your threat model, try Aegis402 against your next dependency diff. Start free — curl -X POST https://aegis402.vmaxbadge.ch/trial returns a token good for 10 scans / 24h, no signup, no wallet. Pass it as X-Trial-Token on /scan. Full API manifest at https://aegis402.vmaxbadge.ch/mcp. MCP Streamable HTTP transport at https://aegis402.vmaxbadge.ch/mcp/rpc.