A supply chain attack targeting Trivy, a widely used open-source vulnerability scanner maintained by Aqua Security, has resulted in the distribution of malicious Docker images. The incident's effects have since extended beyond the scanner itself into downstream developer environments.
Details of the Attack
The last clean version of Trivy available on Docker Hub is 0.69.3. However, malicious versions 0.69.4, 0.69.5, and 0.69.6 were pushed on March 22, 2026, without corresponding GitHub releases or tags. These images contained indicators of compromise linked to the TeamPCP infostealer, which has been observed in earlier phases of this campaign, according to Socket security researcher Philipp Burckhardt.
Impact on Developer Environments
The attack exploited a compromised credential to push a credential stealer within trojanized versions of Trivy and two related GitHub Actions: aquasecurity/trivy-action and aquasecurity/setup-trivy. Following this, attackers leveraged the stolen data to compromise numerous npm packages, distributing a self-propagating worm known as CanisterWorm. The incident is attributed to a threat actor identified as TeamPCP.
Compromised Repositories and Data Exposure
The attackers defaced all 44 internal repositories associated with Aqua Security’s aquasec-com GitHub organization, renaming them with a prefix of “tpcp-docs-” and publicly exposing them. This organization contains proprietary source code, including that for Tracee, internal Trivy forks, CI/CD pipelines, and Kubernetes operators. The modifications to these repositories occurred rapidly within a two-minute window on March 22, 2026.
Forensics and Ongoing Investigation
Forensic analysis indicates that the attack was facilitated by a compromised service account, specifically the Argon-DevOps-Mgt account, which provided write/admin access to both the compromised and legitimate GitHub organizations. Security researcher Paul McCarty noted that the compromised token was likely obtained during a previous incident involving Trivy GitHub Actions.
Aqua Security has stated that its investigation is focused on ensuring all access paths have been identified and secured. It has indicated that there is no evidence that its commercial products were affected by this incident. CrowdStrike emphasized that the attack vector involved a force-push of modified tags, which took effect because workflows reference actions by tag.
Organizations using Trivy in CI/CD pipelines are advised to avoid the affected versions and treat any recent executions as potentially compromised. This incident underscores the persistent risks associated with supply chain attacks and the importance of maintaining rigorous security practices.
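A defender-side check for the advice above, added here as an example (not code from the article, Aqua Security, or any of the named researchers): it scans a GitHub Actions workflow for the two affected actions referenced by a mutable tag or branch instead of a full commit SHA, and for Trivy image tags in the affected range. It assumes the Docker Hub image name aquasec/trivy and uses a constructed sample workflow.

```python
import re

# Versions named in the article: 0.69.3 is the last clean Docker Hub tag,
# 0.69.4 to 0.69.6 were pushed without matching GitHub releases or tags.
LAST_CLEAN_TRIVY = "0.69.3"
AFFECTED_TRIVY_TAGS = {"0.69.4", "0.69.5", "0.69.6"}
AFFECTED_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

# `uses: owner/repo[/path]@ref` lines in a GitHub Actions workflow.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[^@\s'\"]+)?@([^\s'\"#]+)", re.M)
# Docker Hub image name assumed to be aquasec/trivy (assumption, not from the article).
IMAGE_RE = re.compile(r"\baquasec/trivy:([^\s'\"]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Return a list of findings for one workflow file's text."""
    findings = []
    for m in USES_RE.finditer(text):
        action, ref = m.group(1), m.group(2)
        if FULL_SHA_RE.match(ref):
            continue  # pinned to an immutable commit; a force-pushed tag cannot move it
        if action in AFFECTED_ACTIONS:
            findings.append(f"{action}@{ref}: affected action on a mutable ref, pin to a full commit SHA")
        else:
            findings.append(f"{action}@{ref}: mutable ref, pin to a full commit SHA")
    for m in IMAGE_RE.finditer(text):
        tag = m.group(1).split("@")[0]  # drop any @sha256:... digest suffix
        if tag in AFFECTED_TRIVY_TAGS:
            findings.append(f"aquasec/trivy:{tag}: affected tag, roll back to "
                            f"{LAST_CLEAN_TRIVY} and treat recent runs as compromised")
        elif tag == "latest" and "@sha256:" not in m.group(1):
            findings.append("aquasec/trivy:latest: floating tag, pin a version and digest")
    return findings

# Constructed sample workflow, not taken from any real repository.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - name: Scan image
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: myapp:latest
      - uses: aquasecurity/setup-trivy@0123456789abcdef0123456789abcdef01234567
      - run: docker run --rm aquasec/trivy:0.69.5 image myapp:latest
      - run: docker run --rm aquasec/trivy:0.69.3 image myapp:latest
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```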
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.