Trivy Supply Chain Attack Spreads via Compromised Docker Images

Summary
– Threat actors compromised the Trivy vulnerability scanner version 0.69.4 on March 19, 2026, injecting credential-stealing malware into official releases.
– Researchers later identified additional compromised Docker images (tags 0.69.5 and 0.69.6) uploaded on March 22, which contained indicators of the TeamPCP infostealer.
– The attackers gained broader access, briefly exposing an internal Aqua Security GitHub organization where dozens of repositories were renamed and made public.
– The linked threat group, TeamPCP, has expanded its operations to include activities like ransomware deployment and attacks on Kubernetes environments.
– Aqua Security confirmed version 0.69.3 as the last clean release and stated its commercial products, including the Aqua Platform version of Trivy, were not impacted.
The Trivy supply chain attack has escalated, with newly discovered malicious Docker images now circulating. Security researchers have identified additional compromised versions of the popular vulnerability scanner, broadening the threat to development and continuous integration pipelines.
On March 19, attackers successfully infiltrated the official release of Trivy version 0.69.4, embedding malware designed to steal credentials. Following this initial breach, further investigation by the security firm Socket revealed that the threat actors distributed more malicious artifacts via Docker Hub. These new images, tagged as versions 0.69.5 and 0.69.6, were uploaded on March 22. Notably, these tags did not correspond to any official GitHub releases, a significant red flag.
Analysis confirmed these images contain the same indicators of compromise linked to the TeamPCP infostealer malware, which was central to the original campaign. The latest available tag, 0.69.6, is confirmed as malicious. In a statement on March 23, Aqua Security, Trivy’s developer, acknowledged identifying further suspicious activity involving unauthorized repository changes on March 22, behavior consistent with the known attacker’s methods.
The scope of compromised software is now clear. Version 0.69.3 remains the last known safe release. The initially compromised version 0.69.4 has been removed from distribution, but the newly identified 0.69.5 and 0.69.6 are also affected. These malicious binaries contained typosquatted command-and-control domains and files for data exfiltration, pointing to repositories controlled by the attackers. Security teams emphasize that Docker tags are not immutable: a tag can be re-pushed to point at different content, so a tag alone should never be relied on to verify an image's integrity.
The attack’s impact appears to extend beyond Docker. Researchers reported that an internal GitHub organization connected to Aqua Security was briefly exposed during the incident. Dozens of repositories were rapidly renamed and made public in a scripted, two-minute burst, suggesting automated activity powered by a compromised service account token. This token is believed to have been exposed during the earlier GitHub Actions breach that enabled the initial intrusion.
This campaign is linked to the broader operations of the TeamPCP threat group, which has expanded from simple credential theft to more aggressive tactics. Their current activities reportedly include worm propagation, ransomware deployment, cryptocurrency mining, and destructive attacks aimed at Kubernetes environments. Socket advises any organization using Trivy in its CI/CD pipelines to conduct an immediate review of recent activity and assume recent vulnerability scans may be tainted.
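The two defensive points above, that image tags are mutable and that Trivy usage in CI pipelines should be reviewed, as an added shell example that is not from the article or from Aqua Security: it audits the `image:` references in a CI configuration, flags the tags the report names as compromised, and treats only digest-pinned references as trustworthy. The image repository names, the placeholder digest and the sample workflow are constructed.

```shell
#!/bin/sh
# Added example, not code from the article or from Aqua Security: audit the
# container image references in a CI configuration against the Trivy tags the
# report names as compromised. Version numbers come from the report; the image
# repository names, the digest and the sample workflow below are constructed.
BAD_TAGS="0.69.4 0.69.5 0.69.6"   # compromised per the report; 0.69.3 is the last clean release

# classify_ref IMAGE_REF -> PINNED | COMPROMISED | MUTABLE_TAG | NO_TAG
classify_ref() {
    ref=$1
    case $ref in
        *@sha256:*) echo PINNED; return ;;   # content-addressed: re-pushing a tag cannot alter it
    esac
    tag=${ref##*:}
    case $tag in
        */*|"$ref") echo NO_TAG; return ;;   # colon was a registry port, or no colon: implicit :latest
    esac
    for bad in $BAD_TAGS; do
        if [ "$tag" = "$bad" ]; then echo COMPROMISED; return; fi
    done
    echo MUTABLE_TAG                         # tag can be re-pushed; confirm the digest out of band
}

# audit_refs reads a CI file on stdin and prints "STATUS image-ref" for every image: key
audit_refs() {
    sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*image:[[:space:]]*//p' | tr -d '"'"'" |
    while IFS= read -r ref; do
        if [ -n "$ref" ]; then printf '%s %s\n' "$(classify_ref "$ref")" "$ref"; fi
    done
}

# count_status STATUS reads audit_refs output on stdin and prints how many lines carry STATUS
count_status() { awk -v s="$1" '$1 == s { n++ } END { print n + 0 }'; }

# Constructed sample pipeline fragment (not a real workflow); the digest is a placeholder
SAMPLE='jobs:
  scan:
    container:
      image: aquasec/trivy:0.69.6
  scan_old:
    container:
      image: "aquasec/trivy:0.69.3"
  scan_pinned:
    container:
      image: ghcr.io/aquasecurity/trivy@sha256:0000000000000000000000000000000000000000000000000000000000000000
  build:
    container:
      image: registry.example.com:5000/tools/trivy'
printf '%s\n' "$SAMPLE" | audit_refs
```

Run it against a real pipeline with `audit_refs < .github/workflows/scan.yml`; any COMPROMISED line means the scan results produced by that job should be treated as tainted, and MUTABLE_TAG lines are candidates for pinning by digest.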
Aqua Security has clarified that its commercial products, including the Trivy scanner as delivered within its proprietary Aqua Platform, show no signs of compromise from this incident. The threat is isolated to the open-source versions distributed through public channels.
(Source: Infosecurity Magazine)