LmCast :: Stay tuned in

Trivy supply-chain attack spreads to Docker, GitHub repos

Recorded: March 23, 2026, 7 p.m.


Trivy supply-chain attack spreads to Docker, GitHub repos

By Bill Toulas, March 23, 2026, 01:40 PM

The TeamPCP hackers behind the Trivy supply-chain attack continued to target Aqua Security, pushing malicious Docker images and hijacking the company’s GitHub organization to tamper with dozens of repositories.
This follows the threat actor compromising the GitHub build pipeline for Trivy, Aqua Security's scanner, to deliver infostealing malware in a supply-chain attack that extended to Docker Hub over the weekend.
Trivy has more than 33,800 stars on GitHub and is widely used for detecting vulnerabilities, misconfigurations, and exposed secrets across software artifacts and infrastructure.
Supply-chain security company Socket says in a report on Sunday that it identified compromised Trivy artifacts published to Docker Hub.
"New image tags 0.69.5 and 0.69.6 were pushed on March 22 without corresponding GitHub releases or tags," Socket researchers say. According to their analysis, the two images contain indicators of compromise related to the infostealer that TeamPCP pushed after gaining access to Aqua Security's GitHub organization.
The researchers note that the last known Trivy release is 0.69.3 and warn that even if they did not see any evidence of older images or binaries being modified after publication, "Docker Hub tags are not immutable, and organizations should not rely solely on tag names for integrity."
Breaching AquaSec's GitHub
On March 20, Aqua Security said that the threat actor gained access to the company's GitHub organization due to incomplete containment of a previous incident targeting the same tool at the beginning of the month.

"We rotated secrets and tokens, but the process wasn't atomic and attackers may have been privy to refreshed tokens," Aqua Security said.

This allowed the attacker to inject credential-harvesting code (the TeamPCP Cloud stealer) into Trivy and publish malicious versions of the tool.
Aqua responded to this incident by publishing new, safe versions of Trivy on March 20 and engaging the incident response firm Sygnia to assist them with remediation and forensic investigation.
However, via an update published today, Aqua noted that it identified additional suspicious activity on March 22, indicating that the same threat actors have re-established unauthorized access, and performed “unauthorized changes and repository tampering.”
The company noted that, despite this new development, Trivy was not impacted at this time.
An analysis from OpenSourceMalware, a community-driven malware intelligence platform, explains that TeamPCP gained access to the aquasec-com GitHub organization, where Aqua Security hosts its proprietary code, separate from the company's aquasecurity GitHub organization for public repositories.
Using an automation script, it took the hackers about two minutes to add the prefix tpcp-docs- to all 44 repositories in the aquasec-com organization and change every description to read "TeamPCP Owns Aqua Security."
The researchers have high confidence that the attacker gained access by compromising a service account named Argon-DevOps-Mgt, which had access to both of Aqua Security's GitHub organizations.
According to OpenSourceMalware, the service account authorized actions with a Personal Access Token (PAT) belonging to a standard user instead of with a GitHub App.
The issue is that a PAT functions like a password: it is a bearer credential that can be created with no expiry, whereas a GitHub App installation token expires after about an hour. A service account used for automated tasks also typically has no multi-factor authentication (MFA), and even where MFA is enabled on the account, token-based authentication is never challenged by it, so a stolen PAT is usable as-is until it is revoked.
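When a stealer has run on a CI runner, the first question for responders is which of the harvested material is still usable: an installation token has expired by the time anyone reads the report, while a classic PAT or an IAM user key is good until revoked. The script below is an added example, neither TeamPCP's stealer nor Aqua Security's tooling, that triages an environment snapshot by credential lifetime. The runner environment is constructed and every value is a dummy of the right shape; the GitHub token prefixes follow GitHub's published token formats and the AWS key-ID prefixes follow AWS's documented formats.

```python
"""Triage what a CI-runner infostealer would have harvested, by lifetime.

Added example; this is neither TeamPCP's stealer nor Aqua Security's
tooling. The runner environment below is constructed and every value is a
dummy of the right shape. GitHub token prefixes follow GitHub's published
token formats; AWS key-ID prefixes follow AWS's documented formats.
"""
import re

# GitHub token prefix -> (kind, lifetime). A classic PAT can be created with
# no expiry, which is why a leaked one outlives a leaked App token.
GITHUB_PREFIXES = {
    "ghp_": ("classic personal access token", "long-lived (may never expire)"),
    "github_pat_": ("fine-grained personal access token", "expiring (date set at creation)"),
    "ghs_": ("GitHub App installation token", "short-lived (about 1 hour)"),
    "gho_": ("OAuth app access token", "long-lived (until revoked)"),
}
AWS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def classify(value):
    """(kind, lifetime) for a secret-looking string, or None."""
    for prefix, info in GITHUB_PREFIXES.items():
        if value.startswith(prefix):
            return info
    m = AWS_KEY_ID.search(value)
    if m:
        return ("AWS access key ID",
                "long-lived (IAM user key)" if m.group(1) == "AKIA" else "temporary (STS)")
    if PRIVATE_KEY.search(value):
        return ("SSH/TLS private key", "long-lived (until rotated)")
    return None


def triage(env):
    """Variable name -> (kind, lifetime) for every harvestable value."""
    return {name: info for name, value in env.items() if (info := classify(value))}


def needs_rotation(env):
    """Variables holding long-lived material: rotate these first, all at once."""
    return sorted(name for name, (_, lifetime) in triage(env).items()
                  if lifetime.startswith("long-lived"))


# Constructed runner environment; variable names and values are made up.
RUNNER_ENV = {
    "GITHUB_TOKEN": "ghs_" + "x" * 36,           # the workflow's own token, expires on its own
    "AQUA_SERVICE_PAT": "ghp_" + "y" * 36,       # long-lived PAT of a service account
    "AWS_ACCESS_KEY_ID": "AKIA" + "Z" * 16,      # IAM user key
    "AWS_ACCESS_KEY_ID_STS": "ASIA" + "Q" * 16,  # temporary credential
    "DEPLOY_KEY": "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----",
    "RUNNER_OS": "Linux",
}

if __name__ == "__main__":
    for name, (kind, lifetime) in triage(RUNNER_ENV).items():
        print(f"{name:22} {kind:38} {lifetime}")
    print("rotate first:", needs_rotation(RUNNER_ENV))
```

The point of the lifetime column is the one Aqua's own statement makes: rotation that is not atomic leaves a window in which the attacker still holds a working long-lived token and may watch the new ones being issued. Everything in the "rotate first" list has to be revoked in one pass, with the runner environment treated as compromised until then.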
To test that the account had admin permissions in both of AquaSec's GitHub organizations, public and private, TeamPCP created a new update-plugin-links-v0.218.2 branch in the public aquasecurity/trivy-plugin-aqua repository and then deleted it "at the exact same second."
The researchers believe that hackers obtained the PAT for the Argon-DevOps-Mgt service account using the TeamPCP Cloud stealer, which collects GitHub tokens, SSH keys, cloud credentials, and environment variables from CI runners.
"As a service account that triggers workflows on trivy-plugin-aqua, its token was present in the runner environment," OpenSourceMalware explains.
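Both behaviours OpenSourceMalware attributes to the attacker are detectable from activity logs: a burst of repository renames by one actor inside a couple of minutes, and a branch created and deleted in the same second as a permission probe. The detector below is an added example, not OpenSourceMalware's or Aqua Security's tooling. The events are constructed, and their normalized shape (`ts` in epoch seconds, `actor`, `action`, `repo`, `ref`) is an assumption; in practice you would map the GitHub organization audit log export (for `repo.rename`) and `create`/`delete` webhook deliveries (for refs) onto it.

```python
"""Detect mass repository renames and same-second branch create/delete probes.

Added example, not OpenSourceMalware's or Aqua Security's tooling. Event
records are constructed; the normalized field names are an assumption and
would be filled from the org audit log (repo.rename) and create/delete
ref webhooks in a real deployment.
"""
from collections import defaultdict

BASE = 1_774_000_000  # constructed epoch-seconds anchor, not a real timestamp

# Constructed: 44 renames by one actor 2 s apart, a same-second branch
# create/delete probe, and ordinary developer activity for contrast.
EVENTS = (
    [{"ts": BASE + 2 * i, "actor": "Argon-DevOps-Mgt", "action": "repo.rename",
      "repo": f"aquasec-com/repo-{i:02d}", "ref": None} for i in range(44)]
    + [
        {"ts": BASE + 600, "actor": "Argon-DevOps-Mgt", "action": "create",
         "repo": "aquasecurity/trivy-plugin-aqua", "ref": "update-plugin-links-v0.218.2"},
        {"ts": BASE + 600, "actor": "Argon-DevOps-Mgt", "action": "delete",
         "repo": "aquasecurity/trivy-plugin-aqua", "ref": "update-plugin-links-v0.218.2"},
        {"ts": BASE - 86400, "actor": "dev-alice", "action": "repo.rename",
         "repo": "aquasec-com/legacy", "ref": None},
        {"ts": BASE, "actor": "dev-alice", "action": "create",
         "repo": "aquasecurity/trivy", "ref": "fix/typo"},
        {"ts": BASE + 7 * 86400, "actor": "dev-alice", "action": "delete",
         "repo": "aquasecurity/trivy", "ref": "fix/typo"},
    ]
)


def rename_bursts(events, threshold=10, window=120):
    """Actors with >= threshold repo.rename events inside any window of `window` seconds."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] == "repo.rename":
            by_actor[e["actor"]].append(e["ts"])
    hits = {}
    for actor, stamps in by_actor.items():
        stamps.sort()
        best, j = 0, 0
        for i, start in enumerate(stamps):       # two-pointer sliding window
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            hits[actor] = best
    return hits


def probe_pairs(events, max_gap=1):
    """(actor, repo, ref) where a ref was created and deleted within max_gap seconds."""
    created, pairs = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):  # stable: create stays before delete
        key = (e["actor"], e["repo"], e["ref"])
        if e["action"] == "create" and e["ref"]:
            created[key] = e["ts"]
        elif e["action"] == "delete" and key in created:
            if e["ts"] - created.pop(key) <= max_gap:
                pairs.append(key)
    return pairs


if __name__ == "__main__":
    print("rename bursts:", rename_bursts(EVENTS))
    print("create/delete probes:", probe_pairs(EVENTS))
```

The thresholds are deliberately loose (ten renames in two minutes, a one-second create/delete gap) because neither pattern has a legitimate interactive equivalent; a migration script that renames repositories is the one expected source of false positives, and it should be a known, scheduled actor.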
OpenSourceMalware has provided a set of indicators of compromise that can help defenders determine if their environments have been impacted by the supply-chain attack.
Aqua Security says that it has no evidence that the Trivy version used in its commercial products has been impacted. "By design, the forked version of Aqua’s commercial platform lags Trivy open source with a controlled integration process."
However, the company promised to share updates as new details emerge and publish additional findings on Tuesday, at the end of the day.

Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.


The TeamPCP threat actor carried out a supply-chain attack on Aqua Security's Trivy vulnerability scanner that cascaded from the project's GitHub build pipeline to Docker Hub and to dozens of repositories in Aqua's GitHub organizations. The incident, as analyzed by Socket and OpenSourceMalware, shows how one long-lived CI credential and a mutable registry tag namespace turn a single compromise into a chain of them.

The chain began with an earlier incident against Trivy at the beginning of March. Aqua rotated secrets and tokens afterwards, but the rotation was not atomic, and the attackers appear to have obtained some of the refreshed tokens. With renewed access to Aqua's GitHub organization they injected credential-harvesting code (the TeamPCP Cloud stealer) into Trivy and published malicious versions of the tool. The stealer collects GitHub tokens, SSH keys, cloud credentials and environment variables from CI runners, and OpenSourceMalware assesses with high confidence that this is how the attackers obtained the Personal Access Token (PAT) of the Argon-DevOps-Mgt service account, which triggers workflows on trivy-plugin-aqua and had admin access to both the public aquasecurity and the private aquasec-com organizations. The account authenticated with a standard user's PAT rather than through a GitHub App: a PAT works like a password, can stay valid far longer than an App token, and, being used for automation, was not protected by MFA. On March 22 the attackers used it to rename all 44 repositories in aquasec-com with the prefix tpcp-docs- and set every description to "TeamPCP Owns Aqua Security," a scripted change that took about two minutes. The same day, Trivy image tags 0.69.5 and 0.69.6 appeared on Docker Hub with no corresponding GitHub release or tag; Socket found that both contain indicators of compromise tied to the stealer.

Aqua published clean Trivy releases on March 20 and brought in Sygnia for remediation and forensics. Its March 23 update acknowledged the renewed access and "unauthorized changes and repository tampering" on March 22, while stating that Trivy itself was not impacted this time. Aqua also reports no evidence that the Trivy version embedded in its commercial products was affected, because that fork deliberately lags the open-source project behind a controlled integration process.

OpenSourceMalware published a set of indicators of compromise for defenders checking whether their environments were affected. The route to the second intrusion, a long-lived PAT present in a CI runner environment on a service account without MFA, is a common weakness in DevOps environments: automation credentials are often both the least protected and the most powerful.

Two practical lessons follow. Docker Hub tags are not immutable, so a tag name alone is no guarantee of integrity: consumers should pin images by digest and cross-check newly published tags against upstream releases. And service accounts should authenticate with short-lived, narrowly scoped credentials such as GitHub App installation tokens, with post-incident credential rotation treated as a single complete operation rather than a gradual one.