Trivy supply chain attack spreads: Docker Hub, GitHub, and Kubernetes all affected


Overview

Cybersecurity researchers have discovered more malicious artifacts on Docker Hub related to a supply chain attack targeting the vulnerability scanner Trivy. This incident not only involves malware distribution but also extends to CI/CD pipelines, internal GitHub organizations, and Kubernetes infrastructure, indicating a serious level of spread. The last confirmed safe version of Trivy is 0.69.3. Versions:

  • 0.69.4 (removed)

  • 0.69.5

  • 0.69.6

all contain malware and are no longer safe to use.

Docker Hub exploited to distribute malware

The malicious Trivy images (0.69.5, 0.69.6) were pushed to Docker Hub without corresponding releases on GitHub, indicating clear signs of a breach.

Analysis shows these images contain:

  • Typosquatted C2 domain: scan.aquasecurtiy.org

  • Exfiltration files: payload.enc, tpcp.tar.gz

  • Link to GitHub repo backdoor: tpcp-docs-*

Notably, even though these images have been removed, they persist in caches and mirrors (e.g., mirror.gcr.io), so many pipelines inadvertently pull the malicious versions.
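Because the removed images can still arrive through a mirror or an internal registry, an inventory check has to look at the repository name and tag rather than the registry host. The following is an added example, not code from the original article or from the Trivy project; the verdict names, the sample references and the assumption that copies keep "trivy" as the repository name are illustrative.

```python
import re

# Per the article: 0.69.3 is the last confirmed safe release and
# 0.69.4, 0.69.5 and 0.69.6 contain malware.
LAST_SAFE = (0, 69, 3)
MALICIOUS = {(0, 69, 4), (0, 69, 5), (0, 69, 6)}
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:$|[-_.])")

def classify(image_ref):
    """Classify one image reference by repository name and tag."""
    name, _, digest = image_ref.partition("@")
    # Split the tag off the last path component only, so a registry
    # port (registry:5000/...) is not mistaken for a tag.
    last = name.rpartition("/")[2]
    repo, _, tag = last.partition(":")
    if repo != "trivy":  # assumption: copies keep "trivy" as the repo name
        return "not-trivy"
    if digest and not tag:
        return "verify-digest"  # no tag to judge by; compare the digest
    match = VERSION_RE.match(tag)
    if not match:
        return "floating-tag"  # empty, "latest", or another moving tag
    version = tuple(int(part) for part in match.groups())
    if version in MALICIOUS:
        return "malicious"
    if version > LAST_SAFE:
        return "above-last-safe"
    return "ok-by-tag"  # tags are mutable, so this is not proof

def audit(image_refs):
    """Return (ref, verdict) for every Trivy image that needs attention."""
    verdicts = ((ref, classify(ref)) for ref in image_refs)
    return [(r, v) for r, v in verdicts if v not in ("not-trivy", "ok-by-tag")]

# Constructed sample inventory (internal registry host and digest are made up).
SAMPLE_REFS = [
    "aquasec/trivy:0.69.3",
    "mirror.gcr.io/aquasec/trivy:0.69.5",
    "registry.internal.example:5000/tools/trivy:0.69.6-amd64",
    "aquasec/trivy:latest",
    "aquasec/trivy@sha256:" + "ab" * 32,
    "nginx:1.27",
]

if __name__ == "__main__":
    for ref, verdict in audit(SAMPLE_REFS):
        print(f"{verdict:16} {ref}")
```

Feed it the image list from your registries, runners and clusters; anything reported as "floating-tag" or "verify-digest" needs its digest compared against a known-good 0.69.3 image.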

Origin: Attack on Trivy's GitHub Actions

The attack originated from:

  • The attacker took over Trivy's GitHub Actions

  • Injected credential-stealing code into:

    • aquasecurity/trivy-action

    • aquasecurity/setup-trivy

This payload is designed to:

  • Collect GitHub tokens

  • Obtain SSH keys

  • Extract cloud credentials

  • Gather environment variables from CI runners

Escalation: From token theft to taking over GitHub organizations

A significant escalation step was the attacker using the stolen token to take over the internal GitHub organization aquasec-com.

Consequences:

  • 44 repositories were:

    • Renamed en masse with the prefix tpcp-docs-

    • Given the description "TeamPCP Owns Aqua Security"

    • All made public

Notably:

The entire action took place in about 2 minutes (20:31 → 20:32 UTC, 03/22/2026), which shows that:

  • The attack was fully automated (scripted via GitHub API)

  • Thoroughly prepared in advance.

Core weakness: Service account was compromised

Tracing the origin shows:

  • Compromised account: Argon-DevOps-Mgt

  • This is a service account using a long-lived token (PAT)

  • Has access to both organizations:

    • aquasecurity (public)

    • aquasec-com (internal)

=> Just one leaked token can lead to the entire system being compromised.

Signs of reconnaissance before the attack

7 hours before the defacement:

  • The attacker created and deleted a "ghost" branch: update-plugin-links-v0.218.2

  • No workflow triggered

  • No actual release exists

=> This was a test of the token to check access rights without drawing attention.

Expansion: Worm, npm packages, and wiper malware

After obtaining the credential:

1. Worm propagation (CanisterWorm)

  • Infects through npm packages

  • Spreads within the dev ecosystem

  • Uses ICP (Internet Computer) as C2

2. Wiper malware “kamikaze”

The new payload is more dangerous:

  • Main target: Kubernetes clusters (especially in Iran)

  • Behavior:

    • Deploys a DaemonSet across the entire cluster

    • Nodes in Iran:

      • Wiped completely (rm -rf /)

      • Forced to reboot

    • Other nodes: a backdoor is installed (systemd service)

3. Attack cloud infrastructure

TeamPCP also:

  • Exploits the Docker API (port 2375)

  • Attacks Redis and the Ray dashboard

  • Uses stolen SSH keys

  • Deploys:

    • Cryptomining Ransomware

    • Data exfiltration

Threat Actor: TeamPCP

TeamPCP (aka DeadCatx3, PCPcat, ShellForce) is a cloud-native attack group with increasingly advanced capabilities.

Key features:

  • Specializes in:

    • Kubernetes

    • Docker

    • CI/CD pipelines

  • Pioneered: a worm that uses ICP as C2

  • Tactics:

    • Supply chain attack

    • Credential harvesting

    • Large-scale automation

Scope of impact

  • The official image is not the only one affected.

  • Images that were:

    • Rebuilt from Trivy in CI/CD

    • Forks / derivatives

=> may have been indirectly infected with malware

Recommendations

FPT Threat Intelligence provides the following recommendations that must be implemented immediately:

  • Do not use Trivy versions above 0.69.3

  • Rotate all:

    • GitHub tokens

    • SSH keys

    • Cloud credentials

  • Check CI/CD runners for:

    • /tmp/pglog

    • Connections to an ICP domain

  • Use a more secure configuration

    • Pin GitHub Actions using commit SHA (avoid using tags)

    • Use short-lived tokens

    • Apply least privilege

    • Monitor pipelines like production

  • Check the system

    • Audit all:

      • CI/CD pipelines

      • Recently pulled Docker images

    • Check:

      • Kubernetes clusters

      • Publicly exposed Docker API (port 2375)
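One way to audit workflows for the "pin to commit SHA" recommendation is sketched below. It is an added example, not code from the original article or from Aqua Security; the finding labels, the sample workflow, its version tags and the placeholder SHA are all constructed for illustration.

```python
import re

# Actions the article names as having carried the credential-stealing code.
NAMED_IN_INCIDENT = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def audit_workflow(text):
    """Return (line_no, reference, issues) for each risky `uses:` line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        reference = match.group(1)
        if reference.startswith(("./", "docker://")):
            continue  # local actions and container images: out of scope here
        action, _, ref = reference.partition("@")
        repo = "/".join(action.split("/")[:2]).lower()  # drop any sub-path
        issues = []
        if not FULL_SHA_RE.fullmatch(ref):
            issues.append("unpinned")  # tag or branch: can be re-pointed
        if repo in NAMED_IN_INCIDENT:
            issues.append("named-in-incident")  # review even when pinned
        if issues:
            findings.append((line_no, reference, tuple(issues)))
    return findings

# Constructed sample workflow; the SHA and version tags are placeholders.
FAKE_SHA = "0123456789abcdef0123456789abcdef01234567"
SAMPLE = f"""\
on: push
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.0
      - name: Run Trivy
        uses: aquasecurity/trivy-action@{FAKE_SHA}
      - uses: actions/setup-go@{FAKE_SHA}
"""

if __name__ == "__main__":
    for line_no, reference, issues in audit_workflow(SAMPLE):
        print(f"line {line_no}: {reference} -> {', '.join(issues)}")
```

A SHA-pinned reference to one of the two named actions is still reported, because a pin only helps if the pinned commit is one you have verified as clean.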

Conclusion

This is a prime example of a "long-tail supply chain attack":

  • A previously stolen credential

  • Reused for:

    • Take over GitHub org

    • Distribute malware

    • Attack cloud infrastructure

This shows that the biggest weakness isn't a technical vulnerability, but rather:

Service account with overly broad permissions + long-lived token
