# Trivy supply chain attack spreads: Docker Hub, GitHub, and Kubernetes all affected

## Overview

Cybersecurity researchers have discovered more malicious artifacts on Docker Hub related to a supply chain attack targeting the vulnerability scanner Trivy. This incident not only involves malware distribution but also extends to **CI/CD pipelines**, **internal GitHub organizations**, and **Kubernetes** infrastructure, indicating a serious level of spread. The last confirmed safe version of Trivy is 0.69.3. Versions:

*   0.69.4 (removed)
    
*   0.69.5
    
*   0.69.6
    

all contain malware and are no longer safe to use.

## Docker Hub exploited to distribute malware

The malicious Trivy images (0.69.5, 0.69.6) were pushed to Docker Hub without corresponding releases on GitHub, indicating clear signs of a breach.

![](https://cdn.hashnode.com/uploads/covers/676511773cdd3c06f7b226ee/35b23a86-a6ce-4d61-b95f-e392a7659bac.png align="center")

Analysis shows these images contain:

*   Fake C2 domain: **scan.aquasecurtiy.org** (typosquatting)
    
*   File exfiltration: payload.enc, tpcp.tar.gz
    
*   Link to GitHub repo backdoor: **tpcp-docs-\***
    

Notably, even though these images have been removed, they still persist through cache/mirror (e.g., mirror.gcr.io), causing many pipelines to inadvertently pull the malicious version.

![](https://cdn.hashnode.com/uploads/covers/676511773cdd3c06f7b226ee/d8e1655c-49c0-433f-982c-ea108a8c7a98.png align="center")

## **Nguồn gốc: Tấn công GitHub Actions của Trivy**

The attack originated from:

*   The attacker took over Trivy's GitHub Actions
    
*   Injected credential-stealing code into:
    
    *   aquasecurity/trivy-action
        
    *   aquasecurity/setup-trivy
        

This payload is designed to:

*   Collect GitHub tokens
    
*   Obtain SSH keys
    
*   Extract cloud credentials
    
*   Gather environment variables from CI runners
    

## Escalation: From token theft to taking over GitHub organizations

A significant escalation step was the attacker using the stolen token to take over the internal GitHub organization aquasec-com.

Consequences:

*   44 repositories were:
    
    *   Rename en masse with the prefix tpcp-docs-
        
    *   Change description to: "TeamPCP Owns Aqua Security"
        
    *   Make all public
        

Notably:

The entire action took place in about 2 minutes (20:31 → 20:32 UTC, 03/22/2026) → proving:

*   The attack was fully automated (scripted via GitHub API)
    
*   Thoroughly prepared in advance.
    

## Core weakness: Service account was compromised

The trace origin shows:

*   Account was compromised: **Argon-DevOps-Mgt**
    

![](https://cdn.hashnode.com/uploads/covers/676511773cdd3c06f7b226ee/8d408923-54a4-4ce1-9e32-f9b8fefee803.png align="center")

*   This is a service account using a long-term token (PAT)
    
*   Has access to both organizations:
    
    *   **aquasecurity (public)**
        
    *   **aquasec-com (internal)**
        

\=> Just one leaked token can lead to the entire system being compromised.

## Signs of reconnaissance before the attack

7 hours before the defacement:

*   Attacker created and deleted a "ghost" branch.: **update-plugin-links-v0.218.2**
    
*   No workflow triggered
    
*   No actual release exists
    

\=> This was a test of the token to check access rights without drawing attention.

## Expansion: Worm, npm packages, and wiper malware

After obtaining the credential:

**1\. Spread worm (CanisterWorm)**

*   Infects through npm packages
    
*   Spreads within the dev ecosystem
    
*   Uses ICP (Internet Computer) as C2
    

**2\. Wiper malware “kamikaze”**

Payload mới nguy hiểm hơn:

*   Main target: Kubernetes clusters (especially in Iran)
    
*   Behavior:
    
    *   Deploy DaemonSet across the entire cluster
        
    *   Iran Node:
        
        *   Wipe completely (rm -rf /)
            
        *   Force reboot
            
    *   Other Nodes: Install backdoor (systemd service)
        

3\. Attack cloud infrastructure

TeamPCP also:

*   Exploit Docker API (port 2375)
    
*   Attack Redis, Ray dashboard
    
*   Use a stolen SSH key
    
*   Deploy:
    
    *   Cryptomining Ransomware
        
    *   Data exfiltration
        

## Threat Actor: TeamPCP

**TeamPCP** (aka DeadCatx3, PCPcat, ShellForce) is a cloud-native attack group with increasingly advanced capabilities.

Key features:

*   Specializes in:
    
    *   Kubernetes
        
    *   Docker
        
    *   CI/CD pipelines
        
*   Pioneer: Worm uses ICP as C2
    
*   Tactics:
    
    *   Supply chain attack
        
    *   Credential harvesting
        
    *   Large-scale automation
        

## Scope of impact

*   Not only the official image is affected.
    
*   Images:
    
    *   CI/CD rebuild from Trivy
        
    *   Fork / derivative
        

\=> May have indirectly infected with malware

## Recommendations

FPT Threat Intelligence provides the following recommendations that must be implemented immediately:

*   Do not use Trivy versions above 0.69.3
    
*   Rotate all:
    
    *   GitHub tokens
        
    *   SSH keys
        
    *   Cloud credentials
        
*   Check CI/CD runners:
    
    *   /tmp/pglog
        
    *   Connect to ICP domain
        
*   More secure configuration
    
    *   Pin GitHub Actions using commit SHA (avoid using tags)
        
    *   Use short-lived tokens
        
    *   Apply least privilege
        
    *   Monitor pipeline like production
        
*   Check the system
    
    *   Audit all:
        
        *   CI/CD pipelines
            
        *   Recently pulled Docker images
            
    *   Check:
        
        *   Kubernetes clusters
            
        *   Docker API public (port 2375)
            

## Conclusion

This is a prime example of a **"long-tail supply chain attack"**:

*   A previously stolen credential
    
*   Reused for:
    
    *   Take over GitHub org
        
    *   Distribute malware
        
    *   Attack cloud infrastructure
        

This shows that the biggest weakness isn't a technical vulnerability, but rather:

> Service account with overly broad permissions + long-lived token

## Reference

*   [https://opensourcemalware.com/blog/teampcp-aquasec-com-github-org-compromise](https://opensourcemalware.com/blog/teampcp-aquasec-com-github-org-compromise)
    
*   [https://socket.dev/blog/trivy-docker-images-compromised](https://socket.dev/blog/trivy-docker-images-compromised)
    
*   [https://thehackernews.com/2026/03/trivy-hack-spreads-infostealer-via.html](https://thehackernews.com/2026/03/trivy-hack-spreads-infostealer-via.html)
