Recent cybersecurity investigations have identified malicious artifacts that infiltrated Docker Hub, stemming from the Trivy supply chain attack. This incident illustrates the expanding impact such breaches can have on developer environments, raising significant concerns for businesses leveraging open-source tools.
The last known untainted version of Trivy, a widely used open-source vulnerability scanner, was 0.69.3. However, subsequent versions 0.69.4, 0.69.5, and 0.69.6 have been found to contain malicious code and have since been purged from the Docker Hub repository.
Socket security researcher Philipp Burckhardt noted that the recently released image tags 0.69.5 and 0.69.6 appeared on March 22 without any linked GitHub releases or associated tags, embedding indicators of compromise related to the TeamPCP infostealer. This infostealer has previously been linked to other attacks, underscoring a particular method of operation among the threat actors.
This breach follows a supply chain compromise involving Trivy, orchestrated by Aqua Security. The attackers exploited a compromised credential to distribute a credential-stealing malware through trojanized versions of the tool and two related GitHub Actions: “aquasecurity/trivy-action” and “aquasecurity/setup-trivy.”
As a result of this attack, multiple npm packages have been compromised, enabling the spread of a self-propagating worm named CanisterWorm, allegedly orchestrated by the group identified as TeamPCP. This incident illustrates the real risk to countless users and organizations relying on vulnerable software components.
The OpenSourceMalware team revealed that the attackers defaced all 44 internal repositories linked to Aqua Security’s “aquasec-com” GitHub organization. Each repository was renamed with a “tpcp-docs-” prefix and their descriptions changed to “TeamPCP Owns Aqua Security,” thereby exposing proprietary source code to the public. These repositories contained critical information, including internal Trivy forks, CI/CD pipelines, and Kubernetes operators.
The attack’s execution occurred rapidly, with a scripted modification of the repositories that took place over just over two minutes on March 22, 2026. Analysis suggests that the attackers used a compromised service account, possibly taken during earlier breaches, to gain access to both GitHub organizations associated with Aqua Security.
Adding to the complexity, the recent developments highlight a notable escalation from TeamPCP, showcasing their growing capabilities in targeting cloud infrastructures. This includes exploiting Docker APIs, Kubernetes clusters, and employing new wiper malware to erase data, as illustrated by a new variant referred to as “kamikaze,” which specifically targets systems located in Iran.
Aqua Security has since initiated a detailed investigation into the incident, focusing on ensuring that all access points have been secured. Their efforts have been supported by the identification of the incident under the CVE identifier CVE-2026-33634, as the threat landscape continues to evolve.
The insights provided by researchers emphasize the importance of vigilance within CI/CD environments, particularly the necessity of reviewing dependencies and monitoring workflows. This situation serves as a critical reminder to organizations to ensure their supply chain security practices are robust and to treat every segment of their codebase with the utmost scrutiny.
The implications of this attack serve as a cautionary tale for businesses striving to protect their operations from evolving cyber threats. Understanding the tactics and techniques framed within the MITRE ATT&CK Matrix could be instrumental in enhancing defense mechanisms against potential supply chain vulnerabilities.