Cybersecurity experts have uncovered a major escalation in the ongoing Trivy supply chain attack, with malicious Docker images distributing an infostealer, triggering a self-propagating worm, and deploying destructive Kubernetes wipers.
The compromise first surfaced after tampered versions of the popular open-source vulnerability scanner Trivy, maintained by Aqua Security, appeared on Docker Hub. Versions 0.69.4, 0.69.5, and 0.69.6 were identified as malicious and have since been removed. The last verified safe release is 0.69.3.
Security researcher Philipp Burckhardt from Socket explained, “The newly pushed 0.69.5 and 0.69.6 images contained indicators of compromise linked to TeamPCP’s infostealer campaign and had no corresponding GitHub releases or tags.”
The attackers leveraged a compromised credential to inject a credential-stealing trojan into Trivy and two associated GitHub Actions: aquasecurity/trivy-action and aquasecurity/setup-trivy. This compromise has had far-reaching consequences, including the contamination of several npm packages with the self-propagating CanisterWorm, attributed to the threat actor known as TeamPCP.
Investigations by OpenSourceMalware revealed that TeamPCP also defaced 44 internal repositories within Aqua Security’s “aquasec-com” GitHub organization. Repository names were prefixed with “tpcp-docs-,” descriptions were altered to “TeamPCP Owns Aqua Security,” and all repositories were made publicly accessible. Notably, this account is separate from Aqua Security’s main open-source organization, “aquasecurity,” which hosts Trivy and its GitHub Actions.
The attack was executed within an extremely short window on March 22, 2026, from 20:31:07 to 20:32:26 UTC, using a compromised service account, Argon-DevOps-Mgt. According to security researcher Paul McCarty, this single account bridges both GitHub organizations, granting attackers extensive write and admin access.
TeamPCP’s tactics demonstrate an alarming evolution in cloud-targeted attacks. Beyond credential theft, the group has deployed wiper malware that destroys entire Kubernetes clusters, particularly in Iran, while installing the CanisterWorm backdoor on other systems. Aikido security researcher Charlie Eriksen detailed that Iranian nodes running Kubernetes are wiped and force-rebooted, while non-Iranian systems receive the worm as a persistent systemd service. Non-Kubernetes hosts in Iran are subjected to destructive shell commands.
Cybersecurity teams are urged to immediately audit Trivy usage within CI/CD pipelines, avoid deploying the affected versions, and assume that any recent run of a compromised image may have been exploited. OpenSourceMalware emphasized the long-lasting impact of supply chain attacks, noting that credentials stolen months ago were weaponized to compromise critical internal repositories.
Aqua Security confirmed in a March 23, 2026 update that the investigation is ongoing, with no evidence indicating commercial product compromise. CrowdStrike advised developers to pin GitHub Actions to specific commit SHAs rather than tags and to monitor CI/CD runners as rigorously as production infrastructure.
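As an added example (not code from the article or from any vendor it names), the following Python audit applies the two recommendations above to a GitHub Actions workflow file: it flags the two named actions when they are referenced by a mutable tag or branch instead of a commit SHA, and flags references to the malicious Trivy image versions. The `aquasec/trivy` Docker Hub image name and the sample workflow (including its placeholder commit SHA) are assumptions made for the example.

```python
import re

# Values from the article: malicious image versions, last safe release, affected actions.
MALICIOUS_TRIVY_VERSIONS = {"0.69.4", "0.69.5", "0.69.6"}
LAST_SAFE_TRIVY_VERSION = "0.69.3"
AFFECTED_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

# Matches "uses: owner/repo[/subpath]@ref" lines; the Trivy image name is assumed to be aquasec/trivy.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[\w./-]*)?@(\S+)", re.M)
IMAGE_RE = re.compile(r"\baquasec/trivy:([\w.-]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (severity, reference, message) findings for one workflow file's text."""
    findings = []
    for m in USES_RE.finditer(text):
        action, ref = m.group(1), m.group(2)
        pinned = bool(SHA_RE.match(ref))
        if action in AFFECTED_ACTIONS:
            if pinned:
                # Immutable, but still confirm the SHA predates the compromise window.
                findings.append(("info", f"{action}@{ref}", "pinned to a commit SHA; verify it against upstream history"))
            else:
                findings.append(("high", f"{action}@{ref}", "mutable tag/branch reference; pin to a reviewed commit SHA"))
        elif not pinned:
            findings.append(("low", f"{action}@{ref}", "third-party action not pinned to a commit SHA"))
    for m in IMAGE_RE.finditer(text):
        tag = m.group(1)
        if tag in MALICIOUS_TRIVY_VERSIONS:
            findings.append(("critical", f"aquasec/trivy:{tag}", "known-malicious image; treat the runner and its secrets as compromised"))
        elif tag == "latest":
            # A floating tag may have resolved to a malicious version during the incident window.
            findings.append(("high", f"aquasec/trivy:{tag}", f"floating tag; pin to {LAST_SAFE_TRIVY_VERSION} or a digest and review recent runs"))
    return findings


# Constructed sample workflow; the checkout SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: scan
jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: aquasec/trivy:0.69.5
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/setup-trivy@v0.2.0
      - uses: aquasecurity/trivy-action@master
"""

if __name__ == "__main__":
    for severity, ref, msg in audit_workflow(SAMPLE_WORKFLOW):
        print(f"[{severity}] {ref}: {msg}")
```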
This incident highlights the growing sophistication of supply chain and cloud-native attacks, targeting even security vendors themselves.