Trivy supply‑chain attack spreads to Docker, GitHub repos

The Trivy supply-chain incident has taken another turn as the same threat actors broaden their reach beyond Aqua Security’s own repositories. After gaining initial footholds by compromising the Trivy build pipeline, the TeamPCP group appears to have extended its operations to both Docker Hub and Aqua Security’s GitHub organizations, leaving dozens of repositories exposed to tampering and the distribution of potentially malicious artifacts.

Initial activity tied to Trivy involved a breach of the GitHub build pipeline used to produce the Trivy scanner. That exposure enabled attackers to deploy credential-harvesting code, known in the chatter as the TeamPCP Cloud stealer, and to push compromised builds into the ecosystem. The broader objective seems to have been to insert malicious components into supply chains that would reach developers who rely on Trivy to detect vulnerabilities, misconfigurations, and exposed secrets.

Compounding the danger, researchers reported that new Docker image tags labeled 0.69.5 and 0.69.6 appeared on March 22 without accompanying GitHub releases or tags. These images, according to the analysis, carried indicators of compromise associated with the infostealer that had already been deployed in the earlier GitHub-based campaign. The discovery underscores a core risk in container ecosystems: Docker Hub tags are not immutable, and relying solely on tag names for integrity is insufficient. The last widely recognized Trivy release in circulation before these tags was 0.69.3, heightening concern about potential erosion of trust in the supply chain between published artifacts and their declared provenance.

Timeline details from Aqua Security indicate that on March 20 the company acknowledged that a threat actor had gained access to Aqua’s GitHub organization due to incomplete containment of a prior incident. While secrets and tokens were rotated, the process reportedly was not atomic, and attackers may have had visibility into refreshed tokens. This gap allowed the attackers to inject credential-harvesting capabilities into Trivy and to publish malicious tool versions that could bypass standard checks.

In response, Aqua Security moved quickly to publish safe, clean versions of Trivy on March 20 and enlisted the help of the incident-response firm Sygnia to conduct remediation and forensic work. Nevertheless, a follow-up update published on March 22 indicated that the same adversaries had re-established unauthorized access and executed further “unauthorized changes and repository tampering.” Despite these developments, Aqua asserted that Trivy itself was not impacted in its commercial products, noting that the forked integration pathway used for the commercial platform lagged behind the open-source release with a controlled integration process.

Independent malware intelligence platforms have provided additional context. OpenSourceMalware reports that TeamPCP gained access to Aqua Security’s aquasec-com GitHub organization—distinct from Aqua’s public aquasecurity repositories—through an automation workflow. The attackers allegedly added the prefix tpcp-docs- to all 44 repositories in that organization and altered repository descriptions to read “TeamPCP Owns Aqua Security.” They are believed to have accessed the environment via a service account named Argon-DevOps-Mgt, which possessed credentials tied to a Personal Access Token rather than a GitHub App. Because PATs can behave like passwords and often lack MFA protections, their misuse can grant broad permissions, especially when associated with automated workflows.

The attackers reportedly verified admin permissions by creating and then deleting a branch in a public Trivy plugin repository—an action that was executed with precise timing. OpenSourceMalware explains that the TeamPCP Cloud stealer likely harvested tokens and other sensitive data from CI runners, leaving tokens and keys exposed in the runner environment. IOCs (indicators of compromise) have been published to help defenders determine whether their environments have been touched by this supply-chain incident.

From Aqua Security’s point of view, there is no current evidence that Trivy used in their commercial offerings has been compromised. The company emphasizes that the commercial platform operates with a forked code path that runs on a controlled integration process, designed to mitigate the risk of cross-contamination from the open-source project. Still, the organization promised ongoing updates as new findings come to light and indicated that more forensic results would be shared in future briefings.

The open dialogue around this incident highlights several actionable takeaways for defenders and platform operators. First, the immutability of build artifacts and the integrity of container image tags demand more robust controls beyond tag names. Second, token lifecycle management—ensuring atomic rotations and MFA-protected service accounts for CI workflows—remains critical in reducing the blast radius of such intrusions. Third, the incident demonstrates the importance of continuous monitoring for unauthorized changes in both public and private repositories, and of rapid containment when first signs of a breach appear.

In this evolving situation, Aqua Security’s stance remains measured: acknowledge the breach, publish safe fixes, bring in expert help, and communicate forthcoming updates as investigations proceed. While Trivy’s commercial offerings have not shown signs of impact, the broader ecosystem should treat this as a cautionary tale about supply-chain risk, the fragility of automated pipelines, and the imperative of layered security controls across GitHub organizations, container registries, and the code that ties them together. The incident serves as a reminder that even well-regarded open-source tools can become vectors for broader compromises, and that vigilance must scale with the ecosystems that depend on them.