Back to News
Cyber Attack

Trivy Supply Chain Hack Spreads Infostealer, Worm and Kubernetes Wiper

CyberSecurityWaala 4 days ago Mar 23, 2026
Trivy Supply Chain Hack Spreads Infostealer, Worm and Kubernetes Wiper

Security teams are dealing with a much bigger Trivy incident than a simple tool compromise. Researchers say the attack that hit the popular vulnerability scanner, which Aqua Security maintains, has now spread through Docker Hub, GitHub, npm, SSH, Docker APIs and even Kubernetes clusters, turning one stolen credential into a wide ranging campaign.

Malicious Trivy images appeared on Docker Hub

Socket security researcher Philipp Burckhardt said, “New image tags 0.69.5 and 0.69.6 were pushed on March 22 without corresponding GitHub releases or tags. Both images contain indicators of compromise associated with the same TeamPCP infostealer observed in earlier stages of this campaign.”

Socket also said the last known clean Trivy release on Docker Hub is 0.69.3, while the malicious 0.69.4, 0.69.5 and 0.69.6 images have now been removed from the container library.

In simple terms, a supply chain attack tries to poison trusted software that other teams already use. When attackers tamper with a scanner like Trivy, the bad code can reach development pipelines, build servers and container systems without raising immediate suspicion. That is what makes this case so dangerous. The tool itself is trusted, but the infected version can quietly ride along with normal developer work.

How the stolen data spread

The incident began with a supply chain compromise of Trivy and related GitHub Actions, including aquasecurity/trivy-action and aquasecurity/setup-trivy, after attackers used a stolen credential to push a credential stealer into trojanized versions of the tool.

OpenSourceMalware said the stolen data was then used to compromise dozens of npm packages and distribute a self propagating worm known as CanisterWorm. The group said the campaign is believed to be the work of a threat actor tracked as TeamPCP.

OpenSourceMalware also said the attackers defaced all 44 internal repositories tied to Aqua Security’s aquasec-com GitHub organization. According to the team, each repository was renamed with a tpcp-docs- prefix, all descriptions were changed to “TeamPCP Owns Aqua Security,” and the repositories were exposed publicly. The changes were carried out in a scripted two minute burst between 20:31:07 UTC and 20:32:26 UTC on March 22, 2026.

Security researcher Paul McCarty said GitHub Events API data points to a compromised service account token, likely stolen during the earlier Trivy GitHub Actions compromise, as the entry point for the defacement. He described Argon-DevOps-Mgt as a service or bot account with GitHub ID 139343333, created on 2023-07-12, that bridges both GitHub organizations. “One compromised token for this account gives the attacker write/admin access to both organizations,” McCarty added.

From theft to destruction

Researchers say TeamPCP has also kept improving its malware. The group has built a reputation for targeting cloud infrastructure and exposed services, including Docker APIs, Kubernetes clusters, Ray dashboards and Redis servers, with the goal of stealing data, deploying ransomware, extortion and even cryptocurrency mining.

A newer payload tied to the same actor goes further by spreading through SSH using stolen keys and by abusing exposed Docker APIs on port 2375 across the local subnet.

Aikido security researcher Charlie Eriksen said the latest payload goes beyond credential theft and can wipe whole Kubernetes clusters located in Iran. “On Kubernetes: deploys privileged DaemonSets across every node, including control plane,” Eriksen said. “Iranian nodes get wiped and force rebooted via a container named ‘kamikaze.’ Non Iranian nodes get the CanisterWorm backdoor installed as a systemd service. Non K8s Iranian hosts get ‘rm -rf / –no-preserve-root.'”

The message for defenders is clear. OpenSourceMalware said the compromise shows the long tail of supply chain attacks, where a credential stolen months earlier can still be used today to reach fresh victims. Organizations should review where Trivy is used in CI/CD pipelines, avoid the affected versions, and treat any recent Trivy execution as potentially compromised. Teams should also look for suspicious GitHub repository changes, unusual service account activity and signs of Docker, Kubernetes or SSH abuse.

For now, the campaign shows how a single weak point can move from a developer tool to an infostealer, then to a worm, and finally to a wiper. That escalation is why security researchers are urging companies to audit trusted tooling just as carefully as they inspect public facing systems.

#Cybersecurity #Trivy #DockerHub #SupplyChainAttack #Kubernetes #Infostealer

#Botnet #Data Exfiltration