Trivy Supply Chain Attack Unleashes Infostealer, Kubernetes Wiper via Docker Hub; TeamPCP Suspected

Trivy Supply Chain Attack: Infostealer Propagation via Docker Hub and Kubernetes Wiper Deployment

In a significant cybersecurity incident, researchers have identified malicious artifacts disseminated through Docker Hub, stemming from a supply chain attack on Trivy, a widely used open-source vulnerability scanner maintained by Aqua Security. This breach has led to the distribution of infostealer malware and the deployment of a Kubernetes wiper, underscoring the escalating threats within developer environments.

Discovery of Malicious Docker Images

The last verified clean release of Trivy on Docker Hub is version 0.69.3. Subsequent versions—0.69.4, 0.69.5, and 0.69.6—were identified as compromised and have been removed from the platform. Notably, versions 0.69.5 and 0.69.6 were uploaded on March 22 without corresponding releases or tags on GitHub. These images contained indicators of compromise linked to the TeamPCP infostealer, consistent with earlier stages of this campaign.

Supply Chain Compromise Details

The attack exploited a compromised credential to inject a credential-stealing component into trojanized versions of Trivy and two associated GitHub Actions: aquasecurity/trivy-action and aquasecurity/setup-trivy. This breach has had cascading effects, with the attackers utilizing the stolen data to compromise numerous npm packages, facilitating the spread of a self-propagating worm known as CanisterWorm. The threat actor behind this campaign is identified as TeamPCP.
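
As an added illustration (not code from Aqua Security or from the original article), the following Python check scans CI and container files for the Trivy image tags listed above as compromised and for uses of the two named actions that are not pinned to a full commit SHA. It assumes the Docker Hub repository name aquasec/trivy; the sample workflow and its refs are constructed.

```python
import re

# Tags the article lists as compromised; 0.69.3 is the last verified clean release.
COMPROMISED_TAGS = {"0.69.4", "0.69.5", "0.69.6"}
# GitHub Actions the article names as trojanized.
WATCHED_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

# Assumption: the Docker Hub repository is aquasec/trivy (optionally docker.io/-prefixed).
IMAGE_RE = re.compile(r"(?<![\w./-])(?:docker\.io/)?aquasec/trivy(?![\w./-])"
                      r"(?::v?([\w.-]+))?(@sha256:[0-9a-f]{64})?")
USES_RE = re.compile(r"uses:\s*['\"]?([\w.-]+/[\w.-]+)@([\w./-]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def scan(name, text):
    """Return (file, line, severity, message) findings for one file's text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):      # skip YAML/Dockerfile comments
            continue
        for m in IMAGE_RE.finditer(line):
            tag, digest = m.groups()
            if tag in COMPROMISED_TAGS:
                findings.append((name, no, "critical", f"compromised Trivy tag {tag}"))
            elif digest is None and tag in (None, "latest"):
                findings.append((name, no, "warning", "floating Trivy image reference"))
        m = USES_RE.search(line)
        # A full commit SHA is immutable; a tag or branch can be repointed.
        if m and m.group(1).lower() in WATCHED_ACTIONS and not FULL_SHA_RE.fullmatch(m.group(2)):
            findings.append((name, no, "warning", f"{m.group(1)}@{m.group(2)} is a mutable ref"))
    return findings


# Constructed sample workflow (not taken from any real repository).
SAMPLE = """\
jobs:
  scan:
    steps:
      - uses: aquasecurity/setup-trivy@v1
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - run: docker run --rm aquasec/trivy:0.69.5 image app:dev
      - run: docker run --rm docker.io/aquasec/trivy:0.69.3 fs .
      - run: docker pull aquasec/trivy
"""

if __name__ == "__main__":
    for finding in scan("ci.yml", SAMPLE):
        print(*finding, sep="\t")
```

A SHA pin only makes the reference immutable; the pinned commit still has to be checked against a known-good release.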

Defacement of Aqua Security Repositories

Further analysis revealed that all 44 internal repositories within Aqua Security’s aquasec-com GitHub organization were defaced. The attackers renamed each repository with a “tpcp-docs-” prefix, altered descriptions to state “TeamPCP Owns Aqua Security”, and made them publicly accessible. It’s important to note that aquasec-com is distinct from Aqua Security’s primary GitHub organization, aquasecurity, which hosts the affected Trivy scanner and other open-source projects. The compromised organization contains proprietary source code, including internal Trivy forks, CI/CD pipelines, Kubernetes operators, and team knowledge bases.

Attack Execution and Methodology

The defacement occurred in a rapid, scripted sequence lasting approximately two minutes between 20:31:07 UTC and 20:32:26 UTC on March 22, 2026. Investigations suggest that the attackers leveraged a compromised Argon-DevOps-Mgt service account for this operation. Forensic analysis of the GitHub Events API indicates that a stolen service account token—likely obtained during TeamPCP’s prior compromise of Trivy GitHub Actions—served as the attack vector. This service account, created on July 12, 2023, possesses critical access, bridging both GitHub organizations. A single compromised token for this account granted the attackers write and administrative access to both organizations.
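
An added example, not taken from the article or from Aqua Security's tooling: a sliding-window detector for the pattern described above, where one account renames or publishes many repositories within minutes. The event fields, action labels, account names and sample data are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: simplified audit events; the field names (ts, actor, action, repo)
# and the action labels below are hypothetical, not a real export schema.
RISKY = {"repo.rename", "repo.visibility_public"}


def detect_bursts(events, window=timedelta(minutes=5), min_repos=5):
    """Alert when one actor renames or publishes >= min_repos repos within window."""
    parsed = [(datetime.fromisoformat(e["ts"]), e) for e in events if e["action"] in RISKY]
    recent = defaultdict(deque)              # actor -> (time, repo) inside the window
    alerts = {}
    for t, ev in sorted(parsed, key=lambda p: p[0]):
        q = recent[ev["actor"]]
        q.append((t, ev["repo"]))
        while t - q[0][0] > window:          # expire events older than the window
            q.popleft()
        repos = {r for _, r in q}
        if len(repos) >= min_repos:
            a = alerts.setdefault(ev["actor"], {"first": q[0][0], "repos": set()})
            a["last"] = t
            a["repos"] |= repos
    return alerts


def sample_events():
    """Constructed data: one routine rename plus a scripted 44-repo burst."""
    base = datetime.fromisoformat("2026-03-22T20:31:07+00:00")
    evs = [{"ts": "2026-03-22T09:15:00+00:00", "actor": "dev-alice",
            "action": "repo.rename", "repo": "docs"}]
    for i in range(44):
        ts = (base + timedelta(seconds=1.8 * i)).isoformat()
        for action in ("repo.rename", "repo.visibility_public"):
            evs.append({"ts": ts, "actor": "svc-example-bot",
                        "action": action, "repo": f"internal-{i:02d}"})
    return evs


if __name__ == "__main__":
    for actor, a in detect_bursts(sample_events()).items():
        print(actor, len(a["repos"]), "repos", a["first"], "->", a["last"])
```

Keying on the actor and the rate of change rather than on the "tpcp-docs-" prefix keeps the rule useful if the naming changes.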

Escalation of Threat Actor Capabilities

This incident marks a significant escalation in TeamPCP’s capabilities. The group has a history of targeting cloud infrastructures and has progressively developed methods to exploit exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers. Their activities encompass data theft, ransomware deployment, extortion, and cryptocurrency mining.

Introduction of Kubernetes Wiper Malware

A particularly concerning development is the emergence of a new wiper malware attributed to TeamPCP. This malware propagates through SSH using stolen keys and exploits exposed Docker APIs on port 2375 across local subnets. The payload extends beyond credential theft, actively wiping entire Kubernetes (K8s) clusters, with observed incidents targeting clusters located in Iran. The shell script associated with this payload utilizes the same ICP canister linked to CanisterWorm and performs checks to identify Iranian IP addresses before executing the wiper functionality.

Implications and Recommendations

This attack underscores the critical importance of securing supply chains and the potential for widespread impact when trusted tools are compromised. Developers and organizations are urged to:

– Verify Integrity of Tools: Regularly confirm the authenticity and integrity of tools and dependencies, especially those sourced from public repositories.

– Monitor for Unauthorized Changes: Implement monitoring mechanisms to detect unauthorized modifications to repositories and artifacts.

– Secure Credentials: Employ robust credential management practices, including the use of multi-factor authentication and regular rotation of access tokens.

– Limit Service Account Privileges: Restrict service account permissions to the minimum necessary and monitor their usage for anomalies.

– Enhance Incident Response Plans: Develop and regularly update incident response plans to address potential supply chain attacks and associated threats.

By adopting these measures, organizations can bolster their defenses against sophisticated supply chain attacks and mitigate the risks posed by advanced threat actors like TeamPCP.