Trivy Hack spreads Infostealer via Docker and triggers worm and Kubernetes Wiper
Ravi Lakshmanan, March 23, 2026, Cloud security / DevOps

Cybersecurity researchers have discovered malicious artifacts distributed via Docker Hub in the wake of the Trivy supply chain attack, highlighting the growing blast radius of the incident across developer environments.

The latest known clean release of Trivy on Docker Hub is 0.69.3. Malicious versions 0.69.4, 0.69.5, and 0.69.6 have since been removed from the container image library.

“New image tags 0.69.5 and 0.69.6 were pushed on March 22nd without a corresponding GitHub release or tag. Both images contain indicators of compromise related to the same TeamPCP infostealer observed earlier in this campaign,” said Socket security researcher Philipp Burckhardt.

This development follows a supply chain breach of Trivy, a popular open source vulnerability scanner maintained by Aqua Security, in which attackers used compromised credentials to push a credential stealer through a trojanized version of the tool and two associated GitHub Actions, ‘aquasecurity/trivy-action’ and ‘aquasecurity/setup-trivy’.

The attack also had downstream effects, with the attackers using the stolen data to compromise dozens of npm packages and distribute a self-propagating worm known as CanisterWorm. This incident is believed to be the work of a threat actor tracked as TeamPCP.

According to the OpenSourceMalware team, the attackers modified all 44 internal repositories associated with Aqua Security’s “aquasec-com” GitHub organization, renaming each repository with the “tpcp-docs-” prefix, setting all descriptions to “TeamPCP Owns Aqua Security” and making them publicly available.

All repositories were allegedly modified in a scripted two-minute burst between 20:31:07 UTC and 20:32:26 UTC on March 22, 2026. There is high confidence that the attackers used the compromised ‘Argon-DevOps-Mgt’ service account for this purpose.

“Our forensic analysis of the GitHub Events API indicates that the attack vector is a compromised service account token, likely stolen during a previous Trivy GitHub Actions breach by TeamPCP,” said security researcher Paul McCarty. “This is a service/bot account (GitHub ID 139343333, created on July 12, 2023) with the important property of bridging both GitHub organizations.”

“One of the compromised tokens in this account gives the attacker write/administrative access to both organizations,” McCarty added.

This development is the latest escalation by a threat actor that has built a reputation for targeting cloud infrastructure, gradually expanding its capabilities by exploiting exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers to steal data, deploy ransomware, perform extortion, and mine cryptocurrencies.

The group's sophistication is best illustrated by the emergence of new wiper malware that spreads over SSH using stolen keys and abuses the Docker API exposed on port 2375 on local subnets.

A new payload attributed to TeamPCP went beyond credential theft and was found to wipe entire Kubernetes (K8s) clusters located in Iran. The shell script uses the same ICP canister linked to CanisterWorm and performs checks to identify Iranian systems.

“On Kubernetes: Deploy a privileged DaemonSet on every node, including the control plane,” said Charlie Eriksen, a security researcher at Aikido. “Iranian nodes will be wiped and forced to restart via a container named ‘kamikaze’. On non-Iranian nodes, the CanisterWorm backdoor is installed as a systemd service. Non-K8s Iranian hosts get ‘rm -rf / --no-preserve-root’.”

Given the nature of the ongoing attack, it is imperative that organizations review their use of Trivy in their CI/CD pipelines, avoid using affected versions, and treat recent runs as potentially compromised.
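One way to start that review, as an added example that is not from the article or from Aqua Security: a small scanner that walks CI configuration text for the two affected actions and for Docker Hub `aquasecurity/trivy` image tags, grading each against the version data reported above. The sample workflow it runs over is constructed for illustration, and the regex-based matching is an assumption that stands in for a real YAML parser.

```python
import re

# Versions from the article: the last known clean Docker Hub release and the
# malicious tags that were pushed without a matching GitHub release.
LAST_CLEAN = "0.69.3"
MALICIOUS = {"0.69.4", "0.69.5", "0.69.6"}

# Constructed sample workflow text (not a real project file).
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: aquasecurity/setup-trivy@v0.2.3
      - uses: aquasecurity/trivy-action@master
      - run: docker run --rm aquasecurity/trivy:0.69.5 image myapp:latest
      - run: docker run --rm aquasecurity/trivy:0.69.3 fs .
"""

ACTION_RE = re.compile(r"uses:\s*aquasecurity/(trivy-action|setup-trivy)@(\S+)")
IMAGE_RE = re.compile(r"aquasecurity/trivy:(\d+\.\d+\.\d+)")

def _ver(v):
    return tuple(int(p) for p in v.split("."))

def classify_image(version):
    """Verdict for a Docker Hub trivy tag, using the article's version data."""
    if version in MALICIOUS:
        return "malicious"
    if _ver(version) <= _ver(LAST_CLEAN):
        return "clean"
    return "unknown: newer than last known clean tag, verify before use"

def find_trivy_refs(text):
    """Return (line_no, kind, ref, verdict) for every Trivy reference in CI text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in ACTION_RE.finditer(line):
            # Both actions were trojanized. A branch or tag is mutable and can move
            # to malicious code; only a full commit SHA pins, and it still needs review.
            ref = m.group(2)
            verdict = ("sha-pinned: confirm the commit is known-good"
                       if re.fullmatch(r"[0-9a-f]{40}", ref)
                       else "unpinned: treat recent runs as potentially compromised")
            findings.append((n, m.group(1), ref, verdict))
        for m in IMAGE_RE.finditer(line):
            findings.append((n, "image", m.group(1), classify_image(m.group(1))))
    return findings
```

Any `malicious` or `unpinned` finding should be paired with a rotation of secrets that were available to the corresponding pipeline runs.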

“This breach illustrates the long tail of supply chain attacks,” OpenSourceMalware said. “Credentials collected in the Trivy GitHub Actions breach several months ago were weaponized today to compromise an entire internal GitHub organization. The Argon-DevOps-Mgt service account, a single bot account that bridges the two organizations with a long-lived PAT, was the weak link.”

“From cloud exploits to supply chain worms to Kubernetes wipers, they are building capabilities and targeting the security vendor ecosystem itself. The irony of cloud security companies being compromised by cloud-native threat actors should not be lost on the industry.”
