Malicious Docker Hub Artifacts Discovered After Trivy Supply Chain Attack

Cybersecurity researchers have identified malicious artifacts distributed through Docker Hub following the recent Trivy supply chain attack, raising fresh concerns about the widening impact on developer environments and CI/CD pipelines.

According to researchers, the last known clean release of Trivy available on Docker Hub was version 0.69.3. The malicious versions — 0.69.4, 0.69.5, and 0.69.6 — were later removed from the platform after being linked to indicators of compromise associated with the TeamPCP infostealer.

Security researcher Philipp Burckhardt stated that versions 0.69.5 and 0.69.6 were uploaded on March 22, 2026, without corresponding GitHub releases or tags, making the activity highly suspicious. Both images reportedly contained signs of compromise tied to the same malware family observed in earlier stages of the campaign.

Attack Linked to Earlier Trivy Supply Chain Compromise

The discovery follows a larger supply chain breach involving Trivy, the widely used open-source vulnerability scanner maintained by Aqua Security. In that earlier compromise, threat actors allegedly used a stolen credential to distribute trojanized versions of the tool, as well as two related GitHub Actions: aquasecurity/trivy-action and aquasecurity/setup-trivy.

The incident has since created downstream effects. Researchers say the attackers used stolen data to compromise dozens of npm packages and spread a self-propagating worm known as CanisterWorm. The overall campaign is believed to be the work of a threat actor tracked as TeamPCP.

Aqua Security’s Internal GitHub Repositories Allegedly Defaced

According to the OpenSourceMalware team, the attackers also targeted Aqua Security’s internal GitHub organization, identified as aquasec-com. All 44 internal repositories in that organization were allegedly renamed with the prefix “tpcp-docs-”, given the description “TeamPCP Owns Aqua Security,” and then exposed publicly.

Researchers noted that the aquasec-com organization is separate from Aqua Security’s public-facing aquasecurity GitHub organization, which hosts Trivy and other open-source projects. However, the compromised internal organization reportedly contained proprietary source code, including internal Trivy forks, Tracee-related code, CI/CD pipelines, Kubernetes operators, and internal team knowledge bases.

The repository modifications were said to have occurred in a scripted burst lasting roughly two minutes, between 20:31:07 UTC and 20:32:26 UTC on March 22, 2026. Investigators believe the attacker may have used a compromised service account called Argon-DevOps-Mgt to carry out the operation.

Compromised Service Account May Have Bridged Two GitHub Organizations

Security researcher Paul McCarty said forensic analysis of the GitHub Events API strongly suggests that the attackers leveraged a stolen service account token, likely obtained during the earlier Trivy GitHub Actions compromise. The service account reportedly had a critical role: it linked both the internal aquasec-com and public aquasecurity GitHub organizations.

This meant that a single compromised token may have granted the attackers write or admin access to both organizations, significantly increasing the blast radius of the breach.

TeamPCP Expands Capabilities Beyond Credential Theft

Researchers say the latest developments reflect a broader escalation by TeamPCP, a threat actor already known for targeting cloud environments, exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers. The group has been linked to campaigns involving data theft, ransomware deployment, extortion, and cryptocurrency mining.

Its growing sophistication is highlighted by the discovery of a new wiper malware that spreads via SSH using stolen keys and exploits exposed Docker APIs on port 2375 across local networks. Researchers also found a new payload attributed to TeamPCP that goes beyond data theft and instead targets Kubernetes clusters in Iran for destructive attacks.

According to Aikido Security researcher Charlie Eriksen, the malware deploys privileged DaemonSets across all nodes in a Kubernetes environment. Systems identified as Iranian are allegedly wiped and force-rebooted through a container named “kamikaze.” Non-Iranian nodes instead receive the CanisterWorm backdoor as a systemd service, while non-Kubernetes Iranian systems are reportedly hit with destructive commands that erase the host.

Organizations Urged to Review Trivy Usage

Because the campaign is still unfolding, security experts are urging organizations to immediately review how Trivy is being used in their CI/CD workflows, avoid the affected versions, and treat any recent execution of the compromised images as potentially unsafe.

Researchers said the incident demonstrates the long-tail impact of supply chain attacks, where credentials stolen in one breach can later be weaponized to target connected systems and organizations. In this case, the Argon-DevOps-Mgt bot account reportedly became the weak link that enabled attackers to jump across environments.

Aqua Security Responds

In an update shared on March 23, 2026, Aqua Security said its investigation remains active and is focused on confirming that all access paths have been identified and fully closed. The company also stated that there is no indication its commercial products were impacted by the incident.

Separately, CrowdStrike noted that the attack did not rely on especially novel tactics. According to the company, the attacker used existing write access to force-push tags to a malicious commit and took advantage of the fact that many workflows reference GitHub Actions by tag instead of commit SHA. CrowdStrike advised defenders to pin actions by commit SHA, closely monitor CI/CD runners, and treat pipeline code with the same security rigor as production infrastructure.

Conclusion

The discovery of malicious Docker Hub artifacts linked to the Trivy supply chain attack marks a serious escalation in a campaign that now appears to span container registries, GitHub organizations, npm packages, and Kubernetes environments. The incident underscores how a single compromised credential can trigger widespread downstream risk across the software supply chain.