VYPR · Breach · Published Mar 23, 2026 · Updated May 18, 2026 · 1 source

Trivy Supply Chain Attack Expands With New Compromised Docker Images

The Trivy vulnerability scanner supply chain attack has escalated with two additional malicious Docker images, 0.69.5 and 0.69.6, both containing the TeamPCP infostealer, as Aqua Security confirms ongoing repository tampering.

The supply chain attack against Aqua Security's Trivy vulnerability scanner has expanded significantly, with security researchers identifying two new compromised Docker images uploaded to Docker Hub on March 22, 2026. The malicious images, tagged 0.69.5 and 0.69.6, both contain the TeamPCP infostealer previously observed in the initial breach of version 0.69.4 on March 19. The attack began when threat actors compromised official releases and GitHub Actions; using the access gained through that GitHub Actions compromise, the attackers have now broadened it to additional artifacts distributed through Docker Hub.

According to a new analysis published on March 22 by Socket researchers, both newly identified images contain indicators of compromise (IoCs) associated with the TeamPCP infostealer. The latest tag currently points to version 0.69.6, which is also confirmed to be compromised. On Monday, March 23, Aqua Security published an update confirming that the team had identified additional suspicious activity on Sunday, March 22, involving unauthorized changes and repository tampering. "Based on our current understanding, this activity is consistent with the attacker's previously observed behavior," the Aqua Security update stated.

The list of affected versions now spans several releases: 0.69.3 remains the last known clean release; 0.69.4 was the initial compromised release and has been removed; 0.69.5 and 0.69.6 were later identified as compromised images. The malicious binaries contained typosquatted command-and-control (C2) domains, exfiltration files, and references to attacker-controlled repositories used during the campaign. Security teams warned that Docker tags are not immutable and should not be relied upon for integrity verification.

The incident appears to have escalated beyond Docker images. Researchers reported that an internal GitHub organization linked to Aqua Security was briefly exposed, with dozens of repositories renamed and made public during the attack. Investigators believe the attacker used a compromised service account token that had access to multiple GitHub organizations. The repositories were reportedly modified in a scripted burst lasting roughly two minutes, suggesting automated activity rather than manual intrusion. The compromised account is believed to have been previously exposed during the earlier GitHub Actions breach.

The attack has also been linked to broader malicious activity associated with the TeamPCP threat group. Investigators say the group has expanded its operations beyond credential theft to include worm propagation, ransomware deployment, cryptocurrency mining, and destructive attacks targeting Kubernetes environments. Socket warned that organizations using Trivy in CI/CD pipelines should review recent activity and treat recent scans as potentially compromised. There is no indication that Aqua Security's commercial products were impacted by this incident, including Trivy as delivered within the Aqua Platform.

This expanding supply chain attack underscores the growing risk to software development pipelines, where a single compromised dependency can cascade across thousands of organizations. The use of Docker Hub as a distribution vector for malicious images, combined with the compromise of GitHub Actions tokens, demonstrates a sophisticated multi-vector approach by the attackers. Organizations are advised to verify the integrity of any Trivy images pulled since March 19 and to audit CI/CD pipeline activity for signs of compromise.
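As an added example (not code from the article, Aqua Security, or Socket), the POSIX shell audit below checks image references found in CI pipeline definitions against the Trivy tags this report names and flags any reference that is not digest-pinned. It assumes the Docker Hub image name aquasec/trivy; the sha256 digest in the sample is a constructed placeholder.

```shell
# Added example, not from the article, Aqua Security or Socket. Audits image
# references (as found in CI configs) against the Trivy tags the report names.
# Assumes the Docker Hub image is aquasec/trivy; the digest below is a
# constructed placeholder, not a real Trivy image digest.

# Tags the report identifies as compromised; "latest" is included because the
# report says it resolved to 0.69.6 at the time of writing.
COMPROMISED_TAGS="0.69.4 0.69.5 0.69.6 latest"

# classify_ref REF: prints "pinned" (carries an @sha256: digest, immutable),
# "compromised" (a trivy image whose tag is in COMPROMISED_TAGS), or
# "unpinned" (tag-only reference; tags can be re-pointed, so not verifiable).
classify_ref() {
    ref="$1"
    case "$ref" in
        *@sha256:*) echo pinned; return 0 ;;
    esac
    # Last path component holds "name[:tag]"; a missing tag means "latest".
    name="${ref##*/}"
    case "$name" in
        *:*) tag="${name##*:}" ;;
        *)   tag=latest ;;
    esac
    case "${name%%:*}" in
        trivy)
            for bad in $COMPROMISED_TAGS; do
                [ "$tag" = "$bad" ] && { echo compromised; return 0; }
            done ;;
    esac
    echo unpinned
}

# audit_refs: reads one reference per line on stdin, prints "<status> <ref>"
# for each, and returns 1 if any reference is compromised.
audit_refs() {
    rc=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        status=$(classify_ref "$line")
        printf '%-12s %s\n' "$status" "$line"
        [ "$status" = compromised ] && rc=1
    done
    return "$rc"
}

# Constructed sample references, as they might appear in pipeline definitions.
SAMPLE_REFS='aquasec/trivy:0.69.3
aquasec/trivy:0.69.5
aquasec/trivy:latest
aquasec/trivy@sha256:0000000000000000000000000000000000000000000000000000000000000000'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_REFS" | audit_refs
fi
```

Run with `--demo` to audit the embedded sample; in a real pipeline, feed the image references extracted from your CI definitions into `audit_refs` and fail the job on a non-zero return.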

Synthesized by Vypr AI