
Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper

Cybersecurity researchers have uncovered malicious artifacts distributed via Docker Hub following the Trivy supply chain attack, highlighting the widening blast radius across developer environments.

The last known clean release of Trivy on Docker Hub is 0.69.3. The malicious versions 0.69.4, 0.69.5, and 0.69.6 have since been removed from the container image library.

“New image tags 0.69.5 and 0.69.6 were pushed on March 22 without corresponding GitHub releases or tags. Both images contain indicators of compromise associated with the same TeamPCP infostealer observed in earlier stages of this campaign,” Socket security researcher Philipp Burckhardt said.

The development comes in the wake of a supply chain compromise of Trivy, a popular open-source vulnerability scanner maintained by Aqua Security, which allowed the threat actors to leverage a compromised credential to push a credential stealer inside trojanized versions of the tool and two related GitHub Actions, “aquasecurity/trivy-action” and “aquasecurity/setup-trivy.”

The attack has had downstream impacts, with the attackers leveraging the stolen data to compromise dozens of npm packages to distribute a self-propagating worm known as CanisterWorm. The incident is believed to be the work of a threat actor tracked as TeamPCP.


According to the OpenSourceMalware team, the attackers defaced all 44 internal repositories associated with Aqua Security’s “aquasec-com” GitHub organization by renaming each of them with a “tpcp-docs-” prefix, setting all descriptions to “TeamPCP Owns Aqua Security,” and exposing them publicly.

All of the repositories are said to have been modified in a scripted 2-minute burst between 20:31:07 UTC and 20:32:26 UTC on March 22, 2026. It has been assessed with high confidence that the threat actor leveraged a compromised “Argon-DevOps-Mgt” service account for this purpose.

“Our forensic analysis of the GitHub Events API points to a compromised service account token — likely stolen during TeamPCP’s prior Trivy GitHub Actions compromise — as the attack vector,” security researcher Paul McCarty said. “This is a service/bot account (GitHub ID 139343333, created 2023-07-12) with a critical property: it bridges both GitHub orgs.”

“One compromised token for this account gives the attacker write/admin access to both organizations,” McCarty added.


The development is the latest escalation from a threat actor that has built a reputation for targeting cloud infrastructure, while progressively building capabilities to systematically target exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers to steal data, deploy ransomware, conduct extortion, and mine cryptocurrency.

Their growing sophistication is best exemplified by the emergence of a new wiper malware that spreads over SSH using stolen keys and exploits exposed Docker APIs on port 2375 across the local subnet.

A new payload attributed to TeamPCP has been found to go beyond credential theft to wiping entire Kubernetes (K8s) clusters located in Iran. The shell script uses the same ICP canister linked to CanisterWorm and then runs checks to identify Iranian systems.

“On Kubernetes: deploys privileged DaemonSets across every node, including control plane,” Aikido security researcher Charlie Eriksen said. “Iranian nodes get wiped and force-rebooted via a container named ‘kamikaze.’ Non-Iranian nodes get the CanisterWorm backdoor installed as a systemd service. Non-K8s Iranian hosts get ‘rm -rf / --no-preserve-root.’”


Given the ongoing nature of the attack, it is essential that organizations review their use of Trivy in CI/CD pipelines, avoid using the affected versions, and treat any recent executions as potentially compromised.
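As an added example (not code from the article or from Aqua Security), the following audit helper walks a CI workflow file and flags the three malicious Docker Hub tags named above, any `aquasecurity/trivy-action` or `aquasecurity/setup-trivy` reference that is not pinned to a full commit SHA, and mutable `latest` image tags. The Docker Hub repository name `aquasec/trivy`, the sample workflow and the action version `v0.2.0` in it are assumptions constructed for the demonstration.

```python
from __future__ import annotations
import re

# Versions named in the article: last known-clean Docker Hub tag and the malicious tags.
LAST_CLEAN_TAG = "0.69.3"
MALICIOUS_TAGS = {"0.69.4", "0.69.5", "0.69.6"}

# Actions named as trojanized in the article; 'aquasec/trivy' is the assumed Docker Hub repo name.
USES_RE = re.compile(r"uses:\s*(aquasecurity/(?:trivy-action|setup-trivy))@(\S+)")
IMAGE_RE = re.compile(r"(?:image|uses):\s*(?:docker://)?(?:docker\.io/)?aquasec/trivy:(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text: str) -> list[tuple[int, str, str]]:
    """Return (line, severity, message) for every Trivy reference that needs attention."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if m := USES_RE.search(line):
            action, ref = m.groups()
            if not SHA_RE.match(ref):
                # A tag or branch can be re-pointed by whoever holds the repo credential.
                findings.append((lineno, "high",
                                 f"{action}@{ref} is a mutable ref; pin to a full commit SHA"))
        if m := IMAGE_RE.search(line):
            tag = m.group(1)
            if tag in MALICIOUS_TAGS:
                findings.append((lineno, "critical",
                                 f"aquasec/trivy:{tag} is a known-malicious tag; treat runs as compromised"))
            elif tag == "latest":
                findings.append((lineno, "high",
                                 f"aquasec/trivy:latest is mutable; pin {LAST_CLEAN_TAG} by digest"))
    return findings

# Constructed sample workflow (not from the article): a malicious image tag,
# a tag-pinned action and a SHA-pinned action.
SAMPLE_WORKFLOW = """\
name: scan
jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: aquasec/trivy:0.69.5
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.0
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for lineno, severity, message in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno} [{severity}] {message}")
```

Run it over each `.github/workflows/*.yml` and compose file in a repository; a critical finding means the pipeline executed a malicious build and its secrets should be rotated.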

“This compromise demonstrates the long tail of supply chain attacks,” OpenSourceMalware said. “A credential harvested during the Trivy GitHub Actions compromise months ago was weaponized today to deface an entire internal GitHub organization. The Argon-DevOps-Mgt service account — a single bot account bridging two orgs with a long-lived PAT — was the weak link.”

“From cloud exploitation to supply chain worms to Kubernetes wipers, they’re building capability and targeting the security vendor ecosystem itself. The irony of a cloud security company being compromised by a cloud-native threat actor should not be lost on the industry.”
