Trivy Docker Hub Compromise: How TeamPCP Weaponized Container Images to Spread Infostealer Across Developer Environments

The cybersecurity landscape shifted on March 25, 2026, as researchers confirmed that the Trivy supply chain attack had expanded far beyond its initial GitHub Actions compromise, with malicious Docker images distributing a potent infostealer across thousands of developer environments worldwide. The incident underscores how a single credential compromise can cascade through the modern software supply chain with devastating efficiency.

The Exploit Mechanics

The attack began with the compromise of an open-source vulnerability scanner maintained by Aqua Security. Threat actors operating under the moniker TeamPCP leveraged a stolen credential to push trojanized versions of the scanner to Docker Hub, the world’s largest container image registry. The last known clean release, version 0.69.3, was followed by three malicious versions: 0.69.4, 0.69.5, and 0.69.6. Each contained the TeamPCP infostealer, a credential-stealing payload designed to harvest authentication tokens, SSH keys, and cloud credentials from developer machines.

Socket security researcher Philipp Burckhardt confirmed that versions 0.69.5 and 0.69.6 were pushed on March 22 without corresponding GitHub releases or tags—a critical red flag that indicated the Docker Hub publishing pipeline had been compromised independently of the source code repository. Both images contained indicators of compromise consistent with the same TeamPCP infostealer observed in earlier stages of the campaign.

The malicious images operated silently within CI/CD pipelines, exfiltrating credentials from build environments that typically have elevated access to production systems. Because the scanner is widely used in security-conscious organizations—including those in the cryptocurrency and Web3 space—the blast radius extended to teams that had specifically adopted the tool to improve their security posture.

Affected Systems

The downstream impact proved severe. Using credentials stolen through the initial compromise, the attackers expanded their reach to dozens of npm packages, distributing a self-propagating worm dubbed CanisterWorm. This worm could spread autonomously across interconnected development environments, making remediation particularly challenging.

In a dramatic escalation, TeamPCP defaced all 44 internal repositories within Aqua Security’s “aquasec-com” GitHub organization. The defacement occurred in a scripted two-minute burst between 20:31:07 UTC and 20:32:26 UTC on March 22: each repository was renamed with a “tpcp-docs-” prefix and its description was set to “TeamPCP Owns Aqua Security.” Forensic analysis of the GitHub Events API traced the attack to a compromised “Argon-DevOps-Mgt” service account, whose token was likely stolen during the prior GitHub Actions compromise.

The “aquasec-com” organization contained proprietary source code for Tracee, internal Trivy forks, CI/CD pipelines, Kubernetes operators, and team knowledge bases. While distinct from the public “aquasecurity” organization that hosts the open-source scanner, the breach exposed internal development infrastructure and potentially sensitive operational details.

The Mitigation Strategy

Organizations using the affected scanner versions must take immediate action. Security teams should verify that all container images are pinned to version 0.69.3 or earlier, rotate all credentials that were accessible from CI/CD pipelines using the compromised versions, and audit Docker Hub pull histories for any instances of versions 0.69.4 through 0.69.6.
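One way to run the pinning audit described above across CI configuration, as an added example that is not part of the original article or of the Trivy project. It assumes the scanner's Docker Hub repository is `aquasec/trivy` (the article does not name it); the function names and the sample workflow are constructed for illustration.

```python
import re

# Versions the article names as malicious, and the last known clean release.
COMPROMISED = {(0, 69, 4), (0, 69, 5), (0, 69, 6)}
LAST_CLEAN = (0, 69, 3)

# Assumption: the scanner's Docker Hub repository is "aquasec/trivy".
# Optional registry or mirror prefix, then an optional tag and/or digest.
IMAGE_RE = re.compile(
    r"(?:[\w.-]+(?::\d+)?/)?aquasec/trivy"
    r"(?::(?P<tag>\w[\w.-]*))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
)

def classify(tag, digest):
    """Map one image reference to a finding."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-[\w.]+)?", tag or "")
    version = tuple(map(int, m.groups())) if m else None
    if version in COMPROMISED:
        return "COMPROMISED"      # rotate every secret the job could read
    if digest:
        return "DIGEST_PINNED"    # immutable; compare against a known-good digest
    if version is None:
        return "FLOATING"         # latest, no tag or partial tag: target can change
    return "OK" if version <= LAST_CLEAN else "UNVERIFIED"

def audit(text, source="<input>"):
    """Return (source, line_no, reference, finding) for each scanner image reference."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in IMAGE_RE.finditer(line):
            findings.append((source, line_no, m.group(0), classify(m["tag"], m["digest"])))
    return findings

# Constructed sample: a CI workflow fragment, not taken from any real project.
SAMPLE = """\
jobs:
  scan:
    container: aquasec/trivy:0.69.3
    steps:
      - run: docker run --rm docker.io/aquasec/trivy:0.69.5 image app:dev
      - run: docker run --rm aquasec/trivy image app:dev
      - run: docker pull mirror.internal:5000/aquasec/trivy:latest
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "ci.yml"):
        print(*finding, sep="\t")
```

`FLOATING` references deserve the same credential rotation as `COMPROMISED` ones if the job ran during the exposure window, because the tag could have resolved to any of the three malicious versions.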

The cryptocurrency sector faces particular risk. With Bitcoin trading at approximately $71,300 on March 25, 2026, and the total crypto market cap exceeding $2.1 trillion, the financial incentives for attackers targeting developer infrastructure have never been higher. Web3 development teams should assume that any credentials used in build pipelines during the exposure window are compromised and rotate them immediately.

Lessons Learned

The Trivy incident reinforces several critical principles for supply chain security. First, service accounts with broad permissions represent high-value targets that require additional protections including IP restrictions, short-lived tokens, and monitoring for anomalous access patterns. Second, the gap between source code integrity and distribution channel integrity can be exploited independently—organizations must secure both their repositories and their package registries. Third, the speed of the defacement operation—44 repositories in under two minutes—demonstrates that attackers are using automation to maximize impact before defenders can respond.
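The monitoring for anomalous access patterns recommended above can be as simple as a sliding-window count per account; the following added example (not code from the article or from Aqua Security) flags an account that renames many distinct repositories within two minutes. The event schema, the `repo.rename` action string and the account names are assumptions, and the sample events are constructed to mirror the 44-repository, 79-second burst the article reports.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"

def detect_bursts(events, action="repo.rename", threshold=10,
                  window=timedelta(minutes=2)):
    """Return {actor: alert} for actors that hit `threshold` distinct
    repositories with `action` inside one sliding `window`."""
    recent = defaultdict(deque)      # actor -> (timestamp, repo) pairs still in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 UTC sorts lexically
        if ev["action"] != action or ev["actor"] in alerts:
            continue
        ts = datetime.strptime(ev["ts"], FMT)
        q = recent[ev["actor"]]
        q.append((ts, ev["repo"]))
        while ts - q[0][0] > window:                   # drop events older than the window
            q.popleft()
        repos = {repo for _, repo in q}
        if len(repos) >= threshold:
            alerts[ev["actor"]] = {"window_start": q[0][0], "alerted_at": ts,
                                   "repos": len(repos)}
    return alerts

def sample_events():
    """Constructed audit events; field names and actor names are hypothetical."""
    start = datetime(2026, 3, 22, 20, 31, 7)
    burst = [{"actor": "svc-devops-example", "action": "repo.rename",
              "repo": f"internal-repo-{i:02d}",
              # 44 renames spread over the 79 seconds the article reports
              "ts": (start + timedelta(seconds=i * 79 // 43)).strftime(FMT)}
             for i in range(44)]
    normal = [{"actor": "dev-example", "action": "repo.rename", "repo": r, "ts": t}
              for r, t in [("docs", "2026-03-22T09:00:00Z"),
                           ("tools", "2026-03-22T15:00:00Z")]]
    return normal + burst

if __name__ == "__main__":
    for actor, alert in detect_bursts(sample_events()).items():
        print(actor, alert["repos"], "repos by", alert["alerted_at"].strftime(FMT))
```

With a threshold of 10 the alert fires 16 seconds into the burst, which is the margin an automated response such as token revocation would have before the remaining repositories are touched.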

User Action Required

Developers and security teams should immediately verify their Trivy installations, check Docker Hub pull logs for compromised versions, rotate all potentially exposed credentials, and implement image signing and verification for all third-party container images. For cryptocurrency projects, this includes wallet private keys, API keys for exchange accounts, and smart contract deployment credentials that may have been accessible from affected build environments. The malicious images have been removed from Docker Hub, but local caches and mirror registries may still contain compromised versions.


7 thoughts on “Trivy Docker Hub Compromise: How TeamPCP Weaponized Container Images to Spread Infostealer Across Developer Environments”

  1. 0xRiskAssessor.eth

    targeting the security scanner itself is next level irony. it's like poisoning the food inspector instead of the food

  2. Alex 'DevOps' Chen

    This Trivy compromise is a nightmare scenario for CI/CD pipelines. As someone who works on DeFi integrations, the idea of an infostealer sitting in a container image used for security scanning is peak irony. We need better attestation for Docker images because trusting tags is clearly not enough anymore. TeamPCP is getting way too sophisticated for the average dev to keep up.

    1. Alex is right about attestation. sigstore and cosign exist for exactly this reason. no excuse for teams pulling unverified images in 2026

  3. CryptoWhale_99

    I don’t code myself but I follow these security updates closely to see which projects might be at risk. If the developers’ environments are compromised, then the whole protocol’s integrity is basically gone. It’s crazy how a simple Docker pull can lead to a full-blown drainer attack. Stay vigilant everyone, security is a full-time job in this industry!

  4. @SatoshiNakamotoJr

    This is exactly why I’ve moved my entire workflow to Nix and avoid Docker Hub for anything mission-critical. The centralization of image registries is a single point of failure that hackers are clearly exploiting now. TeamPCP’s infostealer is nasty, but the real issue is our reliance on these massive, opaque platforms. Decentralize your build process or get rekt.

  5. Elena Rodriguez

    Really helpful breakdown of the TeamPCP tactics. I’ve been hearing rumors about the Trivy issue in some Discord circles but this confirms the worst. It’s scary how they target the very tools we use to stay safe. Definitely sharing this with my team so we can audit our local images and clear out anything suspicious before the next sprint starts.

    1. stablecoin_andy

      Elena sharing with her team is the right move. incidents like this only get contained when the info spreads faster than the malware
