
The TeamPCP hackers behind the Trivy supply-chain attack continued to target Aqua Security, pushing malicious Docker images and hijacking the company’s GitHub organization to tamper with dozens of repositories.
This follows the threat actor compromising the GitHub build pipeline for Trivy, Aqua Security’s scanner, to deliver infostealing malware in a supply-chain attack that extended to Docker Hub over the weekend.
Trivy has more than 33,800 stars on GitHub and is widely used for detecting vulnerabilities, misconfigurations, and exposed secrets across software artifacts and infrastructure.
Supply-chain security company Socket says in a report on Sunday that it identified compromised Trivy artifacts published to Docker Hub.
“New image tags 0.69.5 and 0.69.6 were pushed on March 22 without corresponding GitHub releases or tags,” Socket researchers say. According to their analysis, the two images contain indicators of compromise related to the infostealer that TeamPCP pushed after gaining access to Aqua Security’s GitHub organization.
The researchers note that the last known legitimate Trivy release is 0.69.3 and warn that, even though they saw no evidence of older images or binaries being modified after publication, “Docker Hub tags are not immutable, and organizations should not rely solely on tag names for integrity.”
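The two checks that follow from Socket's finding are (1) compare the tags on Docker Hub against the project's GitHub releases, so a tag with no matching release stands out, and (2) pull and verify by digest rather than by tag. The script below is an added example, not Socket's or Aqua Security's code. It works on constructed data whose shape mirrors the Docker Hub tag listing (`results[].name`, `results[].digest`) and the GitHub releases API (`tag_name`); the digests are placeholders, and `aquasec/trivy` is used only as the image name.

```python
"""Added example: flag Docker Hub tags that have no GitHub release, and pin by digest.

Assumption: Trivy's GitHub release tags carry a 'v' prefix (v0.69.3) while the
Docker Hub tags do not (0.69.3); the data below is constructed, not live.
"""
import hmac
import re

# Constructed stand-in for GET https://hub.docker.com/v2/repositories/aquasec/trivy/tags
DOCKERHUB_TAGS = {
    "results": [
        {"name": "0.69.3", "digest": "sha256:" + "a" * 64, "last_updated": "2026-03-10T12:00:00Z"},
        {"name": "0.69.5", "digest": "sha256:" + "b" * 64, "last_updated": "2026-03-22T09:14:00Z"},
        {"name": "0.69.6", "digest": "sha256:" + "c" * 64, "last_updated": "2026-03-22T09:20:00Z"},
        {"name": "latest", "digest": "sha256:" + "c" * 64, "last_updated": "2026-03-22T09:20:00Z"},
    ]
}

# Constructed stand-in for GET https://api.github.com/repos/aquasecurity/trivy/releases
GITHUB_RELEASES = [{"tag_name": "v0.69.3"}, {"tag_name": "v0.69.2"}]

SEMVER = re.compile(r"^v?(\d+\.\d+\.\d+)$")


def normalize_version(tag):
    """Map 'v0.69.3' or '0.69.3' to '0.69.3'; return None for non-version tags such as 'latest'."""
    match = SEMVER.match(tag)
    return match.group(1) if match else None


def unreleased_tags(dockerhub, releases):
    """Return Docker Hub version tags that have no corresponding GitHub release, sorted."""
    released = {normalize_version(r["tag_name"]) for r in releases}
    released.discard(None)
    flagged = []
    for entry in dockerhub["results"]:
        version = normalize_version(entry["name"])
        # Floating tags like 'latest' are skipped; they are expected to move.
        if version is not None and version not in released:
            flagged.append(entry["name"])
    return sorted(flagged)


def digest_for_tag(dockerhub, tag):
    """Look up the digest currently behind a tag (the value that can silently change)."""
    for entry in dockerhub["results"]:
        if entry["name"] == tag:
            return entry["digest"]
    return None


def pinned_reference(repo, tag, digest):
    """Build a reference the container runtime resolves by digest, so a re-pushed tag cannot substitute content."""
    return f"{repo}:{tag}@{digest}"


def digest_matches(expected, observed):
    """Constant-time comparison of two 'sha256:<hex>' digests recorded at review time vs. pull time."""
    return hmac.compare_digest(expected.encode(), observed.encode())


if __name__ == "__main__":
    print("Tags without a GitHub release:", unreleased_tags(DOCKERHUB_TAGS, GITHUB_RELEASES))
    known_good = digest_for_tag(DOCKERHUB_TAGS, "0.69.3")
    print("Pin in manifests as:", pinned_reference("aquasec/trivy", "0.69.3", known_good))
```

Record the digest of the release you reviewed and pin that in Dockerfiles and CI manifests; the tag-versus-release comparison is a cheap periodic check that would have surfaced 0.69.5 and 0.69.6 on the day they appeared.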
Breaching AquaSec’s GitHub
On March 20, Aqua Security said that the threat actor gained access to the company’s GitHub organization due to incomplete containment of a previous incident targeting the same tool at the beginning of the month.
“We rotated secrets and tokens, but the process wasn’t atomic and attackers may have been privy to refreshed tokens,” Aqua Security
This allowed the attacker to inject credential-harvesting code (the TeamPCP Cloud stealer) into Trivy and publish malicious versions of the tool.
Aqua responded to this incident by publishing new, safe versions of Trivy on March 20 and engaging the incident response firm Sygnia to assist them with remediation and forensic investigation.
However, in an update published today, Aqua noted that it identified additional suspicious activity on March 22, indicating that the same threat actor had re-established unauthorized access and performed “unauthorized changes and repository tampering.”
The company noted that, despite this new development, Trivy was not impacted at this time.
An analysis from OpenSourceMalware, a community-driven malware intelligence platform, explains that TeamPCP gained access to the aquasec-com GitHub organization, where Aqua Security hosts its proprietary code, separate from the company’s aquasecurity GitHub organization for public repositories.
Using an automation script, it took the hackers about two minutes to add the prefix tpcp-docs- to all 44 repositories available in the company’s GitHub organization and change all descriptions to read “TeamPCP Owns Aqua Security.”
The researchers have high confidence that the attacker gained access by compromising a service account named Argon-DevOps-Mgt, which had access to both of Aqua Security’s GitHub organizations.
According to OpenSourceMalware, the targeted service account authorized actions based on a Personal Access Token (PAT) of a standard user instead of a GitHub App.
The issue is that PAT authentication functions like a password and is valid for a longer period than the token of a GitHub App. Additionally, a service account is typically used for automated tasks and does not have multi-factor authentication (MFA) protection.
To test that the account had admin permissions for both of AquaSec’s public and private GitHub organizations, TeamPCP created a new update-plugin-links-v0.218.2 branch in the public aquasecurity/trivy-plugin-aqua repository, which they then deleted “at the exact same second.”
The researchers believe that hackers obtained the PAT for the Argon-DevOps-Mgt service account using the TeamPCP Cloud stealer, which collects GitHub tokens, SSH keys, cloud credentials, and environment variables from CI runners.
“As a service account that triggers workflows on trivy-plugin-aqua, its token was present in the runner environment,” OpenSourceMalware explains.
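Two of the details above are detectable in an organization's audit log: a service account authenticating with a personal access token instead of a GitHub App installation, and a branch that is created and deleted by the same actor within seconds (a permissions probe). The script below is an added example, not OpenSourceMalware's or Aqua Security's code. It runs over constructed events whose field names follow GitHub's audit-log export (`actor`, `action`, `repo`, `programmatic_access_type`, `created_at`); the action names `branch.create`/`branch.delete`, the `ref` field, and the `programmatic_access_type` values are assumptions chosen for illustration, and `Argon-DevOps-Mgt` is the account named in the report.

```python
"""Added example: triage audit-log-style events for PAT-authenticated service accounts
and for branches that are created and deleted within seconds.

All events below are constructed; check your export's action and field names before use.
"""
from datetime import datetime

# Hypothetical allowlist of known automation accounts in the organization.
SERVICE_ACCOUNTS = {"Argon-DevOps-Mgt"}

EVENTS = [
    {"created_at": "2026-03-22T10:00:00Z", "actor": "Argon-DevOps-Mgt", "action": "branch.create",
     "repo": "aquasecurity/trivy-plugin-aqua", "ref": "refs/heads/update-plugin-links-v0.218.2",
     "programmatic_access_type": "Personal access token"},
    {"created_at": "2026-03-22T10:00:00Z", "actor": "Argon-DevOps-Mgt", "action": "branch.delete",
     "repo": "aquasecurity/trivy-plugin-aqua", "ref": "refs/heads/update-plugin-links-v0.218.2",
     "programmatic_access_type": "Personal access token"},
    {"created_at": "2026-03-22T10:02:00Z", "actor": "Argon-DevOps-Mgt", "action": "repo.rename",
     "repo": "aquasec-com/example-private-repo",
     "programmatic_access_type": "Personal access token"},
    {"created_at": "2026-03-22T10:30:00Z", "actor": "dev-alice", "action": "branch.create",
     "repo": "aquasecurity/trivy", "ref": "refs/heads/feature-x", "programmatic_access_type": ""},
    {"created_at": "2026-03-22T11:10:00Z", "actor": "dev-alice", "action": "branch.delete",
     "repo": "aquasecurity/trivy", "ref": "refs/heads/feature-x", "programmatic_access_type": ""},
    {"created_at": "2026-03-22T12:00:00Z", "actor": "release-bot[bot]", "action": "repo.rename",
     "repo": "aquasecurity/example", "programmatic_access_type": "GitHub App server-to-server token"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def service_account_pat_actions(events, service_accounts):
    """Events where a known automation account acted with a PAT (password-like, long-lived, no MFA)."""
    return [
        e for e in events
        if e["actor"] in service_accounts
        and e.get("programmatic_access_type", "").lower().startswith("personal access token")
    ]


def probe_branches(events, max_seconds=5):
    """Pair branch create/delete on the same (actor, repo, ref); flag pairs closed within max_seconds."""
    pending = {}
    hits = []
    # Stable sort keeps a create ahead of a delete that shares the same second.
    for e in sorted(events, key=lambda ev: parse_ts(ev["created_at"])):
        key = (e["actor"], e["repo"], e.get("ref"))
        if e["action"] == "branch.create":
            pending[key] = parse_ts(e["created_at"])
        elif e["action"] == "branch.delete" and key in pending:
            lifetime = (parse_ts(e["created_at"]) - pending.pop(key)).total_seconds()
            if lifetime <= max_seconds:
                hits.append({"actor": e["actor"], "repo": e["repo"], "ref": e["ref"], "seconds": lifetime})
    return hits


def triage(events, service_accounts=SERVICE_ACCOUNTS):
    """Return both findings in one structure for a dashboard or ticket."""
    return {
        "pat_service_account_actions": service_account_pat_actions(events, service_accounts),
        "probe_branches": probe_branches(events),
    }


if __name__ == "__main__":
    report = triage(EVENTS)
    print(f"{len(report['pat_service_account_actions'])} PAT-authenticated service-account actions")
    for hit in report["probe_branches"]:
        print(f"probe: {hit['actor']} created and deleted {hit['ref']} in {hit['repo']} within {hit['seconds']:.0f}s")
```

The PAT check is the structural finding: an automation identity that holds a user PAT with access to several organizations should be replaced by a GitHub App installation with short-lived, scoped tokens, and any PAT that was ever present in a CI runner environment should be treated as exposed and revoked rather than merely rotated.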
OpenSourceMalware has provided a set of indicators of compromise that can help defenders determine if their environments have been impacted by the supply-chain attack.
Aqua Security says that it has no evidence that the Trivy version used in its commercial products has been impacted. “By design, the forked version of Aqua’s commercial platform lags Trivy open source with a controlled integration process.”
However, the company promised to share updates as new details emerge and to publish additional findings by the end of the day on Tuesday.