The recent expansion of a supply chain attack targeting the widely utilized vulnerability scanner, Trivy, has significantly widened its impact. Initially, the attack began with a compromise in GitHub Actions and has now extended to Docker Hub, where three malicious Docker image versions have been discreetly uploaded, potentially affecting developers globally.
The Impact on DevSecOps Teams
Trivy is essential for numerous DevSecOps teams, offering scanning capabilities for container images, file systems, and code repositories to detect known security vulnerabilities. Its seamless integration into CI/CD pipelines poses a risk, as a single compromised version can infiltrate development environments unnoticed, leading to potential data theft without triggering alarms. This widespread trust has made Trivy a prime target for calculated and strategic supply chain attacks.
Details of the Compromise
On March 22, 2026, researchers from Socket.dev discovered additional compromised Trivy artifacts uploaded to Docker Hub, following the earlier breach of the aquasecurity/trivy-action GitHub Actions repository. The compromised image tags, 0.69.5 and 0.69.6, were introduced without corresponding GitHub releases, deviating from standard practices that security teams rely on for authenticity checks.
Both images were found to contain the same TeamPCP infostealer identified in previous phases of the attack. Analyzed binaries showed a typosquatted command-and-control domain, scan.aquasecurtiy.org, along with exfiltration artifacts such as payload.enc and tpcp.tar.gz. Despite the removal of the compromised 0.69.4 tag, versions 0.69.5 and 0.69.6 remain flagged as malicious.
Spreading Through Docker Pipelines
The alarming aspect of this security incident is the potential for widespread infection across the container ecosystem. Docker Hub tags are mutable, allowing a tag like latest to be updated silently, redirecting to a compromised image without user awareness. Organizations using automated CI/CD pipelines that pull the latest Trivy image might inadvertently incorporate a malicious version.
Any pipeline that accessed compromised image versions during the attack could have inadvertently integrated the TeamPCP infostealer, risking the exposure of environment variables, API secrets, tokens, and other sensitive data.
Recommended Actions and Future Outlook
Organizations relying on Trivy must immediately verify which image versions were used during the attack period. Pipelines utilizing tags 0.69.4, 0.69.5, or 0.69.6 should be considered compromised, necessitating a rotation of all accessible secrets, tokens, and credentials. A rollback to version 0.69.3, the last confirmed clean release, is advised. Additionally, relying solely on Docker Hub tag names for integrity checks should be avoided; instead, verifying image digests before deployment is recommended. Monitoring outbound network connections to scan.aquasecurtiy.org can aid in detecting active compromises.
Stay informed by following us on Google News, LinkedIn, and X. Make CSN your preferred source on Google for instant updates.
