Cybersecurity experts have identified harmful artifacts distributed through Docker Hub, following a significant attack on Trivy, an open-source vulnerability scanner. This incident underscores the growing security threats in developer ecosystems.
Trivy’s Compromise and Its Implications
The last uncontaminated version of Trivy available on Docker Hub was 0.69.3. The subsequent malicious versions, 0.69.4 to 0.69.6, have since been removed from the platform. These versions were uploaded without corresponding GitHub releases, indicating a breach. Security researcher Philipp Burckhardt noted that the compromised releases bore signs of the TeamPCP infostealer, previously detected in similar operations.
The breach stems from a supply chain attack on Trivy in which attackers used a compromised credential to insert a credential-stealing trojan into the software. Additionally, two affiliated GitHub Actions, “aquasecurity/trivy-action” and “aquasecurity/setup-trivy,” were targeted.
Further Repercussions and Worm Propagation
The attackers leveraged the stolen data to infiltrate numerous npm packages, deploying a self-replicating worm named CanisterWorm. This campaign is attributed to the threat group identified as TeamPCP. The OpenSourceMalware team reported that all 44 internal repositories of Aqua Security’s GitHub organization were compromised, each rebranded with a “tpcp-docs-” prefix and publicly exposed.
The repositories were altered en masse within a two-minute window on March 22, 2026, using a compromised “Argon-DevOps-Mgt” account. This account’s token, previously compromised, was instrumental in the attack, granting write access to both GitHub organizations involved.
Escalation and Broader Threats
TeamPCP continues to evolve its methods, now targeting cloud infrastructures with advanced capabilities. Their latest move involves deploying a novel wiper malware, spreading through SSH using stolen keys and exploiting exposed Docker APIs.
In a new escalation, TeamPCP has developed a payload targeting Kubernetes clusters, particularly in Iran. The payload destroys Iranian nodes via a container named ‘kamikaze,’ while non-Iranian nodes are backdoored with CanisterWorm. Iranian systems outside Kubernetes face complete data destruction.
Preventive Measures and Industry Impact
Organizations must scrutinize their usage of Trivy, avoid the affected versions, and treat recent operations involving them as potentially compromised. OpenSourceMalware emphasizes the long-lasting effects of supply chain attacks, highlighting the need for vigilance.
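As an added illustration of that audit (not code from the article or from Aqua Security), the script below scans Dockerfile and GitHub workflow lines for the compromised Trivy tags named above and for references to the two affected Actions that are not pinned to a commit SHA. The Docker Hub image names it matches (aquasec/trivy, aquasecurity/trivy) and the sample input are assumptions, not taken from the article.

```python
import re

# From the article: 0.69.3 was the last clean Docker Hub tag; 0.69.4-0.69.6 were
# pushed without matching GitHub releases and later removed.
AFFECTED = {(0, 69, 4), (0, 69, 5), (0, 69, 6)}
# Image repo names are an assumption; the article only says "Trivy on Docker Hub".
IMAGE_RE = re.compile(r"\baquasec(?:urity)?/trivy:([\w.\-]+)")
# The two GitHub Actions the article names, as they appear in a workflow "uses:" line.
ACTION_RE = re.compile(r"uses:\s*(aquasecurity/(?:trivy-action|setup-trivy))@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def parse_version(tag):
    """Return (major, minor, patch) for tags like 0.69.5 or v0.69.5, else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None

def audit_line(line):
    """Findings for one Dockerfile or workflow line; empty list means nothing to flag."""
    findings = []
    for tag in IMAGE_RE.findall(line):
        ver = parse_version(tag)
        if ver is None:
            # 'latest' or another moving tag: cannot show it predates the compromise
            findings.append(f"trivy image tag '{tag}' is not a fixed version")
        elif ver in AFFECTED:
            findings.append(f"trivy image {tag} is a compromised Docker Hub version")
    for action, ref in ACTION_RE.findall(line):
        if not SHA_RE.match(ref):
            # A tag or branch can be repointed by anyone with write access to the repo
            findings.append(f"{action}@{ref} is not pinned to a commit SHA")
    return findings

def audit(text):
    """Run audit_line over every line, returning (line number, finding) pairs."""
    return [(n, f) for n, line in enumerate(text.splitlines(), 1) for f in audit_line(line)]

# Constructed sample input: three Dockerfile FROM lines and two workflow steps.
SAMPLE = """FROM aquasec/trivy:0.69.3
FROM aquasec/trivy:0.69.5
FROM aquasec/trivy:latest
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/setup-trivy@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for n, finding in audit(SAMPLE):
        print(f"line {n}: {finding}")
```

Only the 0.69.3 image and the SHA-pinned Action pass; the compromised tag, the moving `latest` tag, and the branch-pinned Action are each reported with their line number.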
This incident highlights a critical irony: a cloud security firm falling victim to a cloud-native adversary. The ongoing attack serves as a stark reminder of the vulnerabilities within the security vendor ecosystem and the necessity for rigorous protective measures.
