
Trivy Hack Spreads Infostealer with Docker, Triggers Worm and Kubernetes Wiper

Ravie Lakshmanan, March 23, 2026, Cloud Security / DevOps

Cybersecurity researchers have discovered malicious artifacts distributed through Docker Hub following the Trivy supply chain attack, highlighting an expanding blast radius across developer environments.

The last known clean release of Trivy on Docker Hub is 0.69.3. Malicious versions 0.69.4, 0.69.5, and 0.69.6 have been removed from the container image library.

“The new image tags 0.69.5 and 0.69.6 were pushed on March 22 without a corresponding GitHub release or tags. Both images contain indicators of compromise associated with the same TeamPCP infostealer seen in the earlier stages of this campaign,” said Socket security researcher Philipp Burckhardt.

This development follows the supply chain compromise of Trivy, a popular open source scanner maintained by Aqua Security, which allowed threat actors to push a credential stealer through Trojanized versions of the tool and two related GitHub Actions, “aquasecurity/trivy-upaction” and “trivy-upaction”.

The attackers subsequently used the stolen data to compromise a number of npm packages and distribute a self-replicating worm known as CanisterWorm. The incident is believed to be the work of a threat actor tracked as TeamPCP.

According to the OpenSourceMalware team, the attackers hijacked all 44 internal repositories related to Aqua Security’s “aquasec-com” GitHub organization by renaming each of them with the prefix “tpcp-docs-“, set all descriptions to “TeamPCP Owns Aqua Security,” and made them public.

All repositories are said to have been modified in a 2-minute burst of writes between 20:31:07 UTC and 20:32:26 UTC on 22 March 2026. It has been verified with high confidence that the threat actor used the compromised “Argon-DevOps-Mgt” account.

“Our forensic analysis of the GitHub Events API points to a compromised service account token — possibly stolen during TeamPCP’s Trivy GitHub Actions compromise — as the attack vector,” said security researcher Paul McCarty. “This is a service/bot account (GitHub ID 139343333, created 2023-07-12) with an important feature: it covers both GitHub domains.”

“A single vulnerable token for this account gives an attacker script/control access to both entities,” McCarty added.

The development is the latest escalation from a threat actor that has built a reputation for targeting cloud infrastructure, while building capabilities to systematically exploit exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers to steal data, deliver ransomware, extort victims, and mine cryptocurrency.

Their growing sophistication is best demonstrated by the emergence of a new wiper malware that is distributed via SSH with stolen keys and exploits Docker APIs exposed on port 2375 on the local subnet.

A new TeamPCP payload was found to use stolen credentials to wipe all Kubernetes (K8s) clusters located in Iran. The shell script uses the same ICP canister connected to CanisterWorm and runs checks to identify Iranian systems.

“In Kubernetes: it uses special DaemonSets in all areas, including the control plane,” said Aikido security researcher Charlie Eriksen. “Iranian nodes are wiped and restarted with a container called ‘kamikaze.’ Non-Iranian nodes get the CanisterWorm backdoor installed as a systemd service. Iranian hosts that are not K8s get ‘rm -rf / --no-preserve-root.’”

Given the ongoing nature of the attack, it is important that organizations review their use of Trivy in their CI/CD pipelines, avoid the affected versions, and treat any recent executions of those versions as potentially compromised.
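As an added example (not code from the article, Socket, Aqua Security or the Trivy project), the two defender checks suggested by this report in Python: flagging the affected Trivy image tags in CI configuration, and listing Docker Hub version tags that have no matching GitHub release, the out-of-band push pattern noted for 0.69.5 and 0.69.6. The repository names aquasec/trivy and ghcr.io/aquasecurity/trivy, the workflow fragment and the tag lists are assumptions constructed for the example; only the version numbers come from the article.

```python
import re

# Versions come from the article: the last known clean Docker Hub release of
# Trivy and the three tags that were later removed as malicious.
LAST_CLEAN_VERSION = (0, 69, 3)
KNOWN_MALICIOUS_TAGS = {"0.69.4", "0.69.5", "0.69.6"}

# Matches "aquasec/trivy:0.69.4" or "ghcr.io/aquasecurity/trivy:0.69.6" in a
# Dockerfile, compose file or workflow YAML. These repository names are an
# assumption; the article names only the version numbers.
IMAGE_REF = re.compile(r"(?P<image>[\w./-]*/trivy):(?P<tag>[\w.-]+)")

def parse_version(tag):
    """'v0.69.4' or '0.69.4' -> (0, 69, 4); None for non-version tags like 'latest'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None

def classify_tag(tag):
    """Verdict for one Trivy image tag: malicious, unpinned, clean or unverified."""
    if tag in KNOWN_MALICIOUS_TAGS:
        return "malicious"
    version = parse_version(tag)
    if version is None:  # mutable tag: cannot be audited against a known-good release
        return "unpinned"
    if version <= LAST_CLEAN_VERSION:
        return "clean"
    return "unverified"  # newer than the last known clean release

def audit_config(text):
    """(image, tag, verdict) for every Trivy image reference found in a config file."""
    return [(m["image"], m["tag"], classify_tag(m["tag"])) for m in IMAGE_REF.finditer(text)]

def unreleased_tags(dockerhub_tags, github_release_tags):
    """Version tags on Docker Hub with no matching GitHub release, the out-of-band
    push pattern the researchers flagged for 0.69.5 and 0.69.6."""
    released = {parse_version(t) for t in github_release_tags} - {None}
    return sorted(t for t in dockerhub_tags
                  if parse_version(t) is not None and parse_version(t) not in released)

# Constructed sample input: a workflow fragment plus Docker Hub and GitHub tag lists.
SAMPLE_WORKFLOW = """\
scan:
  container: aquasec/trivy:0.69.6
  steps:
    - run: docker run --rm ghcr.io/aquasecurity/trivy:0.69.3 image app:dev
    - run: docker run --rm aquasec/trivy:latest fs .
"""
SAMPLE_DOCKERHUB_TAGS = ["0.69.2", "0.69.3", "0.69.4", "0.69.5", "0.69.6", "latest"]
SAMPLE_GITHUB_RELEASES = ["v0.69.2", "v0.69.3", "v0.69.4"]
```

Running `audit_config(SAMPLE_WORKFLOW)` flags the 0.69.6 reference as malicious and the `latest` reference as unpinned, and `unreleased_tags(SAMPLE_DOCKERHUB_TAGS, SAMPLE_GITHUB_RELEASES)` returns the two tags with no release behind them.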

“This compromise reflects the long tail of supply chain attacks,” OpenSourceMalware said. “Information harvested during the Trivy GitHub Actions compromise months ago was leveraged today to compromise the entire GitHub internal organization. The Argon-DevOps-Mgt service account – a single bot account connecting two orgs with a long-lived PAT – was the weak link.”

“From cloud exploits to supply chain worms to Kubernetes wipers, they power and direct the security vendor’s own ecosystem. The paradox of a cloud security company being disrupted by a threat actor from the cloud should not be lost on the industry.”
