Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper

A sophisticated supply chain attack on the popular Trivy vulnerability scanner has escalated into a multi-stage cyber campaign that combines credential theft, worm propagation, and Kubernetes cluster wiping, according to cybersecurity researchers tracking the incident.

Supply Chain Compromise Origins

The attack began when threat actors compromised Aqua Security's Trivy tool, a widely-used open-source vulnerability scanner. The attackers leveraged stolen credentials to push malicious versions 0.69.4, 0.69.5, and 0.69.6 to Docker Hub without corresponding GitHub releases. These trojanized versions contained the TeamPCP infostealer, which harvested credentials from compromised systems.

"New image tags 0.69.5 and 0.69.6 were pushed on March 22 without corresponding GitHub releases or tags," said Philipp Burckhardt, a Socket security researcher. "Both images contain indicators of compromise associated with the same TeamPCP infostealer observed in earlier stages of this campaign."

Downstream Impact and Worm Propagation

Following the initial compromise, attackers used stolen credentials to target npm packages, distributing CanisterWorm—a self-propagating malware that spreads through developer environments. The worm's capabilities extend beyond simple propagation, establishing persistent backdoors on compromised systems.

GitHub Organization Defacement

In a brazen escalation, the threat actor tracked as TeamPCP defaced all 44 internal repositories in Aqua Security's "aquasec-com" GitHub organization. The repositories were renamed with a "tpcp-docs-" prefix, descriptions changed to "TeamPCP Owns Aqua Security," and made publicly accessible.

Security researcher Paul McCarty analyzed the GitHub Events API and identified a compromised service account as the attack vector. "This is a service/bot account (GitHub ID 139343333, created 2023-07-12) with a critical property: it bridges both GitHub orgs," McCarty explained. "One compromised token for this account gives the attacker write/admin access to both organizations."

The defacement occurred in a rapid 2-minute burst between 20:31:07 UTC and 20:32:26 UTC on March 22, 2026, using a compromised "Argon-DevOps-Mgt" service account.

Kubernetes Wiping Campaign

The attackers have now deployed a new wiper malware that specifically targets Kubernetes clusters in Iran. The malware spreads through SSH using stolen keys and exploits exposed Docker APIs on port 2375 across local subnets.

Charlie Eriksen from Aikido Security detailed the wiper's behavior: "On Kubernetes: deploys privileged DaemonSets across every node, including control plane. Iranian nodes get wiped and force-rebooted via a container named 'kamikaze.' Non-Iranian nodes get the CanisterWorm backdoor installed as a systemd service. Non-K8s Iranian hosts get 'rm -rf / --no-preserve-root.'"

The malware uses the same ICP canister linked to CanisterWorm, demonstrating the attackers' growing sophistication in combining multiple attack techniques.

Industry Response and Mitigation

Given the ongoing nature of the attack, organizations are urged to immediately review their use of Trivy in CI/CD pipelines and avoid affected versions. Any recent executions should be treated as potentially compromised.

OpenSourceMalware emphasized the broader implications: "This compromise demonstrates the long tail of supply chain attacks. A credential harvested during the Trivy GitHub Actions compromise months ago was weaponized today to deface an entire internal GitHub organization."

Threat Actor Evolution

TeamPCP has established itself as a sophisticated threat actor targeting cloud infrastructures. Their capabilities now include systematic exposure of Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers for data theft, ransomware deployment, extortion, and cryptocurrency mining.

The irony of a cloud security company being compromised by a cloud-native threat actor underscores the evolving threat landscape. As attackers increasingly target the security vendor ecosystem itself, organizations must implement robust supply chain security measures and monitor for anomalous behavior across their development and deployment pipelines.

The incident highlights the critical importance of service account security, particularly for accounts that bridge multiple organizations, and demonstrates how a single compromised token can cascade into widespread damage across cloud-native environments.