
Trivy Supply Chain Attack Expands with Additional Compromised Docker Images


Newly Compromised Docker Images Linked to Trivy Supply Chain Attack Exposed

A new set of compromised Docker images has been identified and linked to the ongoing Trivy supply chain attack. The additional images widen the incident's reach into developer workstations and continuous integration/continuous deployment (CI/CD) pipelines that pull the scanner by tag.

On March 19, 2026, attackers compromised Aqua Security's widely used Trivy vulnerability scanner, releasing version 0.69.4 with credential-stealing malware injected into the official release and the associated GitHub Actions. Because Trivy runs inside CI jobs that hold registry, cloud and repository credentials, the compromise drew immediate concern from developers who rely on the tool.

Researchers at Socket report additional malicious artifacts distributed through Docker Hub following the confirmed breach of the project's GitHub Actions, which the attackers used to push malicious artifacts into the project's official distribution channels.

On March 22, two new image tags, 0.69.5 and 0.69.6, were uploaded to Docker Hub even though no corresponding releases existed on GitHub. A registry tag with no matching source release is a discrepancy that should never occur in a healthy release process, and it was this inconsistency that alerted security teams monitoring the situation. An analysis published the same day by Socket found that both images contained indicators of compromise (IoCs) consistent with the TeamPCP infostealer already documented in the campaign, confirming 0.69.5 and 0.69.6 as compromised alongside 0.69.4.

The following day, March 23, Aqua Security issued a public update with new findings from its ongoing investigation. The Aqua team identified additional suspicious activity on March 22 involving unauthorized changes and repository tampering. They noted, "Based on our current understanding, this activity is consistent with the attacker’s previously observed behavior."

Compromised Versions Examined

The set of affected Trivy versions is still growing. Older versions appear to be unaffected, but security teams caution that Docker tags are not immutable: a tag can be re-pointed at a different image at any time, so the tag 0.69.3 by itself proves nothing about which bytes a pull returns. Only an image digest (image@sha256:...) identifies a specific image, and integrity checks that rely on tags alone are misplaced. The breakdown of affected versions, as confirmed so far, is:

  • 0.69.3: The last known clean release; remains unaffected.
  • 0.69.4: The initial compromised release, since removed from distribution.
  • 0.69.5 and 0.69.6: Docker Hub tags with no corresponding GitHub release, both identified as compromised images.

The malicious binaries in these versions contained typosquatted command-and-control (C2) domains, exfiltration files, and references to repositories the attackers controlled during the campaign. Any environment that ran one of these builds should assume the credentials available to that process were collected.
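The discrepancy that exposed 0.69.5 and 0.69.6, a registry tag with no matching source release, can be checked automatically, and the same comparison catches the quieter case where an existing tag is re-pushed long after its release. The script below is an added example, not code from Socket, Aqua Security or the Trivy project; the image name, tag names and timestamps are constructed for the example, and the six-hour grace window is an assumption.

```python
from datetime import datetime, timedelta, timezone


def _t(*ymdhm):
    """Build a UTC timestamp from (year, month, day, hour, minute)."""
    return datetime(*ymdhm, tzinfo=timezone.utc)


# Constructed data for this example; not real Docker Hub or GitHub API output.
# The image, tag names and timestamps are invented to exercise the checks.
# Registry view: tag -> when that tag was last pushed (Docker Hub reports this
# per tag as "last_updated").
REGISTRY_TAGS = {
    "1.3.9": _t(2026, 3, 21, 14, 0),   # re-pushed weeks after its release
    "1.4.0": _t(2026, 3, 10, 8, 10),   # pushed minutes after the release: normal
    "1.4.1": _t(2026, 3, 19, 9, 0),
    "1.4.2": _t(2026, 3, 22, 10, 0),   # no GitHub release carries this tag
    "1.4.3": _t(2026, 3, 22, 10, 5),   # no GitHub release carries this tag
    "latest": _t(2026, 3, 22, 10, 5),  # floating tag, never has a release
}
# Source-of-truth view: release tag -> when the GitHub release was published.
GITHUB_RELEASES = {
    "1.3.9": _t(2026, 2, 1, 9, 0),
    "1.4.0": _t(2026, 3, 10, 8, 0),
    "1.4.1": _t(2026, 3, 19, 8, 30),
}


def reconcile_tags(registry_tags, releases, expected_floating=frozenset(),
                   grace=timedelta(hours=6)):
    """Compare registry tags against project releases.

    Returns {tag: reason} for every tag that needs a human look:
      "no_release" - the tag exists in the registry but no release carries it
                     (the discrepancy that exposed 0.69.5 and 0.69.6)
      "repushed"   - the tag was pushed more than `grace` after its release was
                     published, so it may now point at a different image than
                     the one shipped at release time
    Tags in `expected_floating` (e.g. "latest") are skipped.
    """
    findings = {}
    for tag, pushed in registry_tags.items():
        if tag in expected_floating:
            continue
        published = releases.get(tag)
        if published is None:
            findings[tag] = "no_release"
        elif pushed - published > grace:
            findings[tag] = "repushed"
    return findings


if __name__ == "__main__":
    for tag, reason in sorted(reconcile_tags(REGISTRY_TAGS, GITHUB_RELEASES,
                                             {"latest"}).items()):
        print(f"{tag}: {reason}")
```

In a real run the two dictionaries come from the registry's per-tag listing and the project's releases feed. A re-push that uploads the identical image is harmless, so the stronger form of the "repushed" check compares the manifest digest recorded at release time with the digest the tag resolves to now; that is also the reason to reference images by digest in pipelines rather than by tag.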

GitHub Exposure and Expanding Threat Activity

The compromise extends beyond Docker images into GitHub itself. Reports indicate that an internal GitHub organization associated with Aqua Security was briefly exposed during the attack, making dozens of repositories that had been renamed and tampered with publicly visible.

Investigators believe a compromised service account token was used to gain unauthorized access to multiple GitHub organizations. The repository modifications were made in a scripted burst lasting roughly two minutes, which points to automation rather than manual work. The token had likely been exposed during the earlier GitHub Actions breach, which is why every credential reachable from a compromised CI run needs to be rotated, not only the one known to have been stolen.

The attack has also been linked to a broader range of malicious activity attributed to the TeamPCP threat group. Investigators note that the group has expanded beyond credential theft into worm propagation, ransomware deployment, cryptocurrency mining, and destructive attacks against Kubernetes environments.

Recommendations for Organizations

Socket has urged organizations using Trivy in their CI/CD pipelines to review recent activity closely and to treat the results of recent scans as potentially compromised: a trojaned scanner cannot be trusted to report what it found, and any credentials available to the job that ran it should be treated as exposed. Teams should also pin the actions and images their pipelines consume to immutable references, since mutable tags are exactly what the attackers exploited to distribute 0.69.5 and 0.69.6.
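One concrete review step is to find every place a pipeline pulls an action or container image by a mutable tag rather than a commit SHA or image digest. The audit below is an added example, not code from Socket, Aqua Security or the Trivy project. The workflow it scans is constructed for the example; the action and image names are hypothetical, and the 40-hex SHA and 64-hex digest are placeholder values, not real commits or images.

```python
import re

# Constructed workflow for this example; not a real project's file. The action
# and image names are hypothetical and the 40-hex SHA and 64-hex digest are
# placeholder values, not real commits or images.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: docker.io/example/scanner:0.69.6
    steps:
      - uses: example/checkout@v4
      - uses: example/scanner-action@0.69.4
      - uses: example/scanner-action@0123456789abcdef0123456789abcdef01234567  # pinned
      - run: docker run --rm example/scanner@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef image scan .
      - run: docker pull example/scanner:latest
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
IMAGE_RE = re.compile(r"\bimage:\s*(\S+)")
# First non-flag token after `docker run` / `docker pull`. Flags that take a
# separate value argument (e.g. `-v src:dst`) are not handled by this simple form.
DOCKER_RE = re.compile(r"\bdocker\s+(?:run|pull)\s+(?:-\S*\s+)*(\S+)")
SHA_RE = re.compile(r"[0-9a-f]{40}")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def image_pinned(ref):
    """True only when the image reference ends in a full sha256 digest."""
    return DIGEST_RE.search(ref) is not None


def action_pinned(ref):
    """True for local actions and actions pinned to a full 40-hex commit SHA."""
    if ref.startswith("./"):
        return True
    if ref.startswith("docker://"):
        return image_pinned(ref[len("docker://"):])
    _, _, version = ref.rpartition("@")
    return SHA_RE.fullmatch(version) is not None


def audit_workflow(text):
    """Return (line_no, kind, ref) for every action or image that floats on a mutable tag."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # drop trailing comments
        m = USES_RE.match(code)
        if m:
            if not action_pinned(m.group(1)):
                findings.append((n, "action", m.group(1)))
            continue
        m = IMAGE_RE.search(code) or DOCKER_RE.search(code)
        if m and not image_pinned(m.group(1)):
            findings.append((n, "image", m.group(1)))
    return findings


if __name__ == "__main__":
    for n, kind, ref in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {n}: unpinned {kind} {ref}")
```

A commit SHA and an image digest are content-addressed, so neither can be silently re-pointed the way a tag or release can; the remaining work when pinning is to confirm that the chosen SHA or digest comes from the upstream project's legitimate history, which is exactly the check a project announcing a compromise forces you to repeat.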

Aqua Security has stated that its commercial products, including Trivy as integrated within the Aqua Platform, were not affected by this breach. The incident nonetheless shows how far a compromised developer tool can reach, and the list of affected artifacts may continue to grow as the investigation proceeds.
