Trivy Supply Chain Attack Expands as Compromised Docker Images Hit Docker Hub

A supply chain attack targeting Trivy, the widely used open-source vulnerability scanner, has grown well beyond its initial scope.

What started as a GitHub Actions compromise has now extended to Docker Hub, where three malicious Docker image versions were silently published and made publicly available to developers worldwide.

Trivy is trusted by thousands of DevSecOps teams to scan container images, file systems, and code repositories for known security vulnerabilities.

Its deep integration into CI/CD pipelines means a single compromised version can quietly slip into development environments and steal sensitive data without raising obvious alerts.

This level of trust across the developer community made it an attractive target for a well-organized and patient supply chain attack.

Socket.dev researchers identified additional compromised Trivy artifacts published to Docker Hub on March 22, 2026, following the earlier breach of the aquasecurity/trivy-action GitHub Actions repository.

The newly flagged image tags — 0.69.5 and 0.69.6 — were pushed to the registry without any corresponding GitHub releases or official version tags, a departure from standard release practices that security teams rely on for verification.

Both images carry indicators of compromise tied to the same TeamPCP infostealer seen in earlier phases of this campaign.

Binary analysis confirmed the presence of a typosquatted command-and-control domain, scan.aquasecurtiy.org, alongside exfiltration artifacts payload.enc and tpcp.tar.gz, and references to the fallback tpcp-docs GitHub repository used for payload delivery.

Image tag 0.69.4, the first known compromised release, has since been removed from Docker Hub, but 0.69.5 and 0.69.6 remain on record as newly confirmed malicious builds. Version 0.69.3 is the last confirmed clean release.

Security researcher Paul McCarty also noted that the Aqua Security GitHub organization appeared to have been briefly exposed during the attack, suggesting that internal repository access may have been temporarily made public.

While the exact scope of that exposure remains unclear, it points to a considerable level of access the attackers managed to gain.

How the Malware Spreads Through Docker Pipelines

The most alarming aspect of this incident is not just the compromised images themselves — it is how broadly the infection could spread through the container ecosystem without immediate detection.

Docker Hub tags are not immutable. A tag like latest can be silently updated to point to a different image without any visible warning to the end user pulling it.

When organizations configure their CI/CD pipelines to automatically pull the latest Trivy image for vulnerability scanning duties, they may unknowingly pull a malicious version instead.

Any pipeline that ran against affected image versions during the attack window could have incorporated the TeamPCP infostealer into its workflow, quietly exfiltrating environment variables, API secrets, tokens, or other build artifacts stored within the pipeline context.

A search for “trivy” on Docker Hub returns thousands of results, including official builds, CI/CD-integrated versions, and third-party derivatives.

Those images are not inherently compromised, but any that automatically rebuilt or pulled from affected Trivy versions during the attack period could have incorporated malicious binaries, extending this campaign’s reach well beyond the official images.

One open source maintainer who depends on Trivy and asked to remain anonymous told Socket.dev researchers they responded by revoking all access tokens and adopting trusted publishing practices.

Organizations using Trivy in build pipelines should immediately audit which image versions were pulled during the attack period. Any pipeline that used tags 0.69.4, 0.69.5, or 0.69.6 should be treated as potentially compromised.

Teams must rotate all secrets, tokens, and credentials accessible from those pipelines. Rolling back to version 0.69.3, the last confirmed clean release, is strongly advised.

Organizations should also stop relying on Docker Hub tag names alone for integrity and instead verify image digests before each deployment. Monitoring outbound network traffic for connections to scan.aquasecurtiy.org can help identify an active compromise.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.