Trivy Supply Chain Attack Expands to Compromised Docker Images

socket.dev · feross · 10 days ago · view on HN · threat
0 net
Tags
docker malware microsoft node supply-chain
Trivy Supply Chain Attack Expands to Compromised Docker Imag... You're Invited: Meet the Socket Team at RSAC and BSidesSF 2026, March 23–26 . RSVP → Blog Security News Research Trivy Supply Chain Attack Expands to Compromised Docker Images Newly published Trivy Docker images (0.69.4, 0.69.5, and 0.69.6) were found to contain infostealer IOCs and were pushed to Docker Hub without corresponding GitHub releases. Philipp Burckhardt March 22, 2026 Socket's threat research team has identified additional compromised Trivy artifacts published to Docker Hub, following the recently disclosed GitHub Actions compromise affecting the aquasecurity/trivy-action repository . New image tags 0.69.5 and 0.69.6 were pushed on March 22 without corresponding GitHub releases or tags. Both images contain indicators of compromise associated with the same TeamPCP infostealer observed in earlier stages of this campaign. The latest tag currently points to 0.69.6 , which is also compromised. Analysis of the binaries confirms the presence of known IOCs, including the typosquatted C2 domain scan.aquasecurtiy.org , exfiltration artifacts ( payload.enc , tpcp.tar.gz ), and references to the fallback tpcp-docs GitHub repository. As part of the broader incident, security researcher Paul McCarty noted that the Aqua Security GitHub organization appeared to have been exposed, suggesting that internal repository access may have been temporarily made public during the attack. While the full scope of this exposure remains unclear, it further indicates the level of access obtained by the attacker. At this time: 0.69.3 remains the last known clean release 0.69.4 was the initial compromised release (since removed) 0.69.5 and 0.69.6 are newly identified compromised Docker images Based on registry timelines, we do not have evidence that older Docker images or binaries (≤0.69.3) were modified after publication. However, Docker Hub tags are not immutable, and organizations should not rely solely on tag names for integrity. A search for “trivy” on Docker Hub returns thousands of images, including official builds, CI/CD integrations, and third-party derivatives. These images are not inherently compromised, but those that automatically pulled or rebuilt against affected Trivy versions during the attack windows may have incorporated malicious binaries, expanding the potential impact beyond the official images. Organizations are already taking precautionary steps in response to the incident. A maintainer of multiple widely used open source tools that depend on Trivy, who asked to remain anonymous, told us they have revoked all tokens and adopted trusted publishing practices. Organizations should review their use of Trivy in CI/CD pipelines, avoid affected versions, and treat any recent executions as potentially compromised. You can track affected artifacts and ongoing activity in our campaign pages for the Trivy GitHub Actions compromise and the related Canisterworm campaign . Subscribe to our newsletter Get notified when we publish new security blog posts! Enter your email Subscribe Try it now Ready to block malicious and vulnerable dependencies? Install GitHub App Book a Demo Questions? Call us at (844) SOCKET-0 Related posts Back to all posts Research / Security News CanisterWorm: npm Publisher Compromise Deploys Backdoor Across 29+ Packages The worm-enabled campaign hit @emilgroup and @teale.io, then used an ICP canister to deliver follow-on payloads. By Socket Research Team - Mar 20, 2026 Research / Security News Trivy Under Attack Again: Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets Attackers compromised Trivy GitHub Actions by force-updating tags to deliver malware, exposing CI/CD secrets across affected pipelines. By Philipp Burckhardt - Mar 20, 2026 Security News ENISA Publishes Technical Advisory on Secure Use of Package Managers ENISA’s new package manager advisory outlines the dependency security practices companies will need to demonstrate as the EU’s Cyber Resilience Act begins enforcing software supply chain requirements. By Sarah Gooding - Mar 19, 2026
← Back to stories