The TeamPCP hackers behind the Trivy supply-chain attack continued to target Aqua Security, pushing malicious Docker images and hijacking the company’s GitHub organization to tamper with dozens of repositories.
This follows the threat actor compromising the GitHub build pipeline for Trivy, Aqua Security’s scanner, to deliver infostealing malware in a supply-chain attack that extended to Docker Hub over the weekend.
Trivy has more than 33,800 stars on GitHub and is widely used for detecting vulnerabilities, misconfigurations, and exposed secrets across software artifacts and infrastructure.
Supply-chain security company Socket says in a report on Sunday that it identified compromised Trivy artifacts published to Docker Hub.
“New image tags 0.69.5 and 0.69.6 were pushed on March 22 without corresponding GitHub releases or tags,” Socket researchers say. According to their analysis, the two images contain indicators of compromise associated with the infostealer that TeamPCP pushed after gaining access to Aqua Security’s GitHub organization.
The researchers note that the last known Trivy release is 0.69.3 and warn that, even though they did not see any evidence of older images or binaries being modified after publication, “Docker Hub tags are not immutable, and organizations should not rely solely on tag names for integrity.”
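To make Socket’s check concrete, here is an added example (not Socket’s or Aqua’s code) that flags registry tags with no matching source release and tests whether an image reference is pinned by digest rather than by a mutable tag; the tag lists and the `registry.example/trivy` reference are constructed sample data.

```python
"""Flag registry tags that have no matching source release, and check that
image references are pinned by digest rather than by a mutable tag.

Added example, not tooling from Socket or Aqua Security. The tag lists
below are constructed sample data modelled on the incident described above.
"""
import re

# Constructed sample data: tags seen on a container registry repository and
# tags published as releases on the corresponding GitHub repository.
HUB_TAGS = ["0.69.3", "0.69.4", "0.69.5", "0.69.6", "latest"]
GITHUB_RELEASE_TAGS = ["v0.69.2", "v0.69.3", "v0.69.4"]

# Tags that are aliases rather than versions; they legitimately have no release.
ALIAS_TAGS = {"latest"}

# An image reference is digest-pinned only if it ends in an explicit sha256.
_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def normalize(tag: str) -> str:
    """Strip a leading 'v' so '0.69.3' and 'v0.69.3' compare equal."""
    return tag[1:] if tag.startswith("v") and tag[1:2].isdigit() else tag


def orphan_tags(hub_tags, release_tags, aliases=ALIAS_TAGS):
    """Return registry version tags that have no corresponding source release.

    A version tag that exists only in the registry is the signal Socket
    described: it cannot have come from the normal release pipeline.
    """
    released = {normalize(t) for t in release_tags}
    return sorted(t for t in hub_tags
                  if t not in aliases and normalize(t) not in released)


def is_digest_pinned(image_ref: str) -> bool:
    """True only if the reference carries an explicit sha256 digest.

    A tag such as ':0.69.3' can be re-pointed at different content, so a tag
    alone gives no integrity guarantee; a digest identifies the exact manifest.
    """
    return bool(_DIGEST_RE.search(image_ref))


if __name__ == "__main__":
    print("tags without a release:", orphan_tags(HUB_TAGS, GITHUB_RELEASE_TAGS))
    placeholder_digest = "0" * 64  # constructed placeholder, not a real digest
    for ref in ["registry.example/trivy:0.69.3",
                "registry.example/trivy@sha256:" + placeholder_digest,
                "registry.example/trivy:0.69.3@sha256:" + placeholder_digest]:
        print(f"{ref!r} pinned: {is_digest_pinned(ref)}")
```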
Breaching AquaSec’s GitHub
On March 20, Aqua Security said that the threat actor gained access to the company’s GitHub organization due to incomplete containment of a previous incident targeting the same tool at the beginning of the month.
“We rotated secrets and tokens, but the process wasn’t atomic and attackers may have been privy to refreshed tokens,” Aqua Security
This allowed the attacker to inject credential-harvesting code (TeamPCP Cloud stealer) into Trivy and publish malicious versions of the tool.
Aqua responded to this incident by publishing new, safe versions of Trivy on March 20 and engaging the incident response firm Sygnia to assist with remediation and forensic investigation.
However, in an update published today, Aqua noted that it identified additional suspicious activity on March 22, indicating that the same threat actors have re-established unauthorized access and carried out “unauthorized changes and repository tampering.”
The company noted that, despite this new development, Trivy was not impacted this time.
An analysis from OpenSourceMalware, a community-driven malware intelligence platform, explains that TeamPCP gained access to the aquasec-com GitHub organization, where Aqua Security hosts its proprietary code, separate from the company’s aquasecurity GitHub organization for public repositories.
Using an automation script, it took the hackers about two minutes to add the prefix tpcp-docs- to all 44 repositories available in the company’s GitHub organization and change all descriptions to read “TeamPCP Owns Aqua Security.”
The researchers have high confidence that the attacker gained access by compromising a service account named Argon-DevOps-Mgt, which had access to both of Aqua Security’s GitHub organizations.
According to OpenSourceMalware, the targeted service account authorized actions based on a Personal Access Token (PAT) of a regular user instead of a GitHub App.
The issue is that PAT authentication functions like a password and is valid for a longer period than the token of a GitHub App. Additionally, a service account is typically used for automated tasks and does not have multi-factor authentication (MFA) protection.
To test that the account had admin permissions for both of AquaSec’s private and public GitHub organizations, TeamPCP created a new update-plugin-links-v0.218.2 branch in the public aquasecurity/trivy-plugin-aqua repository, which they then deleted “at the exact same second.”
The researchers believe that the hackers obtained the PAT for the Argon-DevOps-Mgt service account using the TeamPCP Cloud stealer, which collects GitHub tokens, SSH keys, cloud credentials, and environment variables from CI runners.
“As a service account that triggers workflows on trivy-plugin-aqua, its token was present in the runner environment,” OpenSourceMalware explains.
OpenSourceMalware has provided a set of indicators of compromise that can help defenders determine whether their environments have been impacted by the supply-chain attack.
Aqua Security says that it has no evidence that the Trivy version used in its commercial products has been impacted. “By design, the forked version of Aqua’s commercial platform lags Trivy open source with a controlled integration process.”
However, the company promised to share updates as new details emerge and to publish additional findings on Tuesday, at the end of the day.