Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper

Ravie LakshmananMar 23, 2026Cloud Security / DevOps

Cybersecurity researchers have uncovered malicious artifacts distributed via Docker Hub following the Trivy supply chain attack, highlighting the widening blast radius across developer environments.

The last known clean release of Trivy on Docker Hub is 0.69.3. The malicious versions 0.69.4, 0.69.5, and 0.69.6 have since been removed from the container image library.

“New image tags 0.69.5 and 0.69.6 were pushed on March 22 without corresponding GitHub releases or tags. Both images contain indicators of compromise associated with the same TeamPCP infostealer observed in earlier stages of this campaign,” Socket security researcher Philipp Burckhardt said.

The development comes in the wake a supply chain compromise of Trivy, a popular open-source vulnerability scanner maintained by Aqua Security, allowing the threat actors to leverage a compromised credential to push a credential stealer within trojanized versions of the tool and two related GitHub Actions “aquasecurity/trivy-action” and “aquasecurity/setup-trivy.”

The attack has had downstream impacts, with the attackers leveraging the stolen data to compromise dozens of npm packages to distribute a self-propagating worm known as CanisterWorm. The incident is believed to be the work of a threat actor tracked as TeamPCP.

According to the OpenSourceMalware team, the attackers have defaced all 44 internal repositories associated with Aqua Security’s “aquasec-com” GitHub organization by renaming each of them with a “tpcp-docs-” prefix, setting all descriptions to “TeamPCP Owns Aqua Security,” and exposing them publicly.

All the repositories are said to have been modified in a scripted 2-minute burst between 20:31:07 UTC and 20:32:26 UTC on March 22, 2026. It’s been assessed with high confidence that the threat actor leveraged a compromised “Argon-DevOps-Mgt” service account for this purpose.

“Our forensic analysis of the GitHub Events API points to a compromised service account token — likely stolen during TeamPCP’s prior Trivy GitHub Actions compromise — as the attack vector,” security researcher Paul McCarty said. “This is a service/bot account (GitHub ID 139343333, created 2023-07-12) with a critical property: it bridges both GitHub orgs.”

“One compromised token for this account gives the attacker write/admin access to both organizations,” McCarty added.

The development is the latest escalation from a threat actor that’s has built a reputation for targeting cloud infrastructures, while progressively building capabilities to systemically exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers to steal data, deploy ransomware, conduct extortion, and mine cryptocurrency.

Their growing sophistication is best exemplified by the emergence of a new wiper malware that spreads through SSH via stolen keys and exploits exposed Docker APIs on port 2375 across the local subnet.

A new payload attributed to TeamPCP has been found to go beyond credential theft to wiping entire Kubernetes (K8s) clusters located in Iran. The shell script uses the same ICP canister linked to CanisterWorm and then runs checks to identify Iranian systems.

“On Kubernetes: deploys privileged DaemonSets across every node, including control plane,” Aikido security researcher Charlie Eriksen said. “Iranian nodes get wiped and force-rebooted via a container named ‘kamikaze.’ Non-Iranian nodes get the CanisterWorm backdoor installed as a systemd service. Non-K8s Iranian hosts get ‘rm -rf / –no-preserve-root.'”

Given the ongoing nature of the attack, it’s imperative that organizations review their use of Trivy in CI/CD pipelines, avoid using affected versions, and treat any recent executions as potentially compromised.

“This compromise demonstrates the long tail of supply chain attacks,” OpenSourceMalware said. “A credential harvested during the Trivy GitHub Actions compromise months ago was weaponized today to deface an entire internal GitHub organization. The Argon-DevOps-Mgt service account — a single bot account bridging two orgs with a long-lived PAT — was the weak link.”

“From cloud exploitation to supply chain worms to Kubernetes wipers, they are building capability and targeting the security vendor ecosystem itself. The irony of a cloud security company being compromised by a cloud-native threat actor should not be lost on the industry.