Trivy Supply Chain Attack Cascades: Docker, npm Worm, and Kubernetes Wiper
What began as a GitHub Actions tag poisoning campaign has evolved into a multi-vector supply chain incident with a dramatically wider blast radius. Cybersecurity researchers have confirmed that the Trivy supply chain attack by threat actor TeamPCP has spread beyond the trivy-action GitHub Action to include malicious Docker Hub images, a self-propagating npm worm (CanisterWorm), a Kubernetes cluster wiper, and the defacement of 44 Aqua Security GitHub repositories — all executed within a scripted 2-minute burst.
The last known clean release of Trivy on Docker Hub is version 0.69.3. Versions 0.69.4, 0.69.5, and 0.69.6 are confirmed malicious.
Expanded Attack Scope
| Attack Vector | Details |
|---|---|
| GitHub Actions Tags | 75 of 76 trivy-action tags force-pushed with malicious commits |
| Docker Hub Images | Trivy 0.69.4, 0.69.5, 0.69.6 contain infostealer IOCs |
| npm Ecosystem | CanisterWorm deployed via stolen npm publish tokens; self-propagating |
| Kubernetes | Wiper component targets cluster nodes reached via stolen kubeconfigs |
| GitHub Org Defacement | 44 Aqua Security repos defaced in 2 minutes using service account compromise |
| C2 Infrastructure | ICP-hosted fallback C2 serving iteratively updated kamikaze.sh payload |
Docker Hub: Malicious Images Served Without Corresponding Releases
Following the GitHub Actions compromise, TeamPCP pushed three new malicious Trivy images to Docker Hub:
- aquasecurity/trivy:0.69.4
- aquasecurity/trivy:0.69.5
- aquasecurity/trivy:0.69.6
Critically, these versions were pushed without corresponding GitHub releases, an anomaly that researchers identified as a red flag. Organizations that pull Trivy images by tag in their container scanning pipelines — without validating against known release hashes — may have run the malicious versions.
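The anomaly described above (registry tags with no matching source release) can be checked mechanically. This is an added example, not code from the original article or from Aqua Security; the function name, the `v`-prefixed release tags, and the sample data are assumptions, and the digests are placeholders.

```python
import re

VERSION = re.compile(r"^v?(\d+\.\d+\.\d+)$")

def audit_registry_tags(registry_tags, release_tags, recorded_digests):
    """Compare registry tags with source releases and recorded digests.

    registry_tags:    {tag: digest} as currently served by the registry
    release_tags:     tag names of the project's published source releases
    recorded_digests: {version: digest} captured when each release was vetted
    """
    released = {m.group(1) for m in map(VERSION.match, release_tags) if m}
    findings, suspect, floating = [], set(), []
    for tag, digest in sorted(registry_tags.items()):
        m = VERSION.match(tag)
        if not m:  # 'latest' and similar floating tags are resolved afterwards
            floating.append((tag, digest))
            continue
        version = m.group(1)
        if version not in released:
            findings.append((tag, "no-matching-release"))
            suspect.add(digest)
        elif recorded_digests.get(version, digest) != digest:
            findings.append((tag, "digest-differs-from-record"))
            suspect.add(digest)
    # A floating tag is only as trustworthy as the image it resolves to.
    for tag, digest in floating:
        if digest in suspect:
            findings.append((tag, "floating-tag-resolves-to-suspect-image"))
    return findings

# Constructed listing: version numbers come from the article, digests are placeholders.
REGISTRY = {
    "0.69.3": "sha256:" + "a" * 64,
    "0.69.4": "sha256:" + "b" * 64,
    "0.69.5": "sha256:" + "c" * 64,
    "0.69.6": "sha256:" + "d" * 64,
    "latest": "sha256:" + "d" * 64,
}
RELEASES = ["v0.69.3"]
RECORDED = {"0.69.3": "sha256:" + "a" * 64}

if __name__ == "__main__":
    for tag, reason in audit_registry_tags(REGISTRY, RELEASES, RECORDED):
        print(f"aquasecurity/trivy:{tag}: {reason}")
```

The second check also catches a released tag that has been re-pushed with different content, which a tag-only pull would not notice.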
```bash
# List every locally pulled Trivy tag together with its digest
# (inspecting the bare image name only resolves the "latest" tag)
docker image ls --digests aquasecurity/trivy
# Safe versions: 0.69.3 and earlier (pre-compromise)
# Malicious versions: 0.69.4, 0.69.5, 0.69.6
# Pull only verified safe version
docker pull aquasecurity/trivy:0.69.3
```
The Infostealer: TeamPCP Cloud Stealer
The infostealer payload embedded in Docker images and poisoned GitHub Actions is described by TeamPCP itself as the "TeamPCP Cloud Stealer". Its capabilities include:
Exfiltration Targets
| Category | Specific Targets |
|---|---|
| Memory | Runner.Worker process memory dump |
| SSH | ~/.ssh/id_*, known_hosts, authorized_keys |
| Cloud | AWS credentials file, Azure token cache, GCP service account files |
| Kubernetes | ~/.kube/config, service account tokens from /var/run/secrets/ |
| Docker | ~/.docker/config.json (registry tokens and credentials) |
| Git | .gitconfig, stored credentials, GitHub CLI auth tokens |
| Crypto | Wallet files, seed phrase files, .walletrc configurations |
| Databases | Connection strings from environment variables and config files |
Exfiltration Method
1. Collect all targeted files and environment variables
2. Compress the dataset
3. Encrypt with AES-256 (symmetric key generated per-victim)
4. Encrypt the AES key with TeamPCP's RSA-4096 public key
5. Exfiltrate the encrypted bundle to TeamPCP's C2 server (with ICP-hosted fallback if primary C2 is unreachable)
Only TeamPCP, holding the RSA private key, can decrypt the stolen data.
CanisterWorm: Self-Spreading npm Malware
Using stolen npm publish tokens extracted from compromised CI/CD environments (a cascading effect of the GitHub Actions credential theft), TeamPCP deployed CanisterWorm — a self-propagating worm targeting the npm ecosystem.
CanisterWorm operates by:
- Using stolen publish tokens to push malicious versions of compromised packages
- Each infected package runs a post-install script that searches for additional npm tokens in the environment
- Any discovered tokens are used to spread the worm further to additional packages
- The worm payload includes the TeamPCP Cloud Stealer infostealer
This creates a cascading supply chain compromise: one stolen token can propagate the worm to dozens of packages, each reaching thousands of downstream users and CI/CD pipelines.
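Because the worm described above executes through a package's post-install script, a dependency update that newly introduces an install script deserves review before it runs in CI. The following added example (not from the original article) compares two `package-lock.json` files using the `hasInstallScript` field that npm writes in lockfile versions 2 and 3; the package names and lockfile contents are constructed.

```python
import json

def install_script_changes(baseline_lock, current_lock):
    """Return dependencies whose install-script exposure changed between lockfiles."""
    old = json.loads(baseline_lock).get("packages", {})
    new = json.loads(current_lock).get("packages", {})
    findings = []
    for path, meta in sorted(new.items()):
        if not path or not meta.get("hasInstallScript"):
            continue  # "" is the root project; packages without scripts are skipped
        prev = old.get(path)
        if prev is None:
            reason = "new dependency with install script"
        elif not prev.get("hasInstallScript"):
            reason = "install script added in update"
        elif prev.get("version") != meta.get("version"):
            reason = "version changed, install script present"
        else:
            continue  # same version, script already reviewed in the baseline
        name = path.split("node_modules/")[-1]
        old_version = prev.get("version") if prev else None
        findings.append((name, old_version, meta.get("version"), reason))
    return findings

# Constructed lockfiles with hypothetical package names.
BASELINE = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/example-logger": {"version": "2.1.0"},
    "node_modules/example-native": {"version": "1.0.0", "hasInstallScript": True},
}})
CURRENT = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/example-logger": {"version": "2.1.1", "hasInstallScript": True},
    "node_modules/example-native": {"version": "1.0.0", "hasInstallScript": True},
    "node_modules/example-new": {"version": "0.1.0", "hasInstallScript": True},
}})

if __name__ == "__main__":
    for name, before, after, reason in install_script_changes(BASELINE, CURRENT):
        print(f"{name}: {before} -> {after}: {reason}")
```

Running installs in CI with `npm ci --ignore-scripts` keeps lifecycle scripts from executing until flagged packages have been reviewed.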
Stolen trivy-action CI/CD secrets
→ npm publish tokens extracted
→ CanisterWorm published to npm package ecosystem
→ Post-install scripts run in downstream pipelines
→ Additional secrets harvested
→ Further propagation
Kubernetes Wiper Component
Secrets stolen from CI/CD environments frequently include Kubernetes configuration files (KUBECONFIG) with broad cluster access. TeamPCP leveraged these to deploy a Kubernetes wiper — a component capable of:
- Deleting deployments, services, and persistent volumes
- Corrupting or deleting ConfigMaps and Secrets
- Terminating running pods across namespaces
- Potentially bricking cluster nodes if kubelet tokens are available
Organizations whose KUBECONFIG credentials were exposed during the attack window should assume this component may have been executed against their clusters.
Aqua Security Repository Defacement
In a coordinated action on March 22, 2026, all 44 targeted Aqua Security GitHub repositories were defaced in a scripted burst between 20:31:07 UTC and 20:32:26 UTC — a total execution time of under 2 minutes.
The attack leveraged a compromised "Argon-DevOps-Mgt" service account, assessed with high confidence by researchers. The defacements appear to have been a deliberate demonstration of access — "proof of ownership" rather than a destructive end goal — consistent with TeamPCP's pattern of theatrical operations to maximize notoriety.
Aqua Security confirmed in a formal update on March 23 that:
- The investigation is "actively focused on validating that all access paths have been identified and fully closed"
- There is no indication that Aqua's commercial products were impacted
- The incident was contained to the organization's GitHub presence
Detection and Response
Indicators of Compromise
Docker Hub images to block or avoid:
- aquasecurity/trivy:0.69.4
- aquasecurity/trivy:0.69.5
- aquasecurity/trivy:0.69.6
Behavioral indicators:
- Unexpected outbound HTTPS connections from Trivy scan containers/runners
- Processes accessing ~/.kube/config or /var/run/secrets/ outside normal kubectl usage
- Anomalous npm publish events from CI/CD service accounts
- tpcp-docs repository appearing in your GitHub organization
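The image indicators above, together with the tag-poisoning vector, can be turned into a scan of workflow files, Dockerfiles, and CI scripts. This is an added example, not code from the original article; the function name and the sample workflow (including the `@v1` ref and the checkout SHA) are constructed, and only the three malicious version numbers come from the article.

```python
import re

# Docker Hub versions the article lists as malicious.
MALICIOUS_TRIVY_TAGS = {"0.69.4", "0.69.5", "0.69.6"}
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([\w.-]+/[\w./-]+)@(\S+)")
# The lookahead keeps 'aquasecurity/trivy-action' from matching as the image.
IMAGE = re.compile(r"aquasecurity/trivy(?![\w.-])(?::([\w.-]+))?(@sha256:[0-9a-f]{64})?")

def scan_ci_text(text):
    """Return (line number, finding kind, matched reference) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if m and not FULL_SHA.match(m.group(2)):
            # Tags and branches can be force-pushed; a full commit SHA cannot.
            findings.append((lineno, "mutable-action-ref", f"{m.group(1)}@{m.group(2)}"))
        for im in IMAGE.finditer(line):
            tag, digest = im.group(1), im.group(2)
            if tag in MALICIOUS_TRIVY_TAGS:
                findings.append((lineno, "malicious-trivy-tag", im.group(0)))
            elif digest is None:
                findings.append((lineno, "trivy-not-digest-pinned", im.group(0)))
    return findings

# Constructed workflow for illustration only.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@v1
      - run: docker run aquasecurity/trivy:0.69.5 image app:latest
      - run: docker run aquasecurity/trivy:0.69.3 image app:latest
"""

if __name__ == "__main__":
    for lineno, kind, ref in scan_ci_text(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {kind}: {ref}")
```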
Immediate Mitigation Steps
```bash
# 1. Stop using any Trivy version beyond 0.69.3
#    Update your Dockerfiles and CI pipelines:
#    FROM aquasecurity/trivy:0.69.3
# 2. Pin GitHub Action to pre-compromise SHA (verify with Aqua Security advisory)
#    - uses: aquasecurity/trivy-action@<pre-compromise-sha>
# 3. Check for CanisterWorm in npm packages
npm audit
npm ls --all 2>/dev/null | grep -i "trivy\|tpcp\|canisters"
# 4. Rotate all credentials accessible to affected pipelines
#    (AWS, Azure, GCP, Kubernetes, Docker, GitHub tokens)
# 5. Check Kubernetes cluster for unexpected changes
kubectl get events --all-namespaces --sort-by='.metadata.creationTimestamp' | tail -100
# 6. Search GitHub org for TeamPCP marker repos (one repository name per line)
gh repo list YOUR_ORG --limit 500 --json name --jq '.[].name' | grep -i tpcp
```
Key Takeaways
- The Trivy attack has expanded from GitHub Actions to Docker Hub (versions 0.69.4–0.69.6), npm (CanisterWorm worm), and Kubernetes wiper components
- Last safe Docker Hub version is 0.69.3 — avoid 0.69.4 and later
- CanisterWorm is self-spreading — stolen npm tokens were used to propagate the infostealer across the npm ecosystem
- Kubernetes clusters are at risk — stolen kubeconfigs may have been leveraged to wipe cluster resources
- 44 Aqua Security repos were defaced in under 2 minutes via a compromised DevOps service account
- Aqua's commercial products were not affected — the incident is contained to open-source tooling and GitHub organization presence
- Rotate all credentials, pin to known-safe versions, and assume compromise if Trivy 0.69.4+ ran in your environment