Full Report
Cybersecurity researchers have uncovered malicious artifacts distributed via Docker Hub following the Trivy supply chain attack, highlighting the widening blast radius across developer environments. The last known clean release of Trivy on Docker Hub is 0.69.3. The malicious versions 0.69.4, 0.69.5, and 0.69.6 have since been removed from the container image library. "New image tags 0.69.5 and
Analysis Summary
# Incident Report: TeamPCP Supply Chain Compromise and "CanisterWorm" Distribution
## Executive Summary
A large-scale supply chain attack targeting the popular Trivy vulnerability scanner led to the distribution of malicious container images and GitHub Actions. Attributed to the threat actor "TeamPCP," the incident escalated from credential theft to the defacement of Aqua Security’s internal repositories and the deployment of "CanisterWorm," a wiper/backdoor targeting Kubernetes clusters and container environments.
## Incident Details
- **Discovery Date:** March 22, 2026
- **Incident Date:** March 2026 (Ongoing)
- **Affected Organization:** Aqua Security (Trivy maintained by Aqua Security)
- **Sector:** Technology / Cybersecurity / DevOps
- **Geography:** Global (with specific wiper targeting in Iran)
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-March 2026
- **Vector:** Compromised service account credentials.
- **Details:** Attackers gained access to high-privileged credentials for the "Argon-DevOps-Mgt" service account, likely harvested from a prior compromise of Trivy GitHub Actions.
### Lateral Movement
- Use of a single bot account (GitHub ID 139343333) that bridged multiple GitHub organizations, providing write/admin access to both public and internal repositories.
### Data Exfiltration/Impact
- **March 22, 20:31 UTC:** Scripted attack defaced 44 internal repositories in the "aquasec-com" organization within two minutes.
- Malicious Docker images (0.69.4 - 0.69.6) were pushed to Docker Hub containing infostealers.
### Detection & Response
- **Detection:** Identified by security researchers (Socket, OpenSourceMalware, Aikido) noting image tags pushed without corresponding GitHub releases.
- **Response:** Removal of malicious tags from Docker Hub; forensic analysis of GitHub Events API.
## Attack Methodology
- **Initial Access:** Compromised "Argon-DevOps-Mgt" service account token.
- **Persistence:** Implementation of "CanisterWorm" as a systemd service on non-K8s hosts; deployment of privileged DaemonSets on K8s.
- **Privilege Escalation:** Use of admin-level service account tokens bridging organizational environments.
- **Defense Evasion:** Use of legitimate CI/CD infrastructure (Docker Hub, GitHub Actions) to distribute malware.
- **Credential Access:** TeamPCP infostealer used to harvest further developer credentials.
- **Discovery:** Scanning for exposed Docker APIs (Port 2375) and SSH keys.
- **Lateral Movement:** Propagation via SSH using stolen keys across local subnets.
- **Impact:** Defacement of repositories; "kamikaze" wiper malware targeting Iranian infrastructure; "rm -rf /" executed on targeted hosts.
## Impact Assessment
- **Financial:** Undisclosed; high potential for remediation costs across the user base.
- **Data Breach:** Compromise of internal GitHub repositories and potential theft of developer secrets.
- **Operational:** Disruption of CI/CD pipelines; destruction of Kubernetes clusters in specific regions.
- **Reputational:** Significant impact on the perceived integrity of widely used open-source security tools.
## Indicators of Compromise
- **File indicators:** Trivy Docker image versions `0.69.4`, `0.69.5`, `0.69.6`.
- **Behavioral indicators:** GitHub repository renaming prefix `tpcp-docs-`; unauthorized shell scripts executing `rm -rf / --no-preserve-root`; unexpected privileged DaemonSets in K8s.
- **Network indicators:** Traffic to Docker API port `2375[.]`; connections to ICP canisters associated with CanisterWorm.
## Response Actions
- **Containment:** Malicious images removed from Docker Hub.
- **Eradication:** Revocation of the compromised "Argon-DevOps-Mgt" service account.
- **Recovery:** Ongoing efforts to restore defaced repositories and advise the community on clean versions (0.69.3).
## Lessons Learned
- **Credential Lifecycle:** A "long tail" effect exists where credentials stolen months ago were weaponized only recently.
- **Service Account Risk:** Service accounts bridging multiple organizational boundaries create a single point of failure.
- **Supply Chain Trust:** Relying on Docker tags without verifying corresponding GitHub releases/tags remains a significant risk.
## Recommendations
- **Version Pinning:** Pin Trivy versions to the last known clean release (`0.69.3`) and use SHA256 hashes rather than tags.
- **Secret Rotation:** Immediately rotate any secrets or tokens that have been exposed to affected versions of Trivy or related GitHub Actions.
- **Audit Logs:** Review GitHub Events API logs for any unauthorized repository modifications or service account activity.
- **Network Hardening:** Ensure Docker API port 2375 is not exposed and implement strict egress filtering for CI/CD runners.