Full Report
The TeamPCP hackers behind the Trivy supply-chain attack continued to target Aqua Security, pushing malicious Docker images and hijacking the company's GitHub organization to tamper with dozens of repositories. [...]
Analysis Summary
# Incident Report: TeamPCP Aqua Security Supply-Chain Breach
## Executive Summary
Aqua Security suffered a persistent supply-chain attack orchestrated by the threat actor "TeamPCP." The attackers leveraged a compromised service account to push malicious Docker images and hijack the company’s GitHub organization, tampering with 44 repositories. The incident highlights a failure in initial containment, as attackers utilized refreshed tokens from a previous breach to re-establish access and deliver infostealing malware.
## Incident Details
- **Discovery Date:** March 22, 2026
- **Incident Date:** March 2 - March 22, 2026
- **Affected Organization:** Aqua Security
- **Sector:** Cybersecurity / Software Development
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Early March 2026
- **Vector:** Compromised GitHub build pipeline for Trivy.
- **Details:** Incomplete containment of a previous incident allowed attackers to intercept refreshed tokens that were not rotated atomically.
### Lateral Movement
- **Details:** Attackers compromised the "Argon-DevOps-Mgt" service account. This account utilized a Personal Access Token (PAT) rather than a GitHub App, granting admin access across both public (*aquasecurity*) and private (*aquasec-com*) GitHub organizations.
### Data Exfiltration/Impact
- **Details:** Malicious Trivy image tags (0.69.5 and 0.69.6) were pushed to Docker Hub. 44 proprietary repositories were renamed with the prefix *tpcp-docs-* and descriptions were changed to "TeamPCP Owns Aqua Security." Infostealing malware (TeamPCP Cloud stealer) was deployed to harvest CI/CD credentials.
### Detection & Response
- **Detection:** Identified by Socket researchers observing image tags on Docker Hub (March 22) and Aqua's internal monitoring of "suspicious activity" in their private GitHub organization.
- **Response:** Engagement of incident response firm Sygnia; publication of safe Trivy versions; rotation of secrets (though initially unsuccessful).
## Attack Methodology
- **Initial Access:** Incomplete secret rotation/Session hijacking.
- **Persistence:** High-privilege Personal Access Token (PAT) for a service account.
- **Privilege Escalation:** Service account (Argon-DevOps-Mgt) held administrative rights over multiple organizations.
- **Defense Evasion:** Use of automated scripts for rapid repository modification; deletion of test branches within the same second of creation.
- **Credential Access:** TeamPCP Cloud stealer used to collect GitHub tokens, SSH keys, and cloud environment variables from CI runners.
- **Discovery:** Automated reconnaissance of GitHub repository structures.
- **Lateral Movement:** Pivot from public repository build pipelines to private proprietary code organizations.
- **Collection:** Harvesting secrets from CI/CD runners.
- **Exfiltration:** Exfiltration of stolen tokens and metadata via the infostealer.
- **Impact:** Supply-chain poisoning (Docker Hub) and repository defacement.
## Impact Assessment
- **Financial:** Costs associated with third-party IR (Sygnia) and remediation labor.
- **Data Breach:** Compromise of proprietary source code repositories; theft of CI/CD secrets and environment variables.
- **Operational:** Disruption of development workflows and necessity to audit all 44 hijacked repositories.
- **Reputational:** High; Trivy is a flagship security tool with 33,800+ stars; trust in official Docker images was compromised.
## Indicators of Compromise
- **Network indicators:** [None specified in text, but infostealer C2 communication is implied].
- **File indicators:** Docker image tags `0.69.5` and `0.69.6`.
- **Behavioral indicators:** GitHub repository renaming with prefix `tpcp-docs-`; unauthorized creation/deletion of `update-plugin-links-v0.218.2` branches.
## Response Actions
- **Containment:** Rotation of all GitHub tokens and secrets.
- **Eradication:** Removal of malicious Docker tags from Docker Hub.
- **Recovery:** Restoring repository names and descriptions; investigating the depth of the proprietary code compromise with Sygnia.
## Lessons Learned
- **Non-Atomic Rotation:** Rotating secrets in a piecemeal fashion allows attackers to "race" the defenders and steal new tokens as they are generated.
- **Service Account Risks:** Using long-lived PATs for service accounts instead of GitHub Apps (which use short-lived tokens and better permission scoping) creates a single point of failure.
- **MFA Gaps:** Service accounts often lack MFA, making them prime targets for token theft.
## Recommendations
- **Transition to GitHub Apps:** Replace PATs with GitHub Apps for all CI/CD integrations to leverage granular permissions and token expiration.
- **Immutable Tags:** Implement internal signing of Docker images (e.g., Cosign/Notary) so users can verify integrity regardless of tag names.
- **Atomic Secret Revocation:** When a breach is suspected, implement a "kill switch" for all sessions and tokens simultaneously rather than rotating them one by one.
- **Runner Hardening:** Use ephemeral, isolated runners for CI/CD to minimize the window for infostealers to harvest environment variables.