[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article-trivy-docker-images-fresh-supply-chain-attack-en":3,"tags-trivy-docker-images-fresh-supply-chain-attack-en":30,"related-lang-trivy-docker-images-fresh-supply-chain-attack-en":41,"related-posts-trivy-docker-images-fresh-supply-chain-attack-en":45,"series-industry-5a5a96eb-ef53-46ce-9ad4-b5158fd0d799":82},{"id":4,"title":5,"content":6,"summary":7,"source":8,"source_url":9,"author":10,"image_url":11,"keywords":12,"language":18,"translated_content":10,"views":19,"is_premium":20,"created_at":21,"updated_at":21,"cover_image":11,"published_at":22,"rewrite_status":23,"rewrite_error":10,"rewritten_from_id":24,"slug":25,"category":26,"related_article_id":27,"status":28,"google_indexed_at":29,"x_posted_at":10,"tweet_text":10,"title_rewritten_at":10,"title_original":10,"key_takeaways":10,"topic_cluster_id":10,"embedding":10,"is_canonical_seed":20},"5a5a96eb-ef53-46ce-9ad4-b5158fd0d799","Trivy Docker Images Hit by Fresh Supply Chain Attack","\u003Cp>The Trivy incident just got bigger. After the initial compromise of version 0.69.4, researchers at \u003Ca href=\"https:\u002F\u002Fsocket.dev\" target=\"_blank\" rel=\"noopener\">Socket\u003C\u002Fa> found that Docker images tagged 0.69.5 and 0.69.6 were also tainted, with the 0.69.6 tag still pointing to a malicious image at the time of reporting.\u003C\u002Fp>\u003Cp>That matters because \u003Ca href=\"https:\u002F\u002Ftrivy.dev\" target=\"_blank\" rel=\"noopener\">Trivy\u003C\u002Fa> is a scanner many teams drop straight into CI\u002FCD pipelines to check containers, code, and dependencies. If the scanner itself is compromised, the trust chain breaks in a place developers usually treat as safe.\u003C\u002Fp>\u003Cp>The new findings turn this from a single bad release into a wider supply chain incident. 
The attack now touches Docker Hub, GitHub Actions, and the release process around one of the most widely used open-source security tools in container workflows.\u003C\u002Fp>\u003Ch2>What changed after the first Trivy compromise\u003C\u002Fh2>\u003Cp>On March 19, 2026, attackers compromised Trivy 0.69.4 and injected credential-stealing malware into official releases and GitHub Actions. By March 22, researchers had identified two more malicious Docker image tags, 0.69.5 and 0.69.6, uploaded without matching GitHub releases.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775200021787-7rb1.png\" alt=\"Trivy Docker Images Hit by Fresh Supply Chain Attack\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>That detail is important. A normal release flow leaves a paper trail: source tag, build, artifact, and published image. Here, the image tags appeared without the usual release process, which is exactly the kind of mismatch defenders should watch for in build pipelines.\u003C\u002Fp>\u003Cp>Socket’s analysis said the new images carried indicators linked to the TeamPCP infostealer seen in the earlier part of the campaign. 
Aqua Security later confirmed it had found additional suspicious activity on March 22, including unauthorized changes and repository tampering.\u003C\u002Fp>\u003Cul>\u003Cli>0.69.3 is the last known clean Trivy release\u003C\u002Fli>\u003Cli>0.69.4 was the first compromised version and has been removed\u003C\u002Fli>\u003Cli>0.69.5 and 0.69.6 were later found compromised in Docker Hub\u003C\u002Fli>\u003Cli>The latest tag at the time pointed to 0.69.6\u003C\u002Fli>\u003Cli>Researchers found typosquatted C2 domains and exfiltration artifacts in the malicious binaries\u003C\u002Fli>\u003C\u002Ful>\u003Ch2>Why CI\u002FCD pipelines are the real target\u003C\u002Fh2>\u003Cp>This kind of attack works because developers trust the scanner as much as they trust the code it scans. When a tool like Trivy runs inside CI\u002FCD, it often has access to source repositories, build logs, cloud credentials, and environment variables. A compromised scanner can quietly collect those secrets while looking like a routine security job.\u003C\u002Fp>\u003Cp>Aqua Security said the activity matched the attacker’s earlier behavior. That phrasing fits the pattern: initial access through one channel, then reuse of tokens and automation to spread across related systems. In this case, the attackers moved from GitHub Actions into Docker distribution and then into internal repository exposure.\u003C\u002Fp>\u003Cp>For teams that pin only a tag like \u003Ccode>trivy:latest\u003C\u002Fcode> or even a version tag without digest verification, that is a problem. Docker tags can be reassigned, and this incident is a clean example of why a tag is a pointer, not proof.\u003C\u002Fp>\u003Cblockquote>“Based on our current understanding, this activity is consistent with the attacker’s previously observed behavior,” Aqua Security said in its March 23 update.\u003C\u002Fblockquote>\u003Cp>That quote matters because it signals continuity, not a random one-off breach. 
The attacker reused the same operational style across multiple stages, which usually means defenders should expect more than one infected artifact before the campaign burns out.\u003C\u002Fp>\u003Ch2>The GitHub exposure made the blast radius wider\u003C\u002Fh2>\u003Cp>The attack did not stop at Docker images. Researchers reported that an internal GitHub organization tied to Aqua Security was briefly exposed, with dozens of repositories renamed and made public during the incident. Investigators believe a compromised service account token had access to multiple GitHub organizations.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775200012148-i5n5.png\" alt=\"Trivy Docker Images Hit by Fresh Supply Chain Attack\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>The speed of the change is telling. The repository modifications reportedly happened in a scripted burst lasting about two minutes, which points to automation rather than a human clicking through pages one by one. That kind of burst usually means the attacker already had a playbook and a token with broad reach.\u003C\u002Fp>\u003Cp>There is also a broader threat angle here. 
The campaign has been linked to \u003Ca href=\"https:\u002F\u002Fsocket.dev\u002Fblog\u002Fteampcp-supply-chain-campaign\" target=\"_blank\" rel=\"noopener\">TeamPCP\u003C\u002Fa>, a group researchers say has moved beyond pure credential theft into worm propagation, ransomware deployment, cryptocurrency mining, and destructive activity against Kubernetes environments.\u003C\u002Fp>\u003Cul>\u003Cli>Dozens of repositories were reportedly renamed and made public\u003C\u002Fli>\u003Cli>The scripted repository changes ran for roughly two minutes\u003C\u002Fli>\u003Cli>A service account token may have reached multiple GitHub organizations\u003C\u002Fli>\u003Cli>TeamPCP has been tied to credential theft, ransomware, mining, and destructive Kubernetes attacks\u003C\u002Fli>\u003C\u002Ful>\u003Ch2>How this compares with other supply chain incidents\u003C\u002Fh2>\u003Cp>The Trivy case fits a pattern we have seen in other open-source compromises: one entry point, then rapid reuse across package registries, build systems, and developer tooling. The difference here is that the tool itself is a security scanner, which raises the stakes for every pipeline that treats scan output as trustworthy by default.\u003C\u002Fp>\u003Cp>One point of comparison for the blast radius is the \u003Ca href=\"https:\u002F\u002Fwww.infosecurity-magazine.com\u002Fnews\u002Fdocker-hub-breach-exposes-190k-users\u002F\" target=\"_blank\" rel=\"noopener\">2019 Docker Hub breach\u003C\u002Fa>, which exposed about 190,000 users. The Trivy incident did not expose that many accounts, but it reached into a more sensitive part of software delivery: the security checks that gate releases.\u003C\u002Fp>\u003Cp>That makes verification more important than version numbers. 
Teams should compare what they pull against what was actually released, and they should prefer immutable digests over mutable tags whenever possible.\u003C\u002Fp>\u003Cul>\u003Cli>Docker Hub tags can be changed after publication\u003C\u002Fli>\u003Cli>GitHub Actions can be abused to inject malicious build output\u003C\u002Fli>\u003Cli>Scanner tools can become attack vehicles inside CI\u002FCD\u003C\u002Fli>\u003Cli>Digest pinning gives stronger integrity checks than version tags alone\u003C\u002Fli>\u003C\u002Ful>\u003Cp>Aqua Security said there is no indication its commercial products were impacted, including Trivy as delivered within the Aqua Platform. That narrows the confirmed damage, but it does not reduce the need for review if your pipelines pulled the affected open-source images directly.\u003C\u002Fp>\u003Ch2>What teams should do now\u003C\u002Fh2>\u003Cp>If your builds used Trivy recently, check whether your pipelines pulled 0.69.4, 0.69.5, or 0.69.6 from Docker Hub, or pulled the \u003Ccode>latest\u003C\u002Fcode> tag while it pointed at 0.69.6. Review those scan jobs for odd outbound traffic, unknown environment variable access, unexpected repository changes, and any authentication activity tied to the scanner container.\u003C\u002Fp>\u003Cp>Then lock down the basics. Pin images by digest, not by tag, and record which digest each job ran so the question of what you pulled has an answer. Treat every credential the scan job could read, including environment variables and mounted tokens, as exposed and rotate it. Audit GitHub Actions permissions and service account tokens. If you depend on security tools inside automation, treat them like production software, because attackers do.\u003C\u002Fp>\u003Cp>The practical prediction here is simple: more supply chain attacks will aim at the tools developers trust most, especially scanners, package managers, and CI helpers. The next incident will probably look less like a loud breach and more like a normal build job that quietly shipped a bad binary.\u003C\u002Fp>\u003Cp>If your pipeline still trusts mutable tags, this is the week to fix that. 
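\u003C\u002Fp>\u003Cp>The tag-versus-digest point made earlier and the checklist in this section come down to one question: which Trivy build did each job actually pull? The script below is an added example for this page, not code from the original article or from the Trivy project. It scans pipeline text (workflow YAML, Dockerfiles, \u003Ccode>docker run\u003C\u002Fcode> lines) for Trivy references and classifies each one as digest-pinned, as a tag the article reports as compromised (0.69.4 to 0.69.6, plus \u003Ccode>latest\u003C\u002Fcode>, which pointed at 0.69.6 when the compromise was reported), or as a mutable tag that needs re-pinning. Assumptions the article does not state: the image repository paths \u003Ccode>aquasec\u002Ftrivy\u003C\u002Fcode> and \u003Ccode>ghcr.io\u002Faquasecurity\u002Ftrivy\u003C\u002Fcode>, the action name \u003Ccode>aquasecurity\u002Ftrivy-action\u003C\u002Fcode> (the article does not say which action versions were affected, so action refs are only classified as commit-SHA-pinned or movable), and the sample pipeline text, whose digest and SHA values are constructed placeholders.\u003C\u002Fp>
```python
# Added example (not from the article or the Trivy project): audit pipeline text for
# Trivy references that could have pulled a compromised build, and for mutable pins.

# Tags the article reports as compromised, and the last clean release it names.
LAST_CLEAN_TAG = '0.69.3'
COMPROMISED_TAGS = {'0.69.4', '0.69.5', '0.69.6'}
# The article says the 'latest' tag pointed at 0.69.6 at the time of reporting.
MUTABLE_TAGS = {'latest'}
# Assumed repository paths for the Trivy image; the article only says 'Docker Hub'.
TRIVY_IMAGES = {'aquasec/trivy', 'ghcr.io/aquasecurity/trivy'}
# Assumed name of the GitHub Action; affected action versions are not named by the
# article, so action refs are only classified as SHA-pinned or movable.
TRIVY_ACTION = 'aquasecurity/trivy-action'


def parse_image_ref(ref):
    '''Split an image reference into (name, tag, digest); missing parts are None.'''
    ref = ref.strip()
    digest = None
    if '@' in ref:
        ref, digest = ref.split('@', 1)
    name, tag = ref, None
    if ':' in ref:
        head, tail = ref.rsplit(':', 1)
        if '/' not in tail:  # a ':' inside a path segment is a registry port, not a tag
            name, tag = head, tail
    return name, tag, digest


def normalize_name(name):
    '''Map Docker Hub short forms onto a canonical registry/repository string.'''
    name = name.lower()
    for prefix in ('index.docker.io/', 'docker.io/'):
        if name.startswith(prefix):
            name = name[len(prefix):]
    if '/' not in name:
        name = 'library/' + name  # Docker Hub official images live under library/
    return name


def assess_image_ref(ref):
    '''Return (verdict, reason) for one image reference.'''
    name, tag, digest = parse_image_ref(ref)
    if normalize_name(name) not in TRIVY_IMAGES:
        return 'ignore', 'not a Trivy image'
    if digest:
        # A digest names exact content; the tag beside it is only a label. Whether that
        # content is clean is a separate check against the digests the project published.
        return 'pinned', 'pinned by digest ' + digest[:19] + '...'
    version = 'latest' if tag is None else tag
    if version.startswith('v'):
        version = version[1:]
    if version in MUTABLE_TAGS:
        return 'affected', repr(version) + ' pointed at 0.69.6 when the compromise was reported'
    if version in COMPROMISED_TAGS:
        return 'affected', 'tag ' + version + ' is a compromised release'
    if version == LAST_CLEAN_TAG:
        return 'mutable', 'tag ' + version + ' was the last clean release, but the tag can still be reassigned'
    return 'mutable', 'tag ' + version + ' can be reassigned; re-pin by digest and verify'


def assess_action_ref(uses):
    '''GitHub Actions: only a 40-hex commit SHA is immutable; tags and branches can move.'''
    _, _, ref = uses.partition('@')
    if len(ref) == 40 and all(c in '0123456789abcdef' for c in ref):
        return 'pinned', 'action pinned to a commit SHA'
    return 'mutable', 'action ref ' + repr(ref) + ' is a movable tag or branch'


def audit_pipeline(text):
    '''Scan workflow/Dockerfile text; return (line_no, token, verdict, reason) findings.'''
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith('#'):
            continue
        for tok in stripped.replace(',', ' ').split():
            tok = tok.strip(chr(34) + chr(39))  # drop surrounding quotes
            if 'trivy' not in tok.lower():
                continue
            if tok.startswith(TRIVY_ACTION + '@'):
                verdict, reason = assess_action_ref(tok)
            else:
                verdict, reason = assess_image_ref(tok)
            if verdict != 'ignore':
                findings.append((line_no, tok, verdict, reason))
    return findings


# Constructed sample: fragments of a GitHub Actions workflow plus a Dockerfile line.
# The digest and SHA values are placeholders, not real Trivy artifacts.
SAMPLE_PIPELINE = '''
jobs:
  scan:
    container:
      image: aquasec/trivy:latest
    steps:
      - uses: aquasecurity/trivy-action@v1
      - run: docker run --rm aquasec/trivy:0.69.5 image myapp:ci
  pinned:
    container:
      image: docker.io/aquasec/trivy:0.69.3@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    steps:
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
FROM ghcr.io/aquasecurity/trivy:0.69.3
'''

if __name__ == '__main__':
    for line_no, tok, verdict, reason in audit_pipeline(SAMPLE_PIPELINE):
        print(line_no, verdict.upper(), tok, '-', reason)
```
\u003Cp>Run it as-is to see the findings for the constructed sample, or pass the contents of your own workflow files to \u003Ccode>audit_pipeline\u003C\u002Fcode>. A digest-pinned reference is reported as pinned because the digest fixes the content that was pulled; confirming that the digest is one the project actually published is a separate, online check this script does not perform, and a pinned reference to a compromised build is still compromised.\u003C\u002Fp>\u003Cp>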
The question is not whether another scanner will be targeted, but which one gets hit next.\u003C\u002Fp>","Compromised Trivy Docker tags 0.69.5 and 0.69.6 spread TeamPCP malware into CI\u002FCD scans after a GitHub Actions breach.","www.infosecurity-magazine.com","https:\u002F\u002Fwww.infosecurity-magazine.com\u002Fnews\u002Ftrivy-supply-chain-attack-expands\u002F",null,"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775200021787-7rb1.png",[13,14,15,16,17],"Trivy","Docker Hub","supply chain attack","GitHub Actions","TeamPCP","en",1,false,"2026-04-03T07:06:34.083167+00:00","2026-04-03T07:06:34.054+00:00","done","b37958d9-8b95-47b9-af48-90992efa8d58","trivy-docker-images-fresh-supply-chain-attack-en","industry","991499d1-f367-4854-8dd2-029e5532819c","published","2026-04-07T07:41:09.826+00:00",[31,33,35,37,39],{"name":13,"slug":32},"trivy",{"name":17,"slug":34},"teampcp",{"name":15,"slug":36},"supply-chain-attack",{"name":16,"slug":38},"github-actions",{"name":14,"slug":40},"docker-hub",{"id":27,"slug":42,"title":43,"language":44},"trivy-docker-images-fresh-supply-chain-attack-zh","Trivy Docker 映像遭供應鏈攻擊","zh",[46,52,58,64,70,76],{"id":47,"slug":48,"title":49,"cover_image":50,"image_url":50,"created_at":51,"category":26},"6ff3920d-c8ea-4cf3-8543-9cf9efc3fe36","circles-agent-stack-targets-machine-speed-payments-en","Circle’s Agent Stack targets machine-speed payments","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778871659638-hur1.png","2026-05-15T19:00:44.756112+00:00",{"id":53,"slug":54,"title":55,"cover_image":56,"image_url":56,"created_at":57,"category":26},"1270e2f4-6f3b-4772-9075-87c54b07a8d1","iren-signs-nvidia-ai-infrastructure-pact-en","IREN signs Nvidia AI infrastructure 
pact","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778871059665-3vhi.png","2026-05-15T18:50:38.162691+00:00",{"id":59,"slug":60,"title":61,"cover_image":62,"image_url":62,"created_at":63,"category":26},"b308c85e-ee9c-4de6-b702-dfad6d8da36f","circle-agent-stack-ai-payments-en","Circle launches Agent Stack for AI payments","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778870450891-zv1j.png","2026-05-15T18:40:31.462625+00:00",{"id":65,"slug":66,"title":67,"cover_image":68,"image_url":68,"created_at":69,"category":26},"f7028083-46ba-493b-a3db-dd6616a8c21f","why-nebius-ai-pivot-is-more-real-than-hype-en","Why Nebius’s AI Pivot Is More Real Than Hype","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778823055711-tbfv.png","2026-05-15T05:30:26.829489+00:00",{"id":71,"slug":72,"title":73,"cover_image":74,"image_url":74,"created_at":75,"category":26},"b63692ed-db6a-4dbd-b771-e1babdc94af7","nvidia-backs-corning-factories-with-billions-en","Nvidia backs Corning factories with billions","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778822444685-tvx6.png","2026-05-15T05:20:28.914908+00:00",{"id":77,"slug":78,"title":79,"cover_image":80,"image_url":80,"created_at":81,"category":26},"26ab4480-2476-4ec7-b43a-5d46def6487e","why-anthropic-gates-foundation-ai-public-goods-en","Why Anthropic and the Gates Foundation should fund AI public goods","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778796645685-wbw0.png","2026-05-14T22:10:22.60302+00:00",[83,88,93,98,103,108,113,118,123,128],{"id":84,"slug":85,"title":86,"created_at":87},"d35a1bd9-e709-412e-a2df-392df1dc572a","ai-impact-2026-developments-market-en","AI's 
Impact in 2026: Key Developments and Market Shifts","2026-03-25T16:20:33.205823+00:00",{"id":89,"slug":90,"title":91,"created_at":92},"5ed27921-5fd6-492e-8c59-78393bf37710","trumps-ai-legislative-framework-en","Trump's AI Legislative Framework: What's Inside?","2026-03-25T16:22:20.005325+00:00",{"id":94,"slug":95,"title":96,"created_at":97},"e454a642-f03c-4794-b185-5f651aebbaca","nvidia-gtc-2026-key-highlights-innovations-en","NVIDIA GTC 2026: Key Highlights and Innovations","2026-03-25T16:22:47.882615+00:00",{"id":99,"slug":100,"title":101,"created_at":102},"0ebb5b16-774a-4922-945d-5f2ce1df5a6d","claude-usage-diversifies-learning-curves-en","Claude Usage Diversifies, Learning Curves Emerge","2026-03-25T16:25:50.770376+00:00",{"id":104,"slug":105,"title":106,"created_at":107},"69934e86-2fc5-4280-8223-7b917a48ace8","openclaw-ai-commoditization-concerns-en","OpenClaw's Rise Raises Concerns of AI Model Commoditization","2026-03-25T16:26:30.582047+00:00",{"id":109,"slug":110,"title":111,"created_at":112},"b4b2575b-2ac8-46b2-b90e-ab1d7c060797","google-gemini-ai-rollout-2026-en","Google's Gemini AI Rollout Extended to 2026","2026-03-25T16:28:14.808842+00:00",{"id":114,"slug":115,"title":116,"created_at":117},"6e18bc65-42ae-4ad0-b564-67d7f66b979e","meta-llama4-fabricated-results-scandal-en","Meta's Llama 4 Scandal: Fabricated AI Test Results Unveiled","2026-03-25T16:29:15.482836+00:00",{"id":119,"slug":120,"title":121,"created_at":122},"bf888e9d-08be-4f47-996c-7b24b5ab3500","accenture-mistral-ai-deployment-en","Accenture and Mistral AI Team Up for AI Deployment","2026-03-25T16:31:01.894655+00:00",{"id":124,"slug":125,"title":126,"created_at":127},"5382b536-fad2-49c6-ac85-9eb2bae49f35","mistral-ai-high-stakes-2026-en","Mistral AI: Facing High Stakes in 2026","2026-03-25T16:31:39.941974+00:00",{"id":129,"slug":130,"title":131,"created_at":132},"9da3d2d6-b669-4971-ba1d-17fdb3548ed5","cursors-meteoric-rise-pressures-en","Cursor's Meteoric Rise Faces Industry 
Pressures","2026-03-25T16:32:21.899217+00:00"]