Trivy Supply Chain Attack Expands to Compromised Docker Images

Newly published Trivy Docker images (0.69.4, 0.69.5, and 0.69.6) were found to contain infostealer IOCs and were pushed to Docker Hub without corresponding GitHub releases.

Philipp Burckhardt

March 22, 2026

Socket's threat research team has identified additional compromised Trivy artifacts published to Docker Hub, following the recently disclosed GitHub Actions compromise affecting the aquasecurity/trivy-action repository.

New image tags 0.69.5 and 0.69.6 were pushed on March 22 without corresponding GitHub releases or tags. Both images contain indicators of compromise associated with the same TeamPCP infostealer observed in earlier stages of this campaign. The latest tag currently points to 0.69.6, which is also compromised.

Analysis of the binaries confirms the presence of known IOCs, including the typosquatted C2 domain scan.aquasecurtiy.org, exfiltration artifacts (payload.enc, tpcp.tar.gz), and references to the fallback tpcp-docs GitHub repository.

As part of the broader incident, security researcher Paul McCarty noted that the Aqua Security GitHub organization appeared to have been exposed, suggesting that internal repository access may have been temporarily made public during the attack. While the full scope of this exposure remains unclear, it further indicates the level of access obtained by the attacker.

At this time:

  • 0.69.3 remains the last known clean release
  • 0.69.4 was the initial compromised release (since removed)
  • 0.69.5 and 0.69.6 are newly identified compromised Docker images

Based on registry timelines, we do not have evidence that older Docker images or binaries (≤0.69.3) were modified after publication. However, Docker Hub tags are not immutable, and organizations should not rely solely on tag names for integrity.

A search for “trivy” on Docker Hub returns thousands of images, including official builds, CI/CD integrations, and third-party derivatives. These images are not inherently compromised, but those that automatically pulled or rebuilt against affected Trivy versions during the attack windows may have incorporated malicious binaries, expanding the potential impact beyond the official images.

Organizations are already taking precautionary steps in response to the incident. A maintainer of multiple widely used open source tools that depend on Trivy, who asked to remain anonymous, told us they have revoked all tokens and adopted trusted publishing practices.

Organizations should review their use of Trivy in CI/CD pipelines, avoid affected versions, and treat any recent executions as potentially compromised.
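As an added example (not code from Socket or the Trivy project), the Python below scans Dockerfile, workflow or compose text for Trivy image references and flags the affected tags named in this post, the floating `latest` tag, and any reference that is not pinned by digest. The image names `aquasec/trivy` and `ghcr.io/aquasecurity/trivy`, and the helper names `classify_ref` and `scan_pipeline_text`, are assumptions for this example.

```python
import re

# Versions named in the post: 0.69.3 is the last clean release, 0.69.4 through 0.69.6
# are compromised, and the floating "latest" tag currently resolves to 0.69.6.
COMPROMISED_TAGS = {"0.69.4", "0.69.5", "0.69.6"}

# Image names are an assumption (Docker Hub publishes the official image under aquasec/,
# GitHub's registry under aquasecurity/); extend the tuple to whatever your pipelines pull.
TRIVY_NAMES = ("aquasec/trivy", "docker.io/aquasec/trivy", "ghcr.io/aquasecurity/trivy")

# Matches name[:tag][@sha256:<64 hex>] for any registry path that ends in "trivy".
REF_RE = re.compile(
    r"(?P<name>(?:[\w.-]+/)*trivy)(?::(?P<tag>[\w.-]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
)

def classify_ref(ref):
    """Verdict for a single image reference string."""
    m = REF_RE.fullmatch(ref.strip())
    if not m or m.group("name") not in TRIVY_NAMES:
        return "not-trivy"
    if m.group("digest"):
        return "digest-pinned"      # content-addressed, so a re-pushed tag cannot change it
    tag = m.group("tag") or "latest"  # an untagged pull resolves to latest
    if tag in COMPROMISED_TAGS or tag == "latest":
        return "compromised"
    return "tag-only"               # mutable tag: verify the digest, then pin it

def scan_pipeline_text(text):
    """Report every Trivy image reference in Dockerfile, workflow or compose text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in REF_RE.finditer(line):
            if m.group("name") in TRIVY_NAMES:
                findings.append((lineno, m.group(0), classify_ref(m.group(0))))
    return findings

# Constructed sample: three lines of the kind found in a Dockerfile and a CI workflow.
SAMPLE = (
    "FROM aquasec/trivy:0.69.6 AS scanner\n"
    "image: ghcr.io/aquasecurity/trivy@sha256:" + "0" * 64 + "\n"
    "      run: docker run --rm aquasec/trivy fs /src\n"
)

if __name__ == "__main__":
    for lineno, ref, verdict in scan_pipeline_text(SAMPLE):
        print(f"line {lineno}: {ref} -> {verdict}")
```

A `tag-only` verdict on 0.69.3 is not a clean bill of health: resolve the tag to its digest, compare it with the digest you recorded before March 22, and pin that digest in the pipeline.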

You can track affected artifacts and ongoing activity in our campaign pages for the Trivy GitHub Actions compromise and the related Canisterworm campaign.
