Trivy Supply Chain Attack Escalates — TeamPCP Pushes Infostealers via Docker Hub, Deploys Kubernetes Wiper Targeting Iranian Systems

The supply chain compromise of Trivy, the widely used open-source vulnerability scanner maintained by Aqua Security, has escalated dramatically — with threat actor TeamPCP pushing malicious Docker images to Docker Hub, defacing Aqua Security's internal GitHub organization, distributing a self-propagating worm across dozens of npm packages, and deploying a Kubernetes wiper that selectively destroys Iranian systems.

The blast radius now spans Docker Hub, GitHub Actions, npm, Kubernetes clusters, and exposed Docker APIs — making this one of the most expansive supply chain attacks targeting the developer security ecosystem.

Malicious Docker Images on Docker Hub

Socket security researchers identified that malicious Trivy images were pushed to Docker Hub as versions 0.69.4, 0.69.5, and 0.69.6 — none of which had corresponding GitHub releases or tags. The last known clean release is 0.69.3.

Both 0.69.5 and 0.69.6 were pushed on March 22 and contained indicators of compromise associated with TeamPCP's infostealer. The malicious images have since been removed from Docker Hub, but any organization that pulled these versions during the window is potentially compromised.

GitHub Organization Defacement

TeamPCP leveraged a compromised service account token — stolen during the earlier Trivy GitHub Actions compromise — to deface all 44 internal repositories in Aqua Security's aquasec-com GitHub organization.

The attack was executed in a scripted 2-minute burst between 20:31:07 and 20:32:26 UTC on March 22, renaming each repository with a tpcp-docs- prefix, setting all descriptions to "TeamPCP Owns Aqua Security," and exposing them publicly.

The compromised Argon-DevOps-Mgt service account bridged both of Aqua Security's GitHub organizations — meaning a single stolen token gave the attacker write and admin access across both.

"One compromised token for this account gives the attacker write/admin access to both organizations," security researcher Paul McCarty confirmed.

CanisterWorm: Blockchain-Backed Self-Propagation

Stolen credentials from the initial Trivy compromise fueled the distribution of CanisterWorm, a self-propagating worm that has compromised dozens of npm packages. The worm uses ICP canisters — tamperproof smart contracts on the Internet Computer Protocol blockchain — for its command-and-control infrastructure, making traditional takedowns ineffective.

This mirrors the blockchain C2 approach ZDW previously covered in the Aeternum C2 botnet, but CanisterWorm adds self-propagation through the npm supply chain — combining two of the most dangerous threat trends into a single campaign.

Kubernetes Wiper Targets Iran

The most alarming payload attributed to TeamPCP is a selective Kubernetes wiper that identifies and destroys Iranian systems:

• On Kubernetes Iranian nodes: Deploys privileged DaemonSets across every node including the control plane, then wipes and force-reboots via a container named kamikaze
• On Kubernetes non-Iranian nodes: Installs CanisterWorm as a systemd service for persistent backdoor access
• On non-Kubernetes Iranian hosts: Executes rm -rf / --no-preserve-root — a complete filesystem destruction command

The wiper also spreads through SSH via stolen keys and exploits exposed Docker APIs on port 2375 across local subnets.

The Irony of Targeting Security Vendors

TeamPCP has built a reputation for targeting cloud infrastructure — exploiting Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers for data theft, ransomware, extortion, and cryptomining. Compromising a cloud security vendor's own vulnerability scanner represents both a tactical escalation and a reputational statement.

"The irony of a cloud security company being compromised by a cloud-native threat actor should not be lost on the industry," OpenSourceMalware noted.

Defender Recommendations

• Pin Trivy to version 0.69.3 immediately — do not use versions 0.69.4, 0.69.5, or 0.69.6 under any circumstances
• Audit CI/CD pipelines — any pipeline that pulled Trivy images or used aquasecurity/trivy-action or aquasecurity/setup-trivy GitHub Actions should be treated as potentially compromised
• Rotate all credentials — any secrets accessible to CI/CD environments that used affected Trivy versions should be rotated immediately
• Scan npm dependencies — check for CanisterWorm indicators in npm packages, particularly recently updated dependencies
• Restrict Docker API exposure — ensure port 2375 is not accessible on local subnets; require TLS authentication for all Docker API access
• Monitor for privileged DaemonSets — alert on unexpected DaemonSet deployments, particularly those with privileged containers or containers named kamikaze
• Audit service account tokens — review all bot and service accounts that bridge multiple GitHub organizations; implement short-lived tokens and least-privilege access
• Block ICP canister traffic — monitor for connections to Internet Computer Protocol infrastructure from non-blockchain workloads