Trivy supply-chain attack spreads to Docker, GitHub repos

Published: (March 23, 2026 at 01:40 PM EDT)

Source: Bleeping Computer


Overview

The TeamPCP hackers behind the Trivy supply‑chain attack have continued to target Aqua Security, pushing malicious Docker images and hijacking one of the company’s GitHub organizations to tamper with dozens of repositories. This follows the threat actor’s compromise of the GitHub build pipeline for Trivy, Aqua Security’s open‑source scanner, which was used to deliver infostealing malware in a supply‑chain attack that extended to Docker Hub over the weekend.

Trivy has more than 33,800 stars on GitHub and is widely used for detecting vulnerabilities, misconfigurations, and exposed secrets across software artifacts and infrastructure.

Compromised Docker Images

Supply‑chain security company Socket says in a report on Sunday that it identified compromised Trivy artifacts published to Docker Hub.

“New image tags 0.69.5 and 0.69.6 were pushed on March 22 without corresponding GitHub releases or tags,” Socket researchers say. According to their analysis, the two images contain indicators of compromise related to the infostealer that TeamPCP pushed after gaining access to Aqua Security’s GitHub organization.

The researchers note that the last known Trivy release is 0.69.3 and warn that, although they saw no evidence of older images or binaries being modified after publication, Docker Hub tags are not immutable: a tag can be re‑pointed at new content at any time, so organizations should not rely solely on tag names for integrity and should pin images by content digest instead.
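Socket’s warning about tag mutability is usually addressed by pinning images to their content digest and by treating tags that do not correspond to a known release as suspect. The following is an added example, not code from Socket, Aqua Security or the Trivy project: it parses the image references in a constructed Dockerfile, reports whether each is pinned by digest, and flags tags missing from an assumed allow‑list of released versions. The Dockerfile, the allow‑list and the all‑zero digest are constructed for illustration.

```python
"""Check container image references in a Dockerfile for digest pinning.

Added example; not code from Aqua Security, Socket or Trivy. The Dockerfile,
allow-list and digest below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Simplified image-reference grammar: [registry/]repo[:tag][@sha256:digest].
# A leading component is a registry only if it contains a dot, has a port, or
# is "localhost"; otherwise the reference is implicitly on Docker Hub.
REF_RE = re.compile(
    r"^(?:(?P<registry>(?:[^/:@]+\.[^/:@]+|localhost|[^/:@]+(?=:\d+/))(?::\d+)?)/)?"
    r"(?P<repo>[a-z0-9]+(?:[._-][a-z0-9]+)*(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


@dataclass(frozen=True)
class ImageRef:
    registry: Optional[str]
    repo: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def name(self) -> str:
        """Registry-qualified repository name used as the allow-list key."""
        return f"{self.registry}/{self.repo}" if self.registry else self.repo


def parse_ref(ref: str) -> Optional[ImageRef]:
    m = REF_RE.match(ref.strip())
    if not m:
        return None
    return ImageRef(m["registry"], m["repo"], m["tag"], m["digest"])


def classify(ref: ImageRef, known_tags: dict) -> str:
    """Only a digest pin survives a tag being re-pushed with new content."""
    if ref.digest:
        return "pinned"
    if ref.tag is None:
        return "floating"  # implicit :latest, moves on every push
    if ref.name in known_tags and ref.tag not in known_tags[ref.name]:
        return "unpinned-unknown-tag"  # tag with no matching upstream release
    return "unpinned"


def audit_dockerfile(text: str, known_tags: dict) -> list:
    """Return (line_no, image, status) for every FROM line in a Dockerfile."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip().upper().startswith("FROM "):
            continue
        # Drop --platform=... style flags and the trailing "AS stage" alias.
        tokens = [t for t in line.split()[1:] if not t.startswith("--")]
        if not tokens or tokens[0] == "scratch":
            continue
        image = tokens[0]
        ref = parse_ref(image)
        status = "unparseable" if ref is None else classify(ref, known_tags)
        findings.append((no, image, status))
    return findings


# Constructed allow-list: tags that correspond to real upstream releases.
# In practice generate it from the project's GitHub release list.
KNOWN_TAGS = {
    "aquasec/trivy": {"0.69.3"},
    "ghcr.io/aquasecurity/trivy": {"0.69.3"},
}

# Constructed Dockerfile; the digest is a placeholder, not a real image digest.
SAMPLE_DOCKERFILE = """\
FROM --platform=linux/amd64 golang:1.22 AS build
FROM aquasec/trivy:0.69.5
FROM ghcr.io/aquasecurity/trivy:0.69.3@sha256:{d}
FROM alpine
""".format(d="0" * 64)

if __name__ == "__main__":
    for no, image, status in audit_dockerfile(SAMPLE_DOCKERFILE, KNOWN_TAGS):
        print(f"line {no}: {status:22} {image}")
```

Running it reports line 1 as unpinned, line 2 as an unpinned tag with no matching release, line 3 as pinned and line 4 as floating. To obtain the digest to pin for an image you have already pulled and verified, `docker image inspect --format '{{index .RepoDigests 0}}' IMAGE` prints it.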

Breaching AquaSec’s GitHub

On March 20, Aqua Security said that the threat actor gained access to the company’s GitHub organization due to incomplete containment of a previous incident targeting the same tool at the beginning of the month.

“We rotated secrets and tokens, but the process wasn’t atomic and attackers may have been privy to refreshed tokens,” – Aqua Security

This allowed the attacker to inject credential‑harvesting code (TeamPCP Cloud stealer) into Trivy and publish malicious versions of the tool. Aqua responded by publishing new, safe versions of Trivy on March 20 and engaging the incident‑response firm Sygnia for remediation and forensic investigation.

Via an update published today, Aqua noted additional suspicious activity on March 22, indicating that the same threat actors re‑established unauthorized access and performed “unauthorized changes and repository tampering.” The company emphasized that Trivy itself was not impacted at that time.

An analysis from OpenSourceMalware explains that TeamPCP gained access to the aquasec‑com GitHub organization (where Aqua Security hosts proprietary code) separate from the public aquasecurity organization. Using an automation script, the hackers added the prefix tpcp‑docs‑ to all 44 repositories in the private organization and changed their descriptions to read “TeamPCP Owns Aqua Security.”

The researchers have high confidence that the attacker compromised a service account named Argon‑DevOps‑Mgt, which had access to both GitHub organizations. The account authenticated with a Personal Access Token (PAT) belonging to a standard user rather than through a GitHub App. A PAT functions like a password and remains valid far longer than a short‑lived GitHub App installation token, and the service account had no multi‑factor authentication (MFA) enabled.

To demonstrate admin permissions, TeamPCP created a new update-plugin-links-v0.218.2 branch in the public aquasecurity/trivy-plugin-aqua repository and deleted it “at the exact same second.” The researchers believe the PAT for the Argon‑DevOps‑Mgt service account was obtained using the TeamPCP Cloud stealer, which collects GitHub tokens, SSH keys, cloud credentials, and environment variables from CI runners.

“As a service account that triggers workflows on trivy‑plugin‑aqua, its token was present in the runner environment,” – OpenSourceMalware
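A long‑lived token that a workflow places in the runner environment is available to every step in that job, including any compromised dependency or build script that runs there. The following is an added example, not code from Aqua Security or OpenSourceMalware: a small audit that scans GitHub Actions workflow files for secrets other than the job‑scoped `GITHUB_TOKEN`, reports at which scope (workflow, job or step) each one is exposed, and flags workflows with no top‑level `permissions:` block. The two workflows and the secret name `ARGON_DEVOPS_PAT` are constructed placeholders; the indentation walk is deliberately limited to the flat shape of Actions workflows and is not a general YAML parser.

```python
"""Find long-lived secrets exposed to a whole GitHub Actions workflow or job.

Added example; not code from Aqua Security or OpenSourceMalware. The workflow
files below are constructed and the secret name is a hypothetical placeholder.
"""
import re

SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _ancestors(lines: list, idx: int) -> list:
    """Enclosing YAML keys of lines[idx], innermost first (indentation-based)."""
    chain, limit = [], _indent(lines[idx])
    for j in range(idx - 1, -1, -1):
        stripped = lines[j].strip()
        if not stripped or stripped.startswith("#"):
            continue
        if _indent(lines[j]) < limit:
            chain.append(stripped)
            limit = _indent(lines[j])
            if limit == 0:
                break
    return chain


def secret_scope(chain: list) -> str:
    """workflow-level env is visible to every job; job-level to every step."""
    if "steps:" in chain:
        return "step"
    if "jobs:" in chain:
        return "job"
    return "workflow"


def audit_workflow(text: str) -> list:
    """Return findings for long-lived secrets and missing permissions."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for name in SECRET_RE.findall(line):
            if name == "GITHUB_TOKEN":
                continue  # issued per job, scoped by `permissions`, expires with the job
            scope = secret_scope(_ancestors(lines, i))
            findings.append({
                "line": i + 1, "issue": "long-lived-secret", "secret": name,
                "scope": scope,
                # Exposed to every step of the job (or every job) versus one step.
                "severity": "high" if scope in ("workflow", "job") else "medium",
            })
    if not any(l.startswith("permissions:") for l in lines):
        findings.append({"line": 0, "issue": "no-top-level-permissions",
                         "severity": "medium"})
    return findings


# Constructed: a PAT exposed at workflow scope and again inside one step.
WEAK = """\
name: plugin-release
on:
  push:
    branches: [main]
env:
  GH_TOKEN: ${{ secrets.ARGON_DEVOPS_PAT }}
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.ARGON_DEVOPS_PAT }}
      - run: ./scripts/update-plugin-links.sh
      - run: gh pr create --fill
"""

# Constructed: least-privilege default, job-scoped token only where needed.
HARDENED = """\
name: plugin-release
on:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  update:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/update-plugin-links.sh
      - run: gh pr create --fill
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

if __name__ == "__main__":
    for label, wf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_workflow(wf))
```

Where a workflow genuinely needs to act across repositories or organizations, the usual replacement for a user PAT is a GitHub App installation token minted at run time (for example with the `actions/create-github-app-token` action), which expires after an hour and is limited to the App’s installed permissions; combining that with a top‑level `permissions: contents: read` keeps a stolen runner environment from yielding a credential that still works days later.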

OpenSourceMalware has provided a set of indicators of compromise to help defenders determine if their environments have been impacted by the supply‑chain attack.

Aqua Security states that it has no evidence that the Trivy version used in its commercial products has been impacted. “By design, the forked version of Aqua’s commercial platform lags Trivy open source with a controlled integration process.” The company pledged to share updates as new details emerge.
