
Trivy Supply Chain Attack Expands With New Compromised Docker Images

Infosecurity Magazine, Mar 23, 2026

New Trivy Docker images 0.69.5 and 0.69.6 compromised with TeamPCP infostealer, impacting CI/CD scans



A new set of compromised Docker images linked to the Trivy supply chain attack has been identified, expanding the impact of the incident across developer environments and CI/CD pipelines.

On March 19, 2026, threat actors compromised Aqua Security's Trivy vulnerability scanner version 0.69.4, injecting credential-stealing malware into official releases and GitHub Actions.

Since then, security researchers from Socket have found that additional malicious artifacts were distributed through Docker Hub after attackers gained access through a GitHub Actions compromise. The newly identified image tags, 0.69.5 and 0.69.6, were uploaded on March 22 without corresponding GitHub releases.

A new analysis, published on March 22 by Socket researchers, showed both images contained indicators of compromise (IOCs) associated with the TeamPCP infostealer previously observed in the campaign. The latest tag currently points to version 0.69.6, which is also confirmed to be compromised.

On Monday, March 23, Aqua Security, which owns Trivy, published an update about the ongoing investigation and confirmed that the team identified additional suspicious activity on Sunday, March 22, involving unauthorized changes and repository tampering.

"Based on our current understanding, this activity is consistent with the attacker’s previously observed behavior," the Aqua security update said.

Compromised Versions Identified

Multiple versions of Trivy distributed through Docker Hub have been affected. While older versions appear unaffected, security teams warned that Docker tags are not immutable and should not be relied upon for integrity verification.

The known status of affected versions includes:

0.69.3 remains the last known clean release
0.69.4 was the initial compromised release and has been removed
0.69.5 and 0.69.6 were later identified as compromised images

The malicious binaries contained typosquatted command-and-control (C2) domains, exfiltration files and references to attacker-controlled repositories used during the campaign.

GitHub Firm Exposure and Expanding Threat Activity

The incident appears to have escalated beyond Docker images. Researchers reported that an internal GitHub organization linked to Aqua Security was briefly exposed, with dozens of repositories renamed and made public during the attack. Investigators believe the attacker used a compromised service account token that had access to multiple GitHub organizations.

The repositories were reportedly modified in a scripted burst lasting roughly two minutes, suggesting automated activity rather than manual intrusion. The compromised account is believed to have been previously exposed during the earlier GitHub Actions breach.

The attack has also been linked to broader malicious activity associated with the aforementioned TeamPCP threat group. Investigators say the group has expanded its operations beyond credential theft to include worm propagation, ransomware deployment, cryptocurrency mining and destructive attacks targeting Kubernetes environments.

Socket warned that organizations using Trivy in CI/CD pipelines should review recent activity and treat recent scans as potentially compromised.

There is no indication that Aqua Security’s commercial products were impacted by this incident, including Trivy as delivered within the Aqua Platform.
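As an added example (not code from the article, Aqua or Socket), the following Python audit flags Trivy image references in CI configuration lines against the version status reported above and reports tag-only references that should be pinned by digest. The repository names, the sample CI lines and the all-zero sha256 placeholder are constructed for illustration and are not real Trivy digests or indicators.

```python
import re

# Version status as reported in the article: 0.69.3 is the last known clean
# release; 0.69.4, 0.69.5 and 0.69.6 are compromised; 'latest' resolves to 0.69.6.
LAST_KNOWN_CLEAN = (0, 69, 3)
KNOWN_COMPROMISED = {"0.69.4", "0.69.5", "0.69.6"}

# Matches repo paths ending in 'trivy' (e.g. the assumed aquasec/trivy Docker Hub
# name), an optional tag, and an optional sha256 digest pin.
IMAGE_RE = re.compile(
    r"^(?P<repo>(?:[\w.\-]+/)*trivy)(?::(?P<tag>[\w.\-]+))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)

def parse_version(tag):
    """Return (major, minor, patch) for a semver-style tag, else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None

def assess_image(ref):
    """Classify one image reference; returns (verdict, reason)."""
    m = IMAGE_RE.match(ref.strip())
    if not m:
        return ("skip", "not a trivy image reference")
    tag, digest = m.group("tag"), m.group("digest")
    if digest:
        return ("pinned", "digest-pinned; confirm the digest against Aqua's published values")
    if tag is None or tag == "latest":
        return ("block", "'latest' currently resolves to compromised 0.69.6")
    if tag in KNOWN_COMPROMISED:
        return ("block", f"tag {tag} is a known compromised build")
    v = parse_version(tag)
    if v is None:
        return ("review", f"non-semver tag {tag!r}; resolve it and check the digest")
    if v > LAST_KNOWN_CLEAN:
        return ("block", f"{tag} is newer than last known clean release 0.69.3")
    return ("review", f"{tag} predates the compromise but is tag-pinned; pin by digest")

def audit_ci_images(lines):
    """Scan 'image:' lines from CI configs; returns (ref, verdict, reason) tuples."""
    out = []
    for line in lines:
        m = re.search(r"image:\s*['\"]?([^\s'\"]+)", line)
        if m and "trivy" in m.group(1):
            out.append((m.group(1),) + assess_image(m.group(1)))
    return out

# Constructed sample CI lines (assumed image names; placeholder digest).
SAMPLE_CI = [
    "  image: aquasec/trivy:0.69.6",
    "  image: 'aquasec/trivy:latest'",
    "  image: aquasec/trivy:0.69.3",
    "  image: aquasec/trivy:0.69.3@sha256:" + "0" * 64,
    "  image: ghcr.io/aquasecurity/trivy:0.70.0",
    "  image: python:3.12",
]

if __name__ == "__main__":
    for ref, verdict, reason in audit_ci_images(SAMPLE_CI):
        print(f"{verdict:7} {ref}  ({reason})")
```

Any "block" result means the pipeline pulled or may pull a compromised scanner, so its recent scan results and the credentials available to that job should be treated as exposed, as Socket advises.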