The cybersecurity community is reeling from an escalating supply chain attack targeting Trivy, Aqua Security’s popular open-source vulnerability scanner with over 33,800 GitHub stars. The threat actor known as TeamPCP has expanded their campaign from compromised GitHub Actions to Docker Hub images and now a destructive Kubernetes wiper that specifically targets Iranian infrastructure.
The Attack Timeline
The attack began in late February 2026 when TeamPCP exploited a misconfiguration in Trivy’s GitHub Actions environment, extracting a privileged access token (PAT) that provided access to both of Aqua Security’s GitHub organizations.
Key developments include:
- GitHub Actions Compromise: Attackers hijacked 75 tags of aquasecurity/trivy-action and aquasecurity/setup-trivy to inject credential-stealing malware
- Docker Hub Poisoning: Malicious Trivy versions 0.69.4, 0.69.5, and 0.69.6 were pushed to Docker Hub on March 22 without corresponding GitHub releases
- Repository Defacement: All 44 repositories in Aqua Security’s internal aquasec-com GitHub organization were renamed with tpcp-docs- prefixes and descriptions changed to TeamPCP Owns Aqua Security
- npm Worm: Stolen credentials enabled the distribution of a self-propagating worm called CanisterWorm across 47 npm packages
The Kubernetes Wiper: A Destructive Turn
Perhaps most alarming is the emergence of a new wiper malware that specifically targets Kubernetes clusters located in Iran. According to Aikido security researcher Charlie Eriksen, the payload performs geographic checks and deploys devastating actions:
- On Kubernetes: Deploys privileged DaemonSets across every node including control plane
- Iranian nodes are wiped and force-rebooted via a container named kamikaze
- Non-Iranian nodes receive the CanisterWorm backdoor as a systemd service
- Non-K8s Iranian hosts receive destructive file system wipe commands
The malware spreads through SSH via stolen keys and exploits exposed Docker APIs on port 2375 across the local subnet.
Technical Analysis: How the Breach Occurred
The attack leveraged a single point of failure: a service account named Argon-DevOps-Mgt (GitHub ID 139343333) that bridged both of Aqua Security’s GitHub organizations. This service account used a Personal Access Token (PAT) for authentication instead of a more secure GitHub App token.
Key weaknesses exploited:
- PAT tokens function like passwords with longer validity periods
- Service accounts typically lack multi-factor authentication (MFA)
- A single compromised token provided write/admin access to both organizations
- Docker Hub tags are not immutable allowing attackers to push malicious images
The defacement of all 44 internal repositories occurred in a scripted 2-minute burst between 20:31:07 UTC and 20:32:26 UTC on March 22, 2026.
Indicators of Compromise
Organizations should immediately review:
- Trivy Docker images: Avoid versions 0.69.4, 0.69.5, and 0.69.6
- Last known clean release: 0.69.3
- GitHub Actions: Pin actions by commit SHA, not tags
- CI/CD pipelines: Treat recent Trivy executions as potentially compromised
Why This Matters
This incident represents a devastating irony: a cloud security company being compromised by a cloud-native threat actor. TeamPCP has demonstrated sophisticated capabilities targeting the security vendor ecosystem itself, building capability across cloud exploitation, supply chain worms, and Kubernetes wipers.
CrowdStrike’s analysis provides critical guidance: Pin your actions by committing SHA, monitor your CI/CD runners with the same rigor as production hosts, and treat any code that runs in your pipeline as code that runs in your infrastructure.
Aqua Security’s Response
Aqua Security has engaged incident response firm Sygnia and states their investigation is actively focused on validating that all access paths have been identified and fully closed. The company reports no evidence that commercial products were impacted due to a controlled integration process that lags the open-source Trivy.
The last known clean Trivy release is 0.69.3. Organizations should immediately audit their CI/CD pipelines and treat any recent Trivy executions as potentially compromised.
This is a developing story. Updates will be provided as new information emerges.
