👤 LOGICFALCON
🗓️ 23 Mar 2026   🌍 Middle-East

Shadow in the Container: How Hackers Hijacked Trivy’s Supply Chain

A stealthy supply chain attack on Aqua Security’s Trivy tool exposes thousands to risk through compromised Docker Hub images.

It started as a routine update. Developers around the world, trusting the safety of open source, pulled the latest Trivy image from Docker Hub and set their CI/CD pipelines in motion. But beneath the surface, a silent threat lurked - one that would soon send shockwaves through the software supply chain community.

The latest supply chain attack against Aqua Security’s Trivy ecosystem is a stark reminder of how quickly trust can be weaponized. On March 22, two new Docker image tags - 0.69.5 and 0.69.6 - appeared on Docker Hub. Unlike normal releases, these had no corresponding GitHub tags, immediately raising alarms among security analysts.

Socket’s forensic analysis soon confirmed the worst: both images were laced with indicators of compromise linked to the TeamPCP infostealer, a malware strain designed for covert data exfiltration. The attackers had even set up a typosquatted domain, scan.aquasecurity.org, to mimic Aqua Security’s legitimate services, making detection harder for unsuspecting users.

But this wasn’t just a case of code tampering. Researchers found encrypted payloads and references to a fallback GitHub repository, hinting at a sophisticated infrastructure for persistence and ongoing data theft. The “latest” Docker tag - what most users pull by default - was quietly switched to the malicious 0.69.6 image, meaning anyone who updated their Trivy deployment during this window potentially invited malware into their systems without a clue.

The breach appears deeper still. Security researcher Paul McCarty reported evidence that Aqua Security’s internal GitHub repositories may have been exposed, possibly granting attackers privileged access to source code and distribution mechanisms. While the full extent remains under investigation, the compromise of access controls raises the specter of broader, longer-term risk.

The timeline is now clear: version 0.69.3 is the last known safe release. All subsequent versions, including those now deleted from Docker Hub, are confirmed compromised. Yet, experts warn that Docker tags are mutable - meaning even trusted tags can be silently swapped for malicious versions, compounding the risk for organizations with automated pipelines or dependency bots.

In response, open-source maintainers are revoking credentials and adopting more secure publishing workflows. Security teams are urged to audit their pipelines, avoid affected Trivy versions, and treat any recent activity involving these images as potentially hostile. The incident is a chilling lesson in the fragility of supply chain trust, and a rallying cry for better verification and vigilance at every link in the development chain.
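
One way to carry out the pipeline audit described above, as an added example that is not from the article or from Aqua Security: it scans pipeline text for Trivy image references and flags tags newer than 0.69.3, `latest` or untagged pulls, and tags that are not pinned by digest. The `aquasec/trivy` repository name, the sample pipeline and the placeholder digest are assumptions constructed for illustration.

```python
import re

# From the article: 0.69.3 is the last known safe release; later tags are compromised.
LAST_SAFE = (0, 69, 3)

# Image references whose repository path ends in "/trivy" (assumed naming, e.g. aquasec/trivy).
# The lookahead skips other names such as ".../trivy-action".
IMAGE_RE = re.compile(
    r"(?P<repo>(?:[\w.-]+/)+trivy)(?![\w./-])"
    r"(?::(?P<tag>\w[\w.-]*))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
)
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def classify(tag, digest):
    """Return a verdict for one image reference."""
    version = VERSION_RE.match(tag) if tag else None
    if version and tuple(map(int, version.groups())) > LAST_SAFE:
        return "compromised"      # newer than the last known safe release
    if digest:
        return "digest-pinned"    # immutable; still verify the digest out of band
    if tag is None or tag == "latest":
        return "mutable-latest"   # resolves to whatever "latest" points at today
    return "mutable-tag"          # safe version number, but the tag can be repointed


def audit(text):
    """Return (line_number, reference, verdict) for every Trivy image reference."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for m in IMAGE_RE.finditer(line):
            findings.append((number, m.group(0), classify(m["tag"], m["digest"])))
    return findings


# Constructed sample pipeline; the digest is a placeholder, not a real image digest.
DIGEST = "sha256:" + "0" * 64
SAMPLE = f"""\
container: aquasec/trivy:latest
run: docker run aquasec/trivy:0.69.6 image app
run: docker run aquasec/trivy:0.69.3 image app
run: docker run aquasec/trivy image app
run: docker run aquasec/trivy:0.69.3@{DIGEST} image app
uses: aquasecurity/trivy-action@master
"""

if __name__ == "__main__":
    for number, ref, verdict in audit(SAMPLE):
        print(f"line {number}: {ref} -> {verdict}")
```

A `digest-pinned` verdict only means the reference cannot be silently repointed; the digest itself still has to be checked against a build known to be clean.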

As the dust settles, one truth stands out: in a world built on open source, the smallest gap in trust can become a gateway for widespread compromise. Organizations must not only respond to this breach, but rethink how they validate the very tools that build their future.

WIKICROOK

  • Supply Chain Attack: A supply chain attack is a cyberattack that compromises trusted software or hardware providers, spreading malware or vulnerabilities to many organizations at once.
  • Docker Image: A Docker Image is a packaged environment containing all components needed to run an application consistently across different systems and cloud platforms.
  • Indicator of Compromise (IOC): An Indicator of Compromise (IOC) is a clue, like a suspicious file or IP address, that signals a system may have been hacked.
  • Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
  • Typosquatting: Typosquatting is when attackers use lookalike names of trusted sites or software to trick users into visiting fake sites or downloading malware.