{"id":351,"date":"2026-03-23T09:37:13","date_gmt":"2026-03-23T09:37:13","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=351"},"modified":"2026-03-23T09:37:13","modified_gmt":"2026-03-23T09:37:13","slug":"trivy-hack-spreads-infostealer-via-docker-triggers-worm-and-kubernetes-wiper","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=351","title":{"rendered":"Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Mar 23, 2026<\/span><\/span><span class=\"p-tags\">Cloud Security \/ DevOps<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>Cybersecurity researchers have uncovered malicious artifacts distributed via Docker Hub following the Trivy supply chain attack, highlighting the widening blast radius across developer environments.<\/p>\n<p>The last known clean release of <a href=\"https:\/\/hub.docker.com\/r\/aquasec\/trivy\/tags\" rel=\"noopener\" target=\"_blank\">Trivy<\/a> on Docker Hub is 0.69.3. The malicious versions 0.69.4, 0.69.5, and 0.69.6 have since been removed from the container image library.<\/p>\n<p>\u00abNew image tags 0.69.5 and 0.69.6 were pushed on March 22 without corresponding GitHub releases or tags. 
Both images contain indicators of compromise associated with the same TeamPCP infostealer observed in earlier stages of this campaign,\u00bb Socket security researcher Philipp Burckhardt <a href=\"https:\/\/socket.dev\/blog\/trivy-docker-images-compromised\" rel=\"noopener\" target=\"_blank\">said<\/a>.<\/p>\n<p>The development comes in the wake of a supply chain compromise of Trivy, a popular open-source vulnerability scanner maintained by Aqua Security, in which the threat actors leveraged a compromised credential to push a credential stealer within trojanized versions of the tool and two related GitHub Actions, \u00abaquasecurity\/trivy-action\u00bb and \u00abaquasecurity\/setup-trivy.\u00bb<\/p>\n<p>The attack has had downstream impacts, with the attackers leveraging the stolen data to compromise dozens of npm packages to distribute a self-propagating worm known as CanisterWorm. 
The incident is believed to be the work of a threat actor tracked as TeamPCP.<\/p>\n<p>According to the OpenSourceMalware team, the attackers have defaced all 44 internal repositories associated with Aqua Security&#8217;s \u00ab<a href=\"https:\/\/github.com\/aquasec-com\" rel=\"noopener\" target=\"_blank\">aquasec-com<\/a>\u00bb GitHub organization by renaming each of them with a \u00abtpcp-docs-\u00bb prefix, setting all descriptions to \u00abTeamPCP Owns Aqua Security,\u00bb and exposing them publicly.<\/p>\n<p>All the repositories are said to have been modified in a scripted 2-minute burst between 20:31:07 UTC and 20:32:26 UTC on March 22, 2026. It&#8217;s been assessed with high confidence that the threat actor leveraged a compromised \u00abArgon-DevOps-Mgt\u00bb service account for this purpose.<\/p>\n<p>\u00abOur forensic analysis of the GitHub Events API points to a compromised service account token \u2014 likely stolen during TeamPCP&#8217;s prior Trivy GitHub Actions compromise \u2014 as the attack vector,\u00bb security researcher Paul McCarty <a href=\"https:\/\/opensourcemalware.com\/blog\/teampcp-aquasec-com-github-org-compromise\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
\u00abThis is a service\/bot account (GitHub ID 139343333, created 2023-07-12) with a critical property: it bridges both GitHub orgs.\u00bb<\/p>\n<p>\u00abOne compromised token for this account gives the attacker write\/admin access to both organizations,\u00bb McCarty added.<\/p>\n<p>The development is the latest escalation from a threat actor that has built a reputation for targeting cloud infrastructure, while progressively building capabilities to systematically target exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers to steal data, deploy ransomware, conduct extortion, and mine cryptocurrency.<\/p>\n<p>Their growing sophistication is best exemplified by the emergence of a new wiper malware that spreads through SSH via stolen keys and exploits exposed Docker APIs on port 2375 across the local subnet.<\/p>\n<p>A new payload attributed to TeamPCP has been found to go beyond credential theft to wiping entire Kubernetes (K8s) clusters located in Iran. The shell script uses the same ICP canister linked to CanisterWorm and then runs checks to identify Iranian systems.<\/p>\n<p>\u00abOn Kubernetes: deploys privileged DaemonSets across every node, including control plane,\u00bb Aikido security researcher Charlie Eriksen <a href=\"https:\/\/www.aikido.dev\/blog\/teampcp-stage-payload-canisterworm-iran\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
\u00abIranian nodes get wiped and force-rebooted via a container named &#8216;kamikaze.&#8217; Non-Iranian nodes get the CanisterWorm backdoor installed as a systemd service. Non-K8s Iranian hosts get &#8216;rm -rf \/ --no-preserve-root.&#8217;\u00bb<\/p>\n<p>Given the ongoing nature of the attack, it&#8217;s imperative that organizations review their use of Trivy in CI\/CD pipelines, avoid using affected versions, and treat any recent executions as potentially compromised.<\/p>\n<p>\u00abThis compromise demonstrates the long tail of supply chain attacks,\u00bb OpenSourceMalware said. \u00abA credential harvested during the Trivy GitHub Actions compromise months ago was weaponized today to deface an entire internal GitHub organization. The Argon-DevOps-Mgt service account \u2014 a single bot account bridging two orgs with a long-lived PAT \u2014 was the weak link.\u00bb<\/p>\n<p>\u00abFrom cloud exploitation to supply chain worms to Kubernetes wipers, they are building capability and targeting the security vendor ecosystem itself. 
The irony of a cloud security company being compromised by a cloud-native threat actor should not be lost on the industry.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Mar 23, 2026Cloud Security \/ DevOps Cybersecurity researchers have uncovered malicious artifacts distributed via Docker Hub following the Trivy supply chain attack, highlighting the widening blast radius across developer&hellip;<\/p>\n","protected":false},"author":1,"featured_media":352,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[136,637,695,822,666,798,800,823,821],"class_list":["post-351","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-docker","tag-hack","tag-infostealer","tag-kubernetes","tag-spreads","tag-triggers","tag-trivy","tag-wiper","tag-worm"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/351","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=351"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/351\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/352"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=351"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2
Fcategories&post=351"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=351"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}