thehackernews.com, 3/23/2026, 9:32:49 AM

Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper

Primary source: github.com

Cybersecurity researchers have traced malicious Docker Hub artefacts tied to the Trivy supply chain attack: two new image tags, 0.69.5 and 0.69.6, were pushed on March 22 with no corresponding GitHub release or git tag, and the images contain indicators of compromise linked to the TeamPCP-associated infostealer observed earlier in the campaign.

These artefacts follow a broader supply chain compromise of Trivy, Aqua Security's open-source vulnerability scanner, in which the threat actors distributed a credential stealer through trojanised tool images and related GitHub Actions workflows.

The attackers used the stolen credentials to compromise dozens of npm packages and to deploy a self-propagating worm known as CanisterWorm. The incident is believed to be the work of TeamPCP; OpenSourceMalware states that 44 Aqua Security internal repositories were defaced and renamed with a tpcp-docs- prefix.

In this operation a compromised service account, Argon-DevOps-Mgt, was used to access both GitHub organisations; a forensic note from OpenSourceMalware attributes the initial access to a stolen service-account token that bridged the two organisations.

In addition, a new payload linked to TeamPCP has been observed wiping Kubernetes clusters in Iran: it deploys DaemonSets across the cluster's nodes and installs the CanisterWorm backdoor on non-Iranian hosts. The researchers urge organisations to review where Trivy is used in their CI/CD pipelines, including container images and GitHub Actions workflows, and to avoid the affected versions.
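Two checks that follow from the findings above, written here as an added example by the editor and not code from The Hacker News, Aqua Security or OpenSourceMalware. The first reproduces the heuristic that surfaced the 0.69.5 and 0.69.6 tags: a versioned Docker Hub tag with no matching GitHub release. The second scans workflow text for Trivy references and flags the suspect tags, mutable tags, and, as a general hardening step that goes beyond what the article states, action references that are not pinned to a commit SHA. The tag lists and the sample workflow are constructed inputs; a live check would fetch the tag lists from the Docker Hub and GitHub APIs.

```python
"""Reviewer checks for Trivy usage in CI/CD (added example, standard library only)."""
import re
from dataclasses import dataclass
from typing import List, Sequence

# Tags the article reports as pushed to Docker Hub on March 22 with no
# matching GitHub release or git tag.
SUSPECT_TAGS = {"0.69.5", "0.69.6"}

# Constructed tag lists standing in for the Docker Hub tag listing and the
# GitHub releases listing; a real check would fetch both live.
DOCKERHUB_TAGS = ["0.69.4", "0.69.5", "0.69.6", "latest"]
GITHUB_RELEASE_TAGS = ["v0.69.3", "v0.69.4"]

SEMVER_RE = re.compile(r"\d+\.\d+\.\d+")


def orphan_tags(docker_tags: Sequence[str], release_tags: Sequence[str]) -> List[str]:
    """Versioned Docker Hub tags with no corresponding GitHub release.

    Trivy releases are tagged 'vX.Y.Z' on GitHub and 'X.Y.Z' on Docker Hub,
    so the leading 'v' is stripped before comparing. Non-semver tags such as
    'latest' are ignored here; they are handled by the workflow scan below.
    """
    released = {t.lstrip("v") for t in release_tags}
    return sorted(t for t in docker_tags if SEMVER_RE.fullmatch(t) and t not in released)


# Image references such as aquasec/trivy:0.69.5, ghcr.io/aquasecurity/trivy:latest
# or aquasec/trivy@sha256:<digest>. The lookahead keeps 'trivy-action' from
# matching as an image name.
IMAGE_RE = re.compile(
    r"(?P<ref>(?:[\w.\-]+/)*(?:aquasec|aquasecurity)/trivy(?![\w\-])"
    r"(?::(?P<tag>[\w.\-]+))?(?:@sha256:(?P<digest>[0-9a-f]{64}))?)"
)
# 'uses: aquasecurity/trivy-action@<ref>' steps; a 40-hex ref is a commit SHA.
ACTION_RE = re.compile(r"uses:\s*(?P<ref>aquasecurity/trivy-action@(?P<pin>[\w.\-]+))")
SHA1_RE = re.compile(r"[0-9a-f]{40}")


@dataclass
class Finding:
    line: int
    ref: str
    reason: str


def scan_ci_text(text: str) -> List[Finding]:
    """Flag Trivy references in workflow or Dockerfile text that need review."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = IMAGE_RE.search(line)
        if m:
            tag, ref = m.group("tag"), m.group("ref")
            if tag in SUSPECT_TAGS:
                findings.append(Finding(n, ref, "tag pushed to Docker Hub without a GitHub release"))
            elif m.group("digest") is None and tag in (None, "latest"):
                findings.append(Finding(n, ref, "mutable tag; pin to an image digest"))
            elif m.group("digest") is None:
                findings.append(Finding(n, ref, "version tag; confirm a matching GitHub release and pin by digest"))
        a = ACTION_RE.search(line)
        if a and not SHA1_RE.fullmatch(a.group("pin")):
            findings.append(Finding(n, a.group("ref"), "action pinned to a tag, not a commit SHA"))
    return findings


# Constructed workflow excerpt covering each case the scanner distinguishes.
SAMPLE_WORKFLOW = """\
name: scan
jobs:
  scan:
    runs-on: ubuntu-latest
    container: aquasec/trivy:0.69.5
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0
      - run: docker run --rm ghcr.io/aquasecurity/trivy:latest image myapp:1.0
      - run: docker run --rm aquasec/trivy@sha256:0000000000000000000000000000000000000000000000000000000000000000 fs .
      - run: docker run --rm aquasec/trivy:0.69.4 fs .
"""

if __name__ == "__main__":
    print("Docker Hub tags with no GitHub release:", orphan_tags(DOCKERHUB_TAGS, GITHUB_RELEASE_TAGS))
    for f in scan_ci_text(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.ref}: {f.reason}")
```

The digest-pinned reference on line 10 of the sample produces no finding: pinning by digest stops a later re-push of the same tag from changing what the pipeline runs, which is exactly how the 0.69.5 and 0.69.6 tags could land in a pipeline that simply referenced a version string.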


Article by CyberSIXT
