Supply Chain Attack via Malicious Trivy Images Leads to Defacement of 44 Aqua Security GitHub Repos
What Happened — Malicious Trivy container‑scanner images (versions 0.69.4‑0.69.6) were published on Docker Hub and contained the TeamPCP infostealer. The compromised images were used to steal a long‑lived service‑account token, which the attacker leveraged to rename and deface all 44 repositories in Aqua Security’s internal GitHub organization within minutes.
Why It Matters for TPRM —
- A supply‑chain breach in a widely‑used scanning tool can cascade to downstream vendors, exposing their internal code and credentials.
- Stolen service‑account tokens give attackers full API access as an authenticated, trusted identity, so their activity looks legitimate to typical logging and detection controls.
- Repository defacement signals a foothold that could be expanded to code injection or credential exfiltration affecting your own integrations.
Who Is Affected — Cloud‑native security vendors, SaaS providers that integrate Trivy, and any downstream customers relying on Aqua Security’s open‑source or proprietary tooling.
Recommended Actions —
- Verify that no Trivy images from untrusted registries are used in your CI/CD pipelines.
- Rotate all long‑lived service‑account tokens and enforce short‑lived, scoped credentials.
- Conduct a code‑integrity audit of any Aqua Security components you consume.
- Review your supply‑chain risk program for container‑image provenance and signing.
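One way to act on the first and last of these items, as an added example that is not part of the original advisory or of any Aqua Security tooling: a small Python checker that walks a CI config or Dockerfile, expands Docker Hub short names, flags any Trivy reference using the tags named above (0.69.4 through 0.69.6), and warns on Trivy references pulled by tag without a sha256 digest. The image names it treats as Trivy, the config keys it matches, and the sample fragment are assumptions made for the example.

```python
import re

# Trivy tags the advisory names as carrying the infostealer.
AFFECTED_TAGS = {"0.69.4", "0.69.5", "0.69.6"}
# Image names treated as the Trivy scanner image (Docker Hub and GHCR locations; assumed).
TRIVY_NAMES = {"docker.io/aquasec/trivy", "ghcr.io/aquasecurity/trivy"}
# Extracts image references from common CI/Dockerfile forms: "image:", "FROM", "docker://".
REF_RE = re.compile(r"(?:image:|FROM|docker://)\s*[\"']?([^\s\"']+)")

def parse_image(ref):
    """Split 'name[:tag][@digest]' into parts; expands Docker Hub short names to docker.io/."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    if ref.rfind(":") > ref.rfind("/"):  # a colon after the last slash is a tag, not a registry port
        ref, tag = ref.rsplit(":", 1)
    first = ref.split("/")[0]
    if "." not in first and ":" not in first and first != "localhost":
        ref = "docker.io/" + ref
    return ref, tag, digest

def check_image(ref):
    """Return (severity, reason) for a Trivy reference that is known-bad or unpinned, else None."""
    name, tag, digest = parse_image(ref.strip())
    if name not in TRIVY_NAMES:
        return None
    if tag in AFFECTED_TAGS:
        return ("critical", f"tag {tag} is one of the trojanized Trivy releases")
    if digest is None:
        return ("warn", "Trivy image is pulled by tag only, not pinned to a sha256 digest")
    return None

def scan_ci_config(text):
    """Scan CI/Dockerfile text; returns a list of (line_no, image, severity, reason)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for ref in REF_RE.findall(line):
            result = check_image(ref)
            if result:
                findings.append((line_no, ref, *result))
    return findings

# Constructed sample pipeline fragment (not any real project's configuration).
SAMPLE_CONFIG = """\
scan:
  image: aquasec/trivy:0.69.5
audit:
  uses: docker://ghcr.io/aquasecurity/trivy:0.70.0
"""
```

Running `scan_ci_config(SAMPLE_CONFIG)` reports the first reference as critical and the second as unpinned; a digest-pinned Trivy reference on a non-affected tag produces no finding.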
Technical Notes — The attacker exploited a stolen GitHub service‑account token (Argon‑DevOps‑Mgt) to issue scripted API calls that renamed and altered repository metadata. The initial vector was a malicious Docker Hub image that executed the TeamPCP infostealer, harvesting credentials from CI environments. No public CVE is associated; the vulnerability lies in token management and lack of image signing. Source: Security Affairs