Severity: critical

Trivy Supply Chain Attack Expands to Compromised Docker Images

A supply chain attack on Aqua Security's Trivy project resulted in compromised Docker images containing the TeamPCP infostealer being pushed to Docker Hub. The attackers leveraged unauthorized access to the Aqua Security GitHub organization to distribute malicious versions (0.69.4, 0.69.5, 0.69.6) that exfiltrate sensitive CI/CD data to a typosquatted C2 domain.

Sens: Immediate · Conf: high · Analyzed: 2026-03-24

Authors: Socket Threat Research Team

Actors: TeamPCP · Canisterworm campaign

Source: Socket

IOCs · 2

Key Takeaways

  • Compromised Trivy Docker images (tags 0.69.5, 0.69.6, and latest) were published to Docker Hub containing the TeamPCP infostealer.
  • The malicious images communicate with a typosquatted C2 domain (scan.aquasecurtiy.org) and exfiltrate data via archives like tpcp.tar.gz.
  • The Aqua Security GitHub organization was breached, allowing attackers to create unauthorized repositories prefixed with 'tpcp-docs-'.
  • Cached versions of the compromised images may still be pulled from mirrors like mirror.gcr.io even after removal from Docker Hub.
  • Organizations using Trivy in CI/CD pipelines during the attack window must treat their environments as compromised and revoke exposed secrets.

Affected Systems

  • Trivy Docker images (tags 0.69.4, 0.69.5, 0.69.6, latest)
  • CI/CD pipelines utilizing affected Trivy versions
  • Aqua Security GitHub Organization

Attack Chain

Attackers compromised the Aqua Security GitHub organization, gaining sufficient access to create unauthorized repositories and modify the Trivy project. They subsequently published malicious Docker images (tags 0.69.4, 0.69.5, 0.69.6) containing the TeamPCP infostealer to Docker Hub. When these images are pulled and executed in CI/CD pipelines, the malware collects sensitive environment data, packages it into artifacts like tpcp.tar.gz and payload.enc, and exfiltrates it to a typosquatted C2 domain (scan.aquasecurtiy.org) or a fallback GitHub repository.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules (YARA, Sigma, etc.) are provided in the article.

Detection Engineering Assessment

  • EDR Visibility: Medium. EDR deployed on CI/CD runner hosts may detect anomalous network connections or file creations from the Trivy container, but ephemeral runners often lack full EDR coverage.
  • Network Visibility: High. Connections to the typosquatted domain (scan.aquasecurtiy.org) are highly visible in DNS and proxy logs.
  • Detection Difficulty: Moderate. Detecting the specific C2 domain is straightforward, but identifying compromised ephemeral CI/CD containers retroactively can be difficult without centralized logging of container image digests.

Required Log Sources

  • DNS query logs
  • Proxy/Firewall logs
  • Container registry pull logs
  • CI/CD pipeline execution logs

Hunting Hypotheses

  • Hypothesis: Search DNS and proxy logs for connections to scan.aquasecurtiy.org originating from CI/CD runner IP ranges.
    • Telemetry: DNS query logs, Firewall/Proxy logs
    • ATT&CK Stage: Command and Control / Exfiltration
    • FP Risk: Low
  • Hypothesis: Analyze container registry pull logs and CI/CD execution logs for Trivy image tags 0.69.4, 0.69.5, or 0.69.6.
    • Telemetry: Container runtime logs, CI/CD pipeline logs
    • ATT&CK Stage: Execution
    • FP Risk: Low
  • Hypothesis: Look for the creation of files named payload.enc or tpcp.tar.gz within CI/CD workspace directories.
    • Telemetry: File system creation events (EDR/FIM)
    • ATT&CK Stage: Collection
    • FP Risk: Low
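
The three hunting hypotheses above, expressed as one matcher run over log lines. This is an added example, not detection logic from Socket or Aqua Security; the log line layout and the aquasec/trivy repository name in the sample are assumptions, and the sample lines are constructed.

```python
import re
from pathlib import PurePosixPath

# Indicators exactly as listed in this report.
C2_DOMAIN = "scan.aquasecurtiy.org"
BAD_TAGS = {"0.69.4", "0.69.5", "0.69.6"}
ARTIFACTS = {"payload.enc", "tpcp.tar.gz"}

HOST_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\.?")
IMAGE_RE = re.compile(r"(?<![\w.-])(?:[\w.-]+/)*trivy:(\w[\w.-]*)")
TOKEN_RE = re.compile(r"[\w./-]+")

SAMPLE = [  # constructed log lines, not real telemetry
    "10:00:41 ci job=1182 docker pull aquasec/trivy:0.69.5",
    "10:00:59 ci job=1183 docker pull aquasec/trivy:0.69.3",
    "10:01:02 dns client=10.0.4.17 query=Scan.AquaSecurtiy.org. type=A",
    "10:01:03 dns client=10.0.4.17 query=scan.aquasecurity.org type=A",  # correct spelling
    "10:01:10 fim event=create path=/builds/app/tpcp.tar.gz",
    "10:01:12 fim event=create path=/builds/app/payload.enc.bak",
]


def hunt(line):
    """Return the sorted findings for one log line."""
    hits = set()
    for host in HOST_RE.findall(line):
        host = host.rstrip(".").lower()      # trailing FQDN dot and case are noise
        if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
            hits.add("c2-domain")
    for tag in IMAGE_RE.findall(line):
        if tag in BAD_TAGS:                  # exact match: 0.69.50 is not 0.69.5
            hits.add("affected-trivy-tag:" + tag)
    for token in TOKEN_RE.findall(line):
        name = PurePosixPath(token).name     # basename only, in any directory
        if name in ARTIFACTS:
            hits.add("artifact:" + name)
    return sorted(hits)


def hunt_log(lines):
    """Map 1-based line numbers to findings, skipping clean lines."""
    scanned = ((n, hunt(line)) for n, line in enumerate(lines, 1))
    return {n: found for n, found in scanned if found}


if __name__ == "__main__":
    for number, found in hunt_log(SAMPLE).items():
        print(number, found)
```

Matching the domain on the full hostname rather than as a substring keeps the correctly spelled lookalike in the sample from alerting.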

Control Gaps

  • Lack of image digest verification (pinning) in CI/CD pipelines
  • Overly permissive egress network access for CI/CD runners
  • Reliance on mutable Docker tags (e.g., 'latest')

Key Behavioral Indicators

  • DNS queries to scan.aquasecurtiy.org
  • Trivy container execution with tags 0.69.4, 0.69.5, 0.69.6
  • Creation of tpcp.tar.gz or payload.enc in CI/CD environments

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Pin Trivy Docker images to the digest of the known clean release (0.69.3).
  • Block all network traffic to scan.aquasecurtiy.org.
  • Revoke and rotate any credentials, tokens, or secrets exposed to CI/CD pipelines that ran the compromised Trivy versions.
  • Clear local Docker caches and CI/CD runner caches to remove potentially compromised Trivy images.

Infrastructure Hardening

  • Implement egress filtering for CI/CD runners to restrict outbound connections to known required endpoints.
  • Enforce image digest pinning instead of using mutable tags like 'latest' in CI/CD pipelines.
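
A pipeline-config audit for the pinning control above: it finds Trivy image references and reports whether each is an affected tag, a mutable tag, or digest-pinned. This is an added example, not tooling from the report; the aquasec/trivy repository name, the registry.local host and the YAML layout are assumptions, and the digest in the sample is constructed.

```python
import re

AFFECTED_TAGS = {"0.69.4", "0.69.5", "0.69.6"}  # tags listed in this report

# <registry/namespace>/trivy[:tag][@sha256:<64 hex>]. A namespace is required
# so the bare CLI word "trivy" in a script line is not treated as an image.
REF_RE = re.compile(
    r"(?<![\w.-])(?:[\w.-]+(?::\d+)?/)+trivy"
    r"(?::(?P<tag>\w[\w.-]*))?(?:@sha256:(?P<digest>[0-9a-f]{64}))?(?![\w/-])"
)

PIN = "sha256:" + "ab" * 32  # constructed digest, not a real image

CONFIG = f"""\
scan-a:
  image: aquasec/trivy:latest
scan-b:
  image: mirror.gcr.io/aquasec/trivy:0.69.6
scan-c:
  image: aquasec/trivy:0.69.3@{PIN}
scan-d:
  script: trivy image --exit-code 1 registry.local:5000/team/app:1.4
"""


def verdict(tag, digest):
    if tag in AFFECTED_TAGS:
        return "affected-tag"   # listed in the report, pinned or not
    if digest:
        return "pinned"         # immutable reference
    return "mutable-tag"        # 'latest', any other tag, or no tag at all


def audit(config_text):
    """Return (line_number, image_reference, verdict) per Trivy image."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        for m in REF_RE.finditer(line):
            findings.append((number, m.group(0), verdict(m["tag"], m["digest"])))
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```

A "pinned" verdict only means the reference is immutable; the digest itself still has to be checked against the clean release.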

User Protection

  • Notify developers to clear local Docker caches to ensure malicious images are not executed locally.

Security Awareness

  • Educate DevOps teams on the risks of mutable Docker tags and the importance of verifying software supply chain integrity.

MITRE ATT&CK Mapping

  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
  • T1078 - Valid Accounts
  • T1583.001 - Acquire Infrastructure: Domains
  • T1048 - Exfiltration Over Alternative Protocol
  • T1567.001 - Exfiltration Over Web Service: Exfiltration to Code Repository

Additional IOCs

  • Domains:
    • scan[.]aquasecurtiy[.]org - Typosquatted C2 domain
  • URLs:
    • hxxps://github[.]com/tpcp-docs - Fallback GitHub repository
  • File Hashes:
    • f69a8a4180c4 (SHA256) - Docker image digest for compromised Trivy 0.69.5 (linux/amd64)
    • 95ff68010357 (SHA256) - Docker image digest for compromised Trivy 0.69.5 (linux/arm64)
    • 4f7a06bb5171 (SHA256) - Docker image digest for compromised Trivy 0.69.5 (linux/ppc64le)
    • edef8e5816ec (SHA256) - Docker image digest for compromised Trivy 0.69.5 (linux/s390x)
  • File Paths:
    • payload.enc - Encrypted payload/exfiltration artifact dropped by the malware
    • tpcp.tar.gz - Archive used for staging exfiltrated data
  • Other:
    • mirror.gcr.io - Image mirror observed caching and serving the compromised Trivy images after their removal from Docker Hub.
    • tpcp-docs-* - Prefix for unauthorized repositories created within the compromised Aqua Security GitHub organization (e.g., tpcp-docs-tracee, tpcp-docs-aqua-deployer).