Listen to this Post
Introduction: A Breach That Refuses to Die
Cyberattacks rarely end with a single intrusion. The most dangerous ones evolve, adapt, and return stronger. That is exactly what happened in the latest attack against Aqua Security, where the TeamPCP hacking group escalated their earlier supply chain compromise into a deeper, more aggressive campaign. What started as a malicious injection into Trivy, a widely trusted security scanner, quickly turned into a broader breach involving Docker images, GitHub repositories, and service account abuse. This incident highlights a harsh reality: even well-prepared organizations can struggle to fully contain persistent attackers once they gain a foothold.
Summary of the Original Incident
The TeamPCP hacking group continued its attack campaign against Aqua Security by expanding its control over the company’s development ecosystem. After initially compromising the GitHub build pipeline for Trivy, the attackers pushed malicious Docker images that contained infostealing malware. These compromised images, labeled as versions 0.69.5 and 0.69.6, appeared on Docker Hub without corresponding official releases, immediately raising suspicion among researchers.
Trivy, a widely trusted open-source vulnerability scanner with tens of thousands of GitHub stars, became the perfect target for a supply chain attack. By tampering with such a widely used tool, attackers could potentially reach thousands of downstream users. Security researchers identified clear indicators of compromise in the rogue images, linking them to TeamPCP’s cloud-based infostealer.
Although Aqua Security had previously responded by rotating secrets and tokens, the mitigation process was incomplete. The attackers exploited this gap, possibly gaining access to newly refreshed credentials during the transition. This allowed them to inject credential-harvesting code into Trivy and distribute infected versions of the tool.
In response, Aqua released clean versions of Trivy and brought in an incident response firm to investigate. However, the situation worsened when additional suspicious activity was detected days later. The attackers had regained access and began tampering with repositories inside Aqua’s GitHub organization.
Further investigation revealed that TeamPCP compromised a service account named Argon-DevOps-Mgt. This account had access to both public and private repositories and relied on a Personal Access Token rather than a more secure GitHub App authentication. Since these tokens behave like long-lived passwords and often lack multi-factor authentication, they became an ideal entry point for attackers.
Using automation, the attackers rapidly modified dozens of repositories, renaming them with a “tpcp-docs-” prefix and changing descriptions to assert control over Aqua Security. They also tested their level of access by briefly creating and deleting branches in public repositories, confirming administrative privileges.
Researchers believe that the attackers obtained the service account’s token using their custom cloud stealer malware, which targets CI/CD environments to extract sensitive credentials such as GitHub tokens, SSH keys, and cloud secrets. Since the service account was used in automated workflows, its credentials were likely exposed in the runtime environment.
Despite the severity of the breach, Aqua Security stated that its commercial products were not impacted due to a controlled integration process that separates them from the open-source version of Trivy. The company continues to investigate and has promised further updates.
What Undercode Say:
The Real Weakness Lies in Automation Trust
Modern DevOps pipelines rely heavily on automation, but this convenience introduces a dangerous assumption: that automated systems are inherently safe. In reality, service accounts often operate with elevated privileges and minimal oversight. When attackers compromise one of these accounts, they effectively gain the keys to the kingdom without triggering traditional user-based security alerts.
Token-Based Authentication Is a Silent Risk
Personal Access Tokens are widely used because they are simple and flexible. However, their longevity and lack of strict binding to specific contexts make them extremely risky. Unlike short-lived tokens issued by modern identity systems, PATs can remain valid for extended periods, giving attackers a wide window to exploit them unnoticed.
Supply Chain Attacks Are Scaling Faster Than Defenses
The attack on Trivy demonstrates how supply chain threats are no longer isolated incidents. They are becoming systematic and repeatable. Attackers are targeting tools that developers trust, knowing that a single compromise can cascade into thousands of environments. This shifts the battlefield from perimeter defense to trust validation.
Docker Tags Are Not a Guarantee of Safety
Many organizations rely on version tags as a sign of authenticity. This incident proves that tags can be manipulated or reused without changing their names. Without cryptographic verification or digest pinning, organizations are essentially trusting labels that can be rewritten by attackers.
CI/CD Environments Are Prime Targets
Continuous integration systems often contain everything an attacker needs: credentials, tokens, environment variables, and deployment logic. Once compromised, these environments become a launchpad for further attacks. The TeamPCP campaign highlights how CI runners can unintentionally leak sensitive data that enables deeper infiltration.
Incident Response Must Be Atomic
Aqua Security’s partial containment effort reveals a critical lesson. Security actions like rotating credentials must be executed atomically. If attackers are still inside the system during rotation, they can capture new secrets as they are generated, effectively resetting their access.
Visibility Gaps Allow Attackers to Re-Enter
The fact that TeamPCP regained access after initial containment suggests a lack of full visibility into the attack surface. Without complete monitoring of all entry points, attackers can maintain persistence through overlooked channels.
Open Source Ecosystems Are High-Value Targets
Projects like Trivy are deeply embedded in development workflows worldwide. Compromising such tools offers attackers a multiplier effect, allowing them to impact not just one organization but an entire ecosystem of users.
Trust Must Be Continuously Verified
The traditional model of “trust once and deploy forever” is no longer viable. Every artifact, update, and dependency must be continuously verified. Zero trust principles must extend beyond networks into software supply chains.
Attack Speed Is Increasing
The attackers modified dozens of repositories in just minutes using automation. This speed makes manual detection nearly impossible. Security teams must rely on automated detection and response systems to keep up.
Separation Between Open Source and Commercial Products Helped
Aqua’s architecture, where commercial products lag behind open-source integration, likely prevented a wider disaster. This controlled pipeline acted as a buffer against immediate propagation of malicious code into enterprise environments.
Defense Requires Layered Security
No single control could have stopped this attack. Preventing similar incidents requires a combination of secure authentication, environment isolation, monitoring, and strict access control policies.
Fact Checker Results
✅ The attackers did push unauthorized Docker images without official releases
✅ A service account using a Personal Access Token was a key entry point
❌ No confirmed impact on Aqua Security’s commercial products so far
Prediction
🔮 Supply chain attacks will increasingly target CI/CD pipelines instead of end-user systems
🔮 Token-based authentication methods like PATs will be phased out in favor of short-lived credentials
🔮 Organizations will adopt stricter artifact verification methods such as signed images and immutable builds
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.digitaltrends.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon
