Critical Supply Chain Breach: Malicious Trivy Images and Aqua Security GitHub Compromise Expose DevOps Weaknesses

Introduction: A Silent Breach Escalates into a Full-Scale Supply Chain Crisis

A new wave of cyberattacks has shaken the cloud-native ecosystem, exposing just how fragile modern software supply chains can be. What began as suspicious container images on Docker Hub quickly escalated into a coordinated breach targeting internal infrastructure. The incident highlights a growing trend where attackers no longer aim at end-users directly but instead exploit the tools developers trust every day. This attack, attributed to the threat actor known as TeamPCP, demonstrates a calculated and automated approach that blends stealth, speed, and deep knowledge of DevOps environments.

Summary: Malicious Containers and Automated GitHub Takeover Signal Coordinated Attack

Security researchers uncovered several malicious versions of Trivy hosted on Docker Hub, specifically versions 0.69.4 through 0.69.6. These compromised images were later removed, but not before raising serious concerns about a supply chain attack. The injected payload contained code linked to the TeamPCP infostealer, a tool designed to extract sensitive data from infected systems. The most alarming detail was that these suspicious image tags had no corresponding releases on GitHub, making them highly deceptive and difficult to verify for unsuspecting developers.

The situation escalated further when the OpenSourceMalware research team reported a breach within Aqua Security’s internal GitHub organization. Unlike their public-facing repositories, this internal organization hosted proprietary code, making the attack significantly more damaging. Within minutes, all 44 repositories were defaced. Each repository was renamed with a “tpcp-docs-” prefix and updated with a uniform message claiming ownership by TeamPCP.

The attack was executed with remarkable speed and precision. Investigators determined that the entire operation was completed in approximately two minutes using automated scripts that leveraged GitHub’s API. This level of automation allowed the attackers to simultaneously modify repository names and descriptions while avoiding detection in standard logging systems.

Further analysis revealed that the breach originated from a compromised service account named Argon-DevOps-Mgt. This account had administrative privileges across multiple organizations, making it a highly valuable target. The attackers likely obtained a long-lived access token associated with this account, which provided persistent access once compromised. Prior to launching the full attack, the threat actors tested the token by briefly creating and deleting a branch. This subtle action mimicked normal developer behavior, allowing them to verify access without triggering alarms.

The attack chain shows a clear progression. Initially, TeamPCP compromised Trivy GitHub Actions workflows. Through this entry point, they harvested credentials from continuous integration systems, including API keys and tokens. After securing access, they mapped out repository structures and prepared scripts to automate their actions. The final stage involved executing the defacement attack across all repositories simultaneously.

The breach exposed not only internal code but also potentially sensitive infrastructure details and credentials stored within those repositories. As a result, any secrets present in the compromised environment must now be considered exposed. This includes API keys, authentication tokens, and possibly deployment configurations.

TeamPCP, also known under several aliases such as DeadCatx3, PCPcat, ShellForce, and CanisterWorm, has been active throughout 2025 and 2026. The group is known for exploiting Docker APIs and Kubernetes environments, often combining supply chain attacks with cryptomining, ransomware, and self-propagating malware. Their recent activities show a clear evolution toward more destructive and high-impact operations, targeting not just systems but entire organizational infrastructures.

What Undercode Say: Deep Analysis of the Attack Strategy and Industry Implications

The real story here is not just about a compromised GitHub organization or a few malicious Docker images. This incident reveals a structural weakness in how modern software is built, distributed, and trusted. Developers today rely heavily on automation, third-party tools, and prebuilt images. That convenience, while powerful, creates an invisible attack surface that is difficult to monitor and even harder to secure.

TeamPCP’s strategy reflects a deep understanding of DevOps pipelines. Instead of brute force or traditional intrusion methods, they targeted CI systems, where secrets are often stored and reused. CI environments are designed for speed and efficiency, not strict security isolation. This makes them ideal targets for attackers seeking credentials that can unlock broader access.

The use of GitHub Actions as an entry point is particularly significant. These workflows often run with elevated permissions and interact with multiple services. Once compromised, they can act as a bridge between repositories, container registries, and deployment environments. This effectively turns a single vulnerability into a multi-system compromise.

Another critical aspect is the use of long-lived tokens. In many organizations, service accounts are granted persistent credentials for convenience. These tokens are rarely rotated and often lack strict monitoring. Once leaked, they provide attackers with ongoing access without the need for repeated exploitation. In this case, the attackers demonstrated patience by testing the token quietly before executing the full attack hours later.

The automation of the attack is also worth noting. Completing a full organizational defacement in under two minutes suggests premeditation and scripting sophistication. This is not opportunistic hacking; it is engineered disruption. The attackers likely mapped out every repository and prepared API calls in advance, ensuring a synchronized execution that minimized response time from defenders.

The mismatch between Docker tags and GitHub releases highlights another overlooked issue: verification gaps in software distribution. Many developers assume that official-looking images are trustworthy, especially when hosted on widely used platforms. However, without strict validation mechanisms, attackers can introduce malicious versions that blend seamlessly into legitimate workflows.
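The tag-versus-release mismatch described above can be checked mechanically before an image is pulled. The following is an added example, not code from the article or from the Trivy project; the image name `registry.example/trivy`, the release list and the function names are assumptions constructed for illustration.

```python
import re

SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")

# Constructed inputs: in practice these come from the registry's tag list and
# the source repository's release list. Not the project's real release history.
RELEASE_TAGS = ["v0.69.2", "v0.69.3"]
REGISTRY_TAGS = ["latest", "0.69.3", "0.69.4", "0.69.5", "0.69.6"]

def parse_version(tag):
    """Return (major, minor, patch) for an exact version tag, else None."""
    m = SEMVER.match(tag)
    return tuple(int(x) for x in m.groups()) if m else None

def audit_registry_tags(registry_tags, release_tags):
    """Sort registry tags into verified / unreleased / unversioned buckets."""
    released = {v for v in map(parse_version, release_tags) if v}
    report = {"verified": [], "unreleased": [], "unversioned": []}
    for tag in registry_tags:
        v = parse_version(tag)
        if v is None:
            report["unversioned"].append(tag)  # mutable tags such as 'latest'
        elif v in released:
            report["verified"].append(tag)
        else:
            report["unreleased"].append(tag)   # image with no source release
    return report

def gate_image(ref, release_tags):
    """CI gate: allow only exact version tags backed by a source release."""
    _, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:  # no tag, or the colon belonged to host:port
        return (False, "no tag given, resolves to a mutable default")
    v = parse_version(tag)
    if v is None:
        return (False, f"tag '{tag}' is not an exact version")
    if v not in {parse_version(t) for t in release_tags}:
        return (False, f"tag '{tag}' has no matching source release")
    return (True, f"tag '{tag}' matches a source release")

if __name__ == "__main__":
    print(audit_registry_tags(REGISTRY_TAGS, RELEASE_TAGS))
    print(gate_image("registry.example/trivy:0.69.5", RELEASE_TAGS))
```

A passing result only shows that the registry and the source repository agree on the version; it does not prove the image contents, which still calls for signature or digest verification.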

From a broader perspective, this attack underscores the shift toward supply chain warfare in cybersecurity. Instead of targeting individual companies directly, attackers compromise widely used tools and platforms, amplifying their impact. A single compromised tool like Trivy can potentially affect thousands of organizations downstream.

The exposure of internal repositories is particularly damaging because it goes beyond code. Internal repositories often contain deployment scripts, infrastructure configurations, and embedded secrets. Even if the code itself is not sensitive, the context it provides can be invaluable for future attacks.

This incident also raises questions about monitoring and detection. The fact that such a large-scale modification could occur with minimal logging visibility suggests that current detection systems are not equipped to handle API-driven attacks. Traditional security tools often focus on user activity, not automated scripts operating through legitimate channels.
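One way to detect the pattern this article describes, many repository renames by a single account inside a two-minute window, is a per-actor sliding window over audit events. This is an added example, not code from the article or from any vendor; the JSON field names (`ts`, `actor`, `action`, `new_name`), the actor names and the sample events are assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from os.path import commonprefix

def _ev(ts, actor, action, new_name=""):
    return json.dumps({"ts": ts, "actor": actor, "action": action, "new_name": new_name})

# Constructed sample log, one JSON event per line. Field names, actors and
# repository names are assumptions for this example, not real audit data.
SAMPLE_LOG = "\n".join(
    [_ev("2026-01-01T09:00:00Z", "alice", "repo.rename", "handbook"),
     _ev("2026-01-01T09:05:00Z", "svc-example", "git.push"),
     "not-json garbage line"]
    + [_ev(f"2026-01-01T12:00:{i * 3:02d}Z", "svc-example", "repo.rename",
           f"tpcp-docs-repo-{i}") for i in range(8)]
)

def detect_rename_bursts(log_text, window=timedelta(minutes=2), threshold=5):
    """Return one alert per actor with >= threshold renames inside `window`."""
    by_actor = defaultdict(list)
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if isinstance(ev, dict) and ev.get("action") == "repo.rename":
            ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            by_actor[ev["actor"]].append((ts, ev["new_name"]))
    alerts = []
    for actor, renames in by_actor.items():
        renames.sort()
        best, start = [], 0
        for end in range(len(renames)):  # sliding window over sorted times
            while renames[end][0] - renames[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = renames[start:end + 1]
        if len(best) >= threshold:
            span = int((best[-1][0] - best[0][0]).total_seconds())
            alerts.append({"actor": actor, "count": len(best), "seconds": span,
                           "common_prefix": commonprefix([n for _, n in best])})
    return alerts

if __name__ == "__main__":
    for alert in detect_rename_bursts(SAMPLE_LOG):
        print(alert)
```

The `common_prefix` field surfaces a shared naming pattern such as the "tpcp-docs-" prefix, which helps separate a scripted defacement from a legitimate bulk reorganisation.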

Ultimately, this breach is a wake-up call for organizations relying on cloud-native ecosystems. Security can no longer be treated as an afterthought or a separate layer. It must be integrated into every stage of the development pipeline, from code creation to deployment. Without that shift, incidents like this will not only continue but become more frequent and more damaging.

Fact Checker Results

✅ Malicious Trivy versions were identified and linked to infostealer code
✅ GitHub organization defacement occurred rapidly via automated API scripts
❌ No confirmed evidence that all exposed secrets have been actively exploited yet

Prediction

📊 Increased adoption of short-lived tokens and stricter CI/CD security policies
📊 Rise in supply chain-focused attacks targeting developer tools and pipelines
📊 Greater investment in real-time monitoring of API-based repository activities

References:

Reported By: securityaffairs.com