BRIEF

Supply Chain · ActiveRisk: CriticalRegion: GlobalHub: Global IntelligenceBrief #00339Priority Score: 95Supply Chain · ActiveRisk: CriticalRegion: GlobalHub: Global IntelligenceBrief #00339Priority Score: 95

Aqua Security Trivy Supply Chain Attack Leads to Repository Defacement and Infostealer Distribution

CRITICAL RISK

BRIEF #00339

Supply Chain Global Global Intelligence

Aqua Security Trivy Supply Chain Attack Leads to Repository Defacement and Infostealer Distribution

March 23, 2026 at 06:03 PM

Priority95

Technology · Software Development · Cloud Infrastructure

2.2

Always First

Executive Risk Brief

CRITICAL RISK

Incident Type

Supply Chain

Risk Level

Critical

Affected Sectors

Technology, Software Development, Cloud Infrastructure

Geographic Impact

Global

Severity Index

95 / 100

ALERT

Immediate Enterprise Concern

Organizations using Trivy versions 0.69.4 through 0.69.6 or automated CI/CD pipelines pulling from Aqua Security repositories must immediately audit for credential compromise and unauthorized code execution.

2.3

Incident Overview

What Happened

The TeamPCP threat group successfully compromised Aqua Security's supply chain, specifically targeting the Trivy vulnerability scanner. Attackers distributed malicious versions (0.69.4–0.69.6) containing infostealer malware via official releases and Docker Hub. Furthermore, the actors hijacked the Aqua Security GitHub organization, defacing 44 repositories and pushing unauthorized tags to manipulate automated build processes.

◆

2.4

Strategic Impact

Why It Matters

This incident represents a severe supply chain compromise that weaponized a trusted security tool to deliver malware directly into developer environments. By targeting CI/CD pipelines, the attackers gained the potential to harvest sensitive credentials and inject malicious code into downstream software products. The breadth of the repository defacement indicates a significant breach of administrative access within the vendor's development infrastructure.

◆

2.5

Conditional Advisory

Citizen Safety Summary

Live Citizen Advisory · Global

Supply Chain Safety Alert

Est. Reports Filed

Score 95

Active Since

Mar 23, 2026

Sectors Targeted

Technology, Software Development

If you are a software developer or use the Trivy security tool, please be aware that recent versions (0.69.4 to 0.69.6) were compromised by hackers to steal your login information. You should immediately stop using these versions, delete any associated container images, and rotate any credentials that may have been stored in environments where these tools were active.

2.6

Operational Directives

QPulse Advisory Block

Immediate Action

Time-sensitive · Act now

Immediately purge Trivy versions 0.69.4-0.69.6 from all container registries and local environments; rotate all credentials, API keys, and secrets that were present in systems where these versions were deployed.

Monitoring Recommendation

Detection & visibility

Monitor CI/CD logs for unauthorized repository access, unexpected tag pushes, or anomalous outbound network traffic originating from build servers.

Preventive Control

Reduce attack surface

Implement strict image signing and verification (e.g., Cosign) to ensure the integrity of container images before deployment and enforce MFA on all service accounts linked to GitHub and Docker Hub.

Governance Consideration

Policy & compliance

Adopt a 'Zero Trust' approach to third-party tooling by implementing software bill of materials (SBOM) analysis and sandboxing automated build processes to limit the blast radius of potential supply chain compromises.

QPulseIntelligence

Advisory purposes only · QPulse Security Intelligence Platform · 2026 · Brief #00339

2.2

Always First

Executive Risk Brief

CRITICAL RISK

Incident Type

Supply Chain

Risk Level

Critical

Affected Sectors

Technology, Software Development, Cloud Infrastructure

Geographic Impact

Global

Severity Index

95 / 100

ALERT

Immediate Enterprise Concern

2.3

Incident Overview

What Happened

◆

2.4

Strategic Impact

Why It Matters

◆

2.5

Conditional Advisory

Citizen Safety Summary

Live Citizen Advisory · Global

Supply Chain Safety Alert

Est. Reports Filed

Score 95

Active Since

Mar 23, 2026

Sectors Targeted

Technology, Software Development

2.6

Operational Directives

QPulse Advisory Block

Immediate Action

Time-sensitive · Act now

Monitoring Recommendation

Detection & visibility

Monitor CI/CD logs for unauthorized repository access, unexpected tag pushes, or anomalous outbound network traffic originating from build servers.

Preventive Control

Reduce attack surface

Implement strict image signing and verification (e.g., Cosign) to ensure the integrity of container images before deployment and enforce MFA on all service accounts linked to GitHub and Docker Hub.

Governance Consideration

Policy & compliance

QPulseIntelligence

Advisory purposes only · QPulse Security Intelligence Platform · 2026 · Brief #00339