Particle.news

Trivy Supply-Chain Hack Taints Docker Images as Aqua’s Internal GitHub Is Defaced

The incident shows how a single stolen bot token plus mutable tags can hijack trusted software updates.

Overview

  • Docker, which disclosed Monday it worked with Aqua to pull tainted Trivy images, warned that users who fetched tags 0.69.4, 0.69.5, 0.69.6 or latest between March 19 and early March 23 should assume CI/CD secrets and keys were stolen.
  • Attackers used compromised GitHub Actions credentials to publish a trojanized Trivy release and to force-push action tags, planting a TeamPCP infostealer that grabs runner memory, tokens, cloud creds, SSH keys and environment variables.
  • Following Saturday’s GitHub Actions abuse, investigators say a long‑lived Argon‑DevOps‑Mgt service account token let the same actor rename and expose all 44 repositories in Aqua’s internal aquasec-com org in a scripted two‑minute burst on Sunday.
  • Maintainers list Trivy 0.69.3 as the last known clean image and advise pinning to that version, rotating all tokens and secrets, auditing any recent Trivy, trivy-action or setup-trivy runs, and checking for safe action versions v0.35.0 and v0.2.6.
  • Researchers attribute the campaign to TeamPCP and highlight systemic gaps such as mutable Docker tags and long‑lived personal access tokens, urging teams to pin images by digest, verify signed provenance and treat recent pipelines as compromised.
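An added check, not code from the page or from Aqua: a small Python scanner that flags the tainted Trivy image tags and unpinned action references named above in Dockerfile or workflow lines, so a team can triage pipelines before rotating secrets. It assumes the Docker Hub image name aquasec/trivy and the GitHub org aquasecurity, and assumes v0.35.0 belongs to trivy-action and v0.2.6 to setup-trivy; none of those names is stated on the page.

```python
import re

# Image tags the page lists as tainted; 0.69.3 is the last known clean image.
TAINTED_TAGS = {"0.69.4", "0.69.5", "0.69.6", "latest"}
# Safe action versions from the page; which version belongs to which action is an assumption.
SAFE_REFS = {"trivy-action": "v0.35.0", "setup-trivy": "v0.2.6"}

# Assumed names: the Docker Hub image aquasec/trivy and GitHub org aquasecurity are not stated on the page.
IMAGE_RE = re.compile(
    r"\baquasec/trivy(?![\w-])(?::(?P<tag>[\w.-]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?")
ACTION_RE = re.compile(r"uses:\s*aquasecurity/(?P<action>trivy-action|setup-trivy)@(?P<ref>\S+)")
COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_line(line):
    """Return findings for one Dockerfile or workflow line; an empty list means it is pinned safely."""
    findings = []
    img = IMAGE_RE.search(line)
    if img and not img.group("digest"):  # a digest reference is immutable, so a re-pointed tag cannot affect it
        tag = img.group("tag") or "latest"  # an untagged FROM resolves to :latest
        if tag in TAINTED_TAGS:
            findings.append(f"tainted image tag '{tag}': treat pipeline secrets as exposed, rotate them, pin 0.69.3 by digest")
        else:
            findings.append(f"mutable image tag '{tag}': pin by digest")
    act = ACTION_RE.search(line)
    if act and not COMMIT_SHA_RE.match(act.group("ref")):  # a full commit SHA survives a force-pushed tag
        action, ref = act.group("action"), act.group("ref")
        if ref == SAFE_REFS[action]:
            findings.append(f"{action}@{ref} is a safe version but a movable tag: pin to its commit SHA")
        else:
            findings.append(f"{action}@{ref} is not a known-safe version: audit recent runs, move to {SAFE_REFS[action]} pinned by SHA")
    return findings


def scan(text):
    """Scan Dockerfile/workflow text and return (line number, finding) pairs."""
    return [(n, f) for n, line in enumerate(text.splitlines(), 1) for f in check_line(line)]


# Constructed sample input; the digest and commit SHA are placeholders, not real values.
SAMPLE = """\
FROM aquasec/trivy:latest
FROM aquasec/trivy:0.69.5
FROM aquasec/trivy:0.69.3@sha256:{digest}
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@v0.35.0
      - uses: aquasecurity/setup-trivy@{sha}
""".format(digest="a" * 64, sha="b" * 40)

if __name__ == "__main__":
    for n, f in scan(SAMPLE):
        print(f"line {n}: {f}")
```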