Cybersecurity researchers have found malicious Trivy container images that were distributed through Docker Hub in the wake of the Trivy supply chain attack. This shows that the blast radius is widening across developer environments.
The most recent clean version of Trivy on Docker Hub is 0.69.3. The malicious tags 0.69.4, 0.69.5, and 0.69.6 have been removed from the Docker Hub repository. Philipp Burckhardt, a Socket security researcher, said, "New image tags 0.69.5 and 0.69.6 were pushed on March 22 without any GitHub releases or tags. Both images have signs of compromise linked to the same TeamPCP infostealer seen in earlier stages of this campaign."
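The practical check that follows from the paragraph above is to reconcile the tags a registry serves against the project's GitHub releases, treat any version tag with no matching release as suspect, and refuse to run pipelines that pull such a tag or a floating, digest-less one. The script below is an added example written for this page, not code from Aqua, Socket or the Trivy project. The known-bad tags and the "0.69.3 is the last clean tag" fact come from the article; the GitHub release list, the Docker Hub tag list, the digest value and the CI snippet are constructed, and the Docker Hub repository name aquasec/trivy is assumed.

```python
"""Reconcile registry tags with GitHub releases and audit CI image references."""
import re

# Constructed sample data modelled on the incident (NOT live registry or GitHub data).
KNOWN_BAD_TAGS = {"0.69.4", "0.69.5", "0.69.6"}                 # from the article
GITHUB_RELEASE_TAGS = {"v0.69.1", "v0.69.2", "v0.69.3"}         # constructed
DOCKERHUB_TAGS = {"0.69.1", "0.69.2", "0.69.3",
                  "0.69.4", "0.69.5", "0.69.6", "latest"}       # constructed
TRIVY_REPOS = {"aquasec/trivy", "docker.io/aquasec/trivy"}      # assumed repo name
FAKE_DIGEST = "sha256:" + "ab" * 32                             # placeholder digest

SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")
# repo[:tag][@sha256:digest]; registries with a port are not handled here
IMAGE_REF = re.compile(
    r"^(?P<repo>[^:@\s]+?)(?::(?P<tag>[^@\s/]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$")


def semver_key(tag):
    """(major, minor, patch) for a version-looking tag, else None."""
    m = SEMVER.match(tag)
    return tuple(int(x) for x in m.groups()) if m else None


def unreleased_tags(hub_tags, github_tags):
    """Version tags present in the registry that have no matching GitHub release.
    GitHub release tags carry a leading 'v'; Docker Hub tags do not, so compare
    parsed version tuples rather than raw strings."""
    released = {semver_key(t) for t in github_tags if semver_key(t)}
    return {t for t in hub_tags if semver_key(t) and semver_key(t) not in released}


def last_trusted_tag(hub_tags, github_tags, bad_tags):
    """Highest version tag that has a GitHub release and is not known-bad."""
    suspicious = unreleased_tags(hub_tags, github_tags) | set(bad_tags)
    candidates = [t for t in hub_tags if semver_key(t) and t not in suspicious]
    return max(candidates, key=semver_key) if candidates else None


def parse_image_ref(ref):
    """Split an image reference into (repo, tag, digest); tag/digest may be None."""
    m = IMAGE_REF.match(ref.strip())
    if not m:
        raise ValueError(f"unparseable image reference: {ref!r}")
    return m.group("repo"), m.group("tag"), m.group("digest")


def audit_manifest(text, bad_tags, unreleased):
    """Return (line_no, tag, reason) for every Trivy image: line that is risky."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = re.match(r"^\s*(?:-\s*)?image:\s*['\"]?([^'\"\s]+)", line)
        if not m:
            continue
        repo, tag, digest = parse_image_ref(m.group(1))
        if repo not in TRIVY_REPOS:
            continue                      # only Trivy pulls are audited here
        if tag in bad_tags:
            findings.append((lineno, tag, "known-bad tag from the compromised release"))
        elif tag in unreleased:
            findings.append((lineno, tag, "tag has no matching GitHub release"))
        elif tag is None or tag == "latest":
            findings.append((lineno, tag, "floating tag: resolves to whatever was pushed last"))
        elif digest is None:
            findings.append((lineno, tag, "mutable tag: pin with @sha256 digest"))
    return findings


# Constructed CI snippet used as sample input.
SAMPLE_MANIFEST = f"""\
# constructed CI snippet
jobs:
  scan:
    steps:
      - image: aquasec/trivy:0.69.5
      - image: aquasec/trivy:latest
      - image: aquasec/trivy:0.69.3
      - image: aquasec/trivy:0.69.3@{FAKE_DIGEST}
      - image: alpine:3.20
"""

if __name__ == "__main__":
    suspect = unreleased_tags(DOCKERHUB_TAGS, GITHUB_RELEASE_TAGS)
    print("tags without a GitHub release:", sorted(suspect))
    print("last trusted tag:", last_trusted_tag(DOCKERHUB_TAGS, GITHUB_RELEASE_TAGS, KNOWN_BAD_TAGS))
    for lineno, tag, reason in audit_manifest(SAMPLE_MANIFEST, KNOWN_BAD_TAGS, suspect):
        print(f"line {lineno}: {tag!r}: {reason}")
```

In a real pipeline the two tag lists would come from the Docker Hub tags API and the GitHub releases API; only the comparison and the manifest audit are shown here. Note that a digest pin protects against a tag being re-pointed, but not against a release that was malicious when first published, which is why the "no matching GitHub release" check is kept separate from the known-bad list.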
The weak link was the Argon-DevOps-Mgt service account: a single bot account with a long-lived personal access token (PAT) that bridged two organizations. "They are building capability and targeting the security vendor ecosystem itself, from cloud exploitation to supply chain worms to Kubernetes wipers."
The fact that a cloud security company was hacked by a cloud-native threat actor should not be lost on the industry.












