Trivy Docker images 0.69.5/0.69.6 confirmed compromised

TL;DR — Newly published aquasec/trivy Docker Hub tags were compromised, meaning CI jobs that pull Trivy by mutable tag may have executed an infostealer inside build runners.

What happened

Trivy is a widely used open-source vulnerability scanner for containers and related artifacts, commonly embedded into CI/CD pipelines to gate builds and releases.

Socket reported that new Trivy image tags 0.69.5 and 0.69.6 were pushed to Docker Hub without corresponding GitHub releases/tags, and that these images contain indicators tied to the TeamPCP infostealer campaign; Socket also notes that the Docker Hub latest tag points to 0.69.6, which is compromised. (socket.dev)

Socket’s analysis calls out concrete compromise artifacts including the typosquatted C2 domain scan.aquasecurtiy.org, exfiltration artifacts (payload.enc, tpcp.tar.gz), and references to a fallback GitHub repository (tpcp-docs). (socket.dev)

Separately, StepSecurity states it confirmed the C2 domain by extracting the Trivy binaries from aquasec/trivy:0.69.5 and aquasec/trivy:0.69.6 and finding the hardcoded domain via strings analysis (validated in a controlled GitHub Actions workflow). (stepsecurity.io)

This is an S-tier supply-chain failure mode for platform teams: scanners and CI helpers run in high-trust contexts (runner secrets, repo tokens, registry credentials), and Docker tags are mutable, so “we pinned a version tag” is not a real integrity control during an incident. (socket.dev)

Who is impacted

• Any org that pulled or executed aquasec/trivy from Docker Hub by tag (especially latest) during the window where compromised tags were available. (socket.dev)
• CI/CD environments where Trivy runs with access to secrets (e.g., ${{ secrets.* }}, GITHUB_TOKEN, cloud credentials, registry credentials).
• Downstream systems that automatically rebuild or republish images/tools by “pull latest scanner” patterns (supply-chain amplification risk). (socket.dev)

What to do now

• Follow vendor remediation guidance and assume a CI/CD execution of a compromised scanner image is a credentials-exposure event.
• Avoid relying on Docker tags for integrity; Socket explicitly warns that Docker Hub tags are not immutable and orgs should not rely solely on tag names. (socket.dev)
• If you suspect your org executed compromised Trivy artifacts, use the vendor’s incident guidance:

  "If you suspect you were running a compromised version, treat all pipeline secrets as compromised and rotate immediately." (github.com)

• Consider blocking network indicators the vendor called out:

  "We also recommend that you block the C2 domain scan[.]aquasecurtiy[.]org and IP 45.148.10.212 at your network perimeter." (github.com)

• Inventory and triage impact fast:
  • Identify pipelines that reference aquasec/trivy (and whether they pulled by tag vs digest).
  • Review CI logs for suspicious outbound calls and unexpected archive/artifact creation consistent with exfiltration tooling.
• For incident narrative and containment assumptions, note Aqua’s own acknowledgment that the March 19 event was a follow-on where initial containment was incomplete:

  "Our containment of the first incident was incomplete." (github.com)