Ethical Hacking News
In a recent breach, 44 Aqua Security repositories were defaced by malicious actors, exposing internal code, tools, and infrastructure across the organization. The attack highlights the importance of robust security measures, collaboration between researchers and organizations, and vigilance in monitoring activity within GitHub orgs.
Aqua Security's 44 repositories were defaced by malicious actors in a recent breach. The attack was linked to a supply chain attack that exposed developers to infostealer malware after exploiting vulnerabilities in their CI systems. Compromised images on Docker Hub contained TeamPCP infostealer code and were used to steal credentials from CI systems. The attackers launched a fully automated blitz, defacing all repositories within two minutes using scripted API calls. The breach highlights the importance of monitoring and reviewing activity within GitHub orgs, particularly those containing proprietary code. The perpetrators are believed to be TeamPCP, a cloud-native threat actor known for their involvement in supply chain attacks.
In a recent breach that has left the security community shaken, 44 repositories belonging to Aqua Security were defaced by malicious actors. This incident is a stark reminder of the consequences of a supply chain attack and highlights the importance of robust security measures in place to protect sensitive information.
According to reports published by OpenSourceMalware, the attack began when researchers discovered malicious Trivy images on Docker Hub that contained TeamPCP infostealer code. These compromised images were linked to a supply chain attack that exposed developers to infostealer malware after exploiting vulnerabilities in their CI systems. The breach was further exacerbated by the unauthorized use of a stolen service account token, which granted attackers admin access across multiple organizations.
Investigations revealed that the attacker had compromised Trivy GitHub Actions, using them to steal credentials from CI systems, including tokens and keys. The stolen service account token was then used to test its capabilities by creating and deleting branches, mimicking normal developer activity to avoid detection. Once the token was confirmed to work, the attacker launched a fully automated blitz, defacing all 44 repositories in Aqua Security's GitHub org within about two minutes using scripted API calls.
The attack's impact on Aqua Security cannot be overstated, as it exposed internal code, tools, and infrastructure across the organization. This means that any stored secrets or credentials should now be considered compromised, leaving developers vulnerable to potential attacks. Furthermore, the breach highlights the importance of monitoring and reviewing activity within GitHub orgs, particularly those containing proprietary code.
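The sequence described above (a quiet branch create/delete probe, then a scripted burst across many repositories) is visible in an org audit log if someone looks for it. The following detection sketch is an added example, not code from the article or from Aqua Security; the event field names and action values are assumptions loosely modelled on GitHub org audit-log entries, and the sample events are constructed:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed action names (not the real GitHub audit-log schema).
WRITE_ACTIONS = {"repo.update", "git.push", "repo.rename"}
PROBE_ACTIONS = {"branch.create", "branch.delete"}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _ts(base, offset_s):
    return (base + timedelta(seconds=offset_s)).strftime(TS_FMT)


_BASE = datetime(2026, 3, 20, 9, 0, 0)
# Constructed sample events: one service token probes a repo, then rewrites
# twelve repos in under a minute; a developer pushes to two repos over two hours.
SAMPLE_EVENTS = (
    [{"ts": _ts(_BASE, 5), "actor": "svc-ci-bot", "action": "branch.create", "repo": "acme/scanner"},
     {"ts": _ts(_BASE, 40), "actor": "svc-ci-bot", "action": "branch.delete", "repo": "acme/scanner"}]
    + [{"ts": _ts(_BASE, 300 + 5 * i), "actor": "svc-ci-bot", "action": "repo.update",
        "repo": f"acme/repo-{i}"} for i in range(12)]
    + [{"ts": _ts(_BASE, 3600 * i), "actor": "dev-alice", "action": "git.push",
        "repo": f"acme/repo-{i}"} for i in range(2)]
)


def detect_defacement_bursts(events, window=timedelta(seconds=120), min_repos=5):
    """Flag any actor that modifies >= min_repos distinct repos inside one sliding window.

    Also records whether the same actor performed a branch create/delete probe
    earlier, which raises the confidence that a stolen token is being exercised.
    """
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append(e)
    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        writes = [e for e in evs if e["action"] in WRITE_ACTIONS]
        probed = any(e["action"] in PROBE_ACTIONS for e in evs)
        best, best_span, start = 0, None, 0
        for end in range(len(writes)):
            # Advance the window start until all events fit inside `window`.
            while datetime.strptime(writes[end]["ts"], TS_FMT) - datetime.strptime(writes[start]["ts"], TS_FMT) > window:
                start += 1
            distinct = len({e["repo"] for e in writes[start:end + 1]})
            if distinct > best:
                best, best_span = distinct, (writes[start]["ts"], writes[end]["ts"])
        if best >= min_repos:
            alerts.append({"actor": actor, "repos": best, "probe_seen": probed, "span": best_span})
    return alerts
```

Tune `window` and `min_repos` to the org's normal release cadence so that a legitimate bulk update does not page on-call every time.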
The perpetrators behind this attack are believed to be TeamPCP, a cloud-native threat actor known for their involvement in supply chain attacks, Docker API and Kubernetes exploitation, ransomware, cryptomining, and self-propagating worms. Their recorded activity, in sequence, includes the Trivy GitHub Actions compromise, ICP Canister-based worms, destructive Kubernetes payloads, and the recent org-level attack against Aqua Security.
This incident serves as a wake-up call for organizations to review their security posture and ensure that they have implemented robust measures to prevent similar breaches in the future. By staying vigilant and proactive, organizations can minimize the risk of supply chain attacks and protect sensitive information from falling into the wrong hands.
The breach also highlights the importance of collaboration between security researchers and organizations in identifying and addressing vulnerabilities. OpenSourceMalware's report provides valuable insights into the attack, including indicators of compromise (IOCs) for this attack. This data can be used to help identify and mitigate similar attacks in the future, reducing the risk of further breaches.
In conclusion, the defacement of Aqua Security repositories is a stark reminder of the consequences of supply chain attacks. It highlights the importance of robust security measures, collaboration between researchers and organizations, and vigilance in monitoring and reviewing activity within GitHub orgs. By staying informed and taking proactive steps to address vulnerabilities, organizations can minimize the risk of such breaches and protect sensitive information.
Related Information:
https://www.ethicalhackingnews.com/articles/Aqua-Security-Repositories-Defaced-The-Consequences-of-a-Trivy-Supply-Chain-Breach-ehn.shtml
https://securityaffairs.com/189856/uncategorized/44-aqua-security-repositories-defaced-after-trivy-supply-chain-breach.html
https://cybersixt.com/a/7wFJAXH1SYQospF2a0gAkP
https://www.csoonline.com/article/4148317/trivy-vulnerability-scanner-backdoored-with-credential-stealer-in-supply-chain-attack.html
https://www.wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack
https://www.bleepingcomputer.com/news/security/trivy-vulnerability-scanner-breach-pushed-infostealer-via-github-actions/
https://thehackernews.com/2026/02/teampcp-worm-exploits-cloud.html
https://cstromblad.com/posts/threat-actor-profile-teampcp/
Published: Mon Mar 23 10:35:00 2026 by llama3.2 3B Q4_K_M