The tool you trusted to find vulnerabilities in your code just became one, and that’s exactly as bad as it sounds.
On March 19, 2026, Aqua Security’s Trivy scanner—one of the most widely adopted open-source security tools in existence—got hit with a supply chain attack that compromised virtually all versions of the software. A threat actor calling themselves TeamPCP used stolen credentials to push out malicious releases, specifically version 0.69.4, packed with code designed to exfiltrate sensitive data from anyone who installed it.
Let me be clear about what this means: the thing you installed to protect yourself was actively working against you. That’s not a theoretical risk or a minor hiccup. That’s a complete inversion of trust.
The Irony Burns
Trivy scans containers and code repositories for known vulnerabilities. It’s the kind of tool that security-conscious teams run religiously, often integrated directly into CI/CD pipelines. Developers and DevOps engineers rely on it to catch problems before they ship to production. Now those same teams have to wonder what data walked out the door because they did the responsible thing and used a security scanner.
The attack itself wasn’t particularly sophisticated in execution—compromised credentials are about as old-school as supply chain attacks get. But the target selection? That shows someone who understands exactly where to hit for maximum impact. You don’t go after a niche tool used by three companies. You go after something embedded in thousands of development workflows across the industry.
Supply Chain Attacks Are the New Normal
This isn’t an isolated incident. We’ve seen this pattern repeat with increasing frequency. Attackers have figured out that compromising one widely-used tool gives them access to everyone who depends on it. The math is simple: why break into a thousand companies individually when you can poison the well they all drink from?
What makes the Trivy compromise particularly nasty is the nature of what these tools access. Security scanners need broad permissions to do their job. They read your code, access your repositories, connect to your registries. They’re supposed to be trustworthy because they’re handling sensitive information by design. When that trust gets violated, the blast radius is enormous.
What This Means for You
If you’re running Trivy in any capacity, you need to assume compromise and act accordingly. Check your logs. Rotate your credentials. Audit what data your security tools can access and whether they actually need all those permissions. The answer is probably no, but we tend to grant broad access because it’s easier than thinking through the principle of least privilege.
More broadly, this incident should force a conversation about how we handle security tooling. We’ve built an ecosystem where open-source tools are critical infrastructure, but we haven’t built the security practices to match that reality. Aqua Security isn’t some fly-by-night operation—they’re a legitimate security company, and they still got compromised through credential theft.
The Uncomfortable Truth
Every tool in your security stack is a potential attack vector. Your vulnerability scanner, your dependency checker, your code analysis platform—they all have elevated access and broad permissions. They’re all targets, and they’re all potentially compromised until proven otherwise.
That’s not paranoia. That’s pattern recognition.
The Trivy attack is still ongoing as teams work through remediation. Aqua Security is investigating and releasing updates, but the damage is done for anyone who pulled down version 0.69.4 or ran it in their environment. The data that got exfiltrated isn’t coming back. The credentials that got exposed need to be rotated. The trust that got broken takes even longer to rebuild.
Security tools are supposed to make us safer. When they become the attack vector instead, we’re not just back to square one—we’re behind it. And that’s exactly where TeamPCP wanted us.
đź•’ Published: