Threat Intel - Aqua Security Repositories Defaced by TeamPCP
In short: after stealing access, attackers altered Aqua Security's GitHub repositories to show that they had taken them over.
Aqua Security's GitHub repositories were defaced after a supply chain attack involving malicious Trivy images. The breach exposed sensitive developer data and internal tools, raising significant security concerns.
The Threat
A recent supply chain attack has led to the defacement of 44 repositories belonging to Aqua Security. On March 22, 2026, researchers discovered that malicious Trivy images containing infostealer malware had been uploaded to Docker Hub. Versions 0.69.4 to 0.69.6 were particularly dangerous, as they included code from the TeamPCP group, a known cloud-native threat actor. This breach highlights the vulnerabilities in the software supply chain and the risks developers face when using compromised container images.
The attackers used a stolen service account token to gain access, allowing them to rename and deface all repositories in Aqua Security's internal GitHub organization. This incident marks a significant escalation in TeamPCP’s activities, showcasing their ability to execute a fully automated attack in a matter of minutes.
Who's Behind It
The attack was orchestrated by TeamPCP, also known as DeadCatx3, PCPcat, ShellForce, and CanisterWorm. This group has been active in 2025 and 2026, focusing on Docker API and Kubernetes exploitation, along with various forms of cyberattacks including supply chain attacks and ransomware. They have a history of leveraging GitHub Actions to compromise CI systems, making them a formidable threat in the cloud-native ecosystem.
Prior to the attack, TeamPCP tested the stolen token's capabilities by creating and deleting a branch, a tactic designed to avoid detection. This methodical approach allowed them to map out repositories and prepare for the main attack, which involved renaming and defacing the repositories in a matter of minutes.
Tactics & Techniques
The attack followed a clear sequence of events. First, TeamPCP compromised the Trivy GitHub Actions to steal credentials from CI systems, including tokens and keys. They then captured a service account token with admin access across multiple organizations. After confirming their access by mimicking normal behavior, they executed their plan, resulting in the rapid defacement of Aqua Security's repositories.
This incident is particularly concerning because it exposes internal tools and infrastructure, meaning any stored secrets or credentials should now be considered compromised. The automated nature of the attack also indicates a high level of sophistication and planning on the part of TeamPCP.
Defensive Measures
To protect against such threats, organizations should ensure that their CI/CD pipelines are secure. This includes implementing strict access controls and regularly rotating service account tokens. Additionally, monitoring for unusual activity, such as unexpected repository changes or suspicious API calls, can help detect potential breaches early.
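The monitoring advice above can be made concrete: the page describes a stolen service-account token being tested with a throwaway branch (create, then delete) before repositories are renamed in bulk within minutes. The following is an added example, not code from the original article or from Aqua Security, that flags exactly that sequence in a set of constructed audit events; the event schema and action names (`branch.create`, `branch.delete`, `repo.rename`) are simplified assumptions, not GitHub's real audit-log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, actor, action, repo, ref=None):
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "actor": actor, "action": action, "repo": repo, "ref": ref}

# Constructed sample events in a made-up schema (NOT GitHub's real audit-log
# format), mirroring the page: probe by branch create/delete, then fast renames.
SAMPLE_EVENTS = [
    ev("2026-03-22T10:00:00Z", "svc-ci-bot", "branch.create", "org/repo-a", "probe"),
    ev("2026-03-22T10:00:20Z", "svc-ci-bot", "branch.delete", "org/repo-a", "probe"),
    ev("2026-03-22T10:03:00Z", "svc-ci-bot", "repo.rename", "org/repo-a"),
    ev("2026-03-22T10:03:05Z", "svc-ci-bot", "repo.rename", "org/repo-b"),
    ev("2026-03-22T10:03:11Z", "svc-ci-bot", "repo.rename", "org/repo-c"),
    ev("2026-03-22T11:30:00Z", "dev-alice", "repo.rename", "org/repo-e"),  # benign single rename
]

def find_probe_branches(events, max_gap=timedelta(minutes=5)):
    """(actor, repo, ref) where one actor created then deleted the same branch within max_gap."""
    creates, hits = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["actor"], e["repo"], e["ref"])
        if e["action"] == "branch.create":
            creates[key] = e["ts"]
        elif e["action"] == "branch.delete" and key in creates:
            if e["ts"] - creates.pop(key) <= max_gap:
                hits.append(key)
    return hits

def find_rename_bursts(events, min_count=3, window=timedelta(minutes=10)):
    """{actor: peak count} for actors renaming >= min_count repos inside any sliding window."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] == "repo.rename":
            by_actor[e["actor"]].append(e["ts"])
    bursts = {}
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward until it fits
            if end - start + 1 >= min_count:
                bursts[actor] = max(bursts.get(actor, 0), end - start + 1)
    return bursts

def triage(events):
    """Highest-priority alerts: actors that probed with a throwaway branch and then mass-renamed."""
    probers = {actor for actor, _, _ in find_probe_branches(events)}
    return sorted(a for a in find_rename_bursts(events) if a in probers)
```

Either signal alone is noisy (developers rename repositories and delete scratch branches), so the combination within a short time span is what makes this worth paging on; thresholds are starting points to tune against your own organization's baseline.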
Developers using container images should remain vigilant and verify the integrity of the images they pull from registries like Docker Hub. Using tools that scan for vulnerabilities and monitor for compromised images is essential to maintaining a secure development environment. By taking these proactive measures, organizations can better defend against supply chain attacks and safeguard their critical assets.
Security Affairs