Aqua Security Breach - 44 Repositories Defaced by Attackers
In short: attackers compromised Aqua Security's GitHub organization and distributed malicious software under its name, putting developers at risk.
Aqua Security faced a major breach as 44 repositories were defaced. Developers using their tools are at risk due to exposed internal code and credentials. Immediate action is needed to secure systems affected by this supply chain attack.
What Happened
On March 22, 2026, a significant breach occurred involving Aqua Security. Researchers discovered that malicious Trivy images were uploaded to Docker Hub, leading to a supply chain attack. Versions 0.69.4 to 0.69.6 of Trivy were found to contain TeamPCP infostealer code, which has serious implications for developers relying on these images. The attackers compromised Aqua Security’s internal GitHub organization and defaced all 44 repositories in a matter of minutes.
The attack was executed rapidly, with attackers renaming repositories and altering descriptions to reflect their ownership. They used a stolen service account token to gain access, marking a troubling escalation in their activities. The compromised organization, aquasec-com, is distinct from Aqua Security’s public open-source organization, making the breach particularly damaging as it exposed proprietary code and internal tools.
Who's Affected
The breach primarily affects developers who use Aqua Security's tools and repositories. With internal code and infrastructure exposed, any stored secrets or credentials are now at risk. The incident highlights the vulnerabilities in supply chain security, particularly in open-source environments where developers often trust third-party images without thorough vetting.
Developers using the affected Trivy versions should be particularly vigilant. The rapid nature of the attack indicates that many may not have realized their systems were compromised until it was too late. The implications extend beyond Aqua Security, as the compromised repositories could potentially affect numerous projects relying on their tools.
What Data Was Exposed
The breach resulted in the exposure of sensitive internal code, tools, and infrastructure. Attackers had access to credentials and tokens that could facilitate further exploitation. The rapid defacement of repositories suggests that attackers were able to manipulate a significant amount of data in a very short time.
Given the nature of the attack, any secrets stored within the repositories should now be considered compromised. This includes API keys, service tokens, and any proprietary information that could be leveraged in future attacks. Developers are urged to review their security protocols and assess the impact of this breach on their projects.
What You Should Do
If you are a developer using Aqua Security’s tools, immediate action is required. First, audit your systems for any signs of compromise, particularly if you have pulled or run the affected Trivy versions. Rotate any credentials that may have been exposed during the breach.
Additionally, keep an eye on updates from Aqua Security regarding the incident. They may provide further insights and guidance on how to mitigate risks stemming from this breach. It’s also advisable to enhance your security practices, such as implementing stricter access controls and regularly reviewing third-party dependencies for vulnerabilities.
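The audit step above starts with a simple question: which image references in your CI configs, manifests or node image lists point at a Trivy build in the affected range? The script below is an added example, not code from the article or from Aqua Security. It takes the inclusive range 0.69.4 to 0.69.6 from the article; everything else is assumed: that the affected images are tagged with their plain version number (for example "0.69.5" or "v0.69.5"), that the Trivy image repository path ends in "trivy", and the sample references themselves, which are constructed for illustration. A floating tag such as "latest" cannot be judged from the reference alone, so it is reported separately for manual verification rather than marked clean.

```python
"""Triage container image references against the Trivy versions named in the article.

Added example, not code from the article or from Aqua Security. Assumptions:
affected images carry their version as the tag, and the Trivy repository path
ends in "trivy". Sample references below are constructed, not observed data.
"""
import re

# Inclusive version range the article reports as carrying the infostealer code.
AFFECTED_MIN = (0, 69, 4)
AFFECTED_MAX = (0, 69, 6)

# Semantic-version tag, optional leading "v", optional "-variant" or "+build" suffix.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_reference(ref):
    """Split 'repo[:tag][@sha256:digest]' into (repo, tag, digest).

    A colon followed by a slash belongs to a registry port (host:5000/...),
    not to a tag, so only the last colon with no slash after it marks the tag.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    idx = ref.rfind(":")
    if idx != -1 and "/" not in ref[idx:]:
        ref, tag = ref[:idx], ref[idx + 1:]
    return ref, tag, digest


def parse_version(tag):
    """Return (major, minor, patch) for a version-shaped tag, else None."""
    m = VERSION_RE.match(tag)
    return tuple(int(x) for x in m.groups()) if m else None


def in_affected_range(version):
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def classify(ref):
    """Verdict for one image reference.

    affected       - Trivy tag inside the reported range
    outside-range  - Trivy tag with a version outside the range
    digest-pinned  - Trivy image pinned by digest; version unknown from the
                     reference, compare the digest against vendor guidance
    floating-tag   - Trivy image with no version tag ("latest" or untagged);
                     may resolve to an affected build, verify what it pulls
    not-trivy      - some other image
    """
    repo, tag, digest = parse_reference(ref)
    if repo.rstrip("/").split("/")[-1] != "trivy":   # assumed naming convention
        return "not-trivy"
    version = parse_version(tag) if tag else None
    if version is not None and in_affected_range(version):
        return "affected"
    if version is not None:
        return "outside-range"
    if digest:
        return "digest-pinned"
    return "floating-tag"


def triage(refs):
    """Group references by verdict so 'affected' and 'floating-tag' can be handled first."""
    grouped = {}
    for ref in refs:
        grouped.setdefault(classify(ref), []).append(ref)
    return grouped


# Constructed sample input: references as they might appear in CI configs or
# a node's image list. Illustrative strings only, not observed artefacts.
SAMPLE_REFS = [
    "aquasec/trivy:0.69.5",
    "docker.io/aquasec/trivy:v0.69.4",
    "aquasec/trivy:0.69.3",
    "aquasec/trivy:latest",
    "registry.example:5000/mirror/trivy",
    "aquasec/trivy@sha256:" + "0" * 64,
    "python:3.12-slim",
]

if __name__ == "__main__":
    for verdict, refs in triage(SAMPLE_REFS).items():
        print(f"{verdict}:")
        for r in refs:
            print(f"  {r}")
```

Feed it the output of whatever lists images in your environment (a grep over pipeline YAML, or the image column from your container runtime) one reference per line. Anything in the "affected" group needs the host and its credentials treated as compromised per the steps above; "floating-tag" entries need the tag resolved to see which build they actually pulled during the exposure window.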
Security Affairs