A security incident affects users of Trivy, the Aqua Security vulnerability scanner, distributed through channels such as Docker Hub, GitHub, and npm. Between March 19, 2026, and March 23, 2026, certain versions of the Trivy images were compromised, potentially exposing CI/CD secrets, cloud credentials, SSH keys, and Docker configurations for Docker Hub customers. Docker, in collaboration with Aqua Security, took immediate action to remove the compromised scanner image versions.
If you have downloaded any of the affected images, stop using them and promptly update any compromised credentials. The Docker Hardened Images (DHI) version of the Trivy image, as well as Docker's infrastructure and other Docker Hub images, remained unaffected by this incident.
The security breach occurred when threat actors infiltrated Aqua Security’s CI/CD pipeline, injecting malware into the aquasec/trivy vulnerability scanner images with specific tags on Docker Hub. The malicious content had the capability to extract sensitive data like CI/CD secrets, cloud credentials, SSH keys, and Docker configurations. Following the discovery of the compromised images, Docker took swift action to investigate and address the situation.
Users are encouraged to verify if they have been impacted by checking for the compromised image digests in their local image store, registry mirrors, or Artifactory/Nexus caches. If any of the compromised digests are found, it is recommended to remove the images and switch to the last known clean release, which is version 0.69.3. Additionally, affected credentials should be rotated to prevent any further security risks.
Lessons learned from this incident emphasize the importance of securing container images and CI/CD actions. Organizations are advised not to rely solely on mutable tags to identify images and instead to pin images by digest. Supply chain integrity goes beyond vulnerability scanning: it requires verifying image provenance and source authenticity. After a security breach, secret rotation should be carried out comprehensively so that no exposed secret is left in use.
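The digest check and the pin-by-digest advice above can be combined in one audit over image references, shown here as an added example that is not code from Docker or Aqua Security. The denylist entry, the sample references and the function names are constructed placeholders, since the page does not list the compromised digests.

```python
import re

# Constructed placeholder: the page does not list the compromised digests.
# Replace with the digests published in the vendor advisory.
COMPROMISED = {"sha256:" + "0" * 64}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

def parse_ref(ref):
    """Split 'repo[:tag][@digest]' into (repo, tag, digest)."""
    name, _, digest = ref.strip().partition("@")
    digest = digest.lower()
    if not DIGEST_RE.match(digest):
        digest = None  # absent, malformed, or '<none>'
    # A colon separates a tag only when no '/' follows it; otherwise it is
    # a registry port, as in 'localhost:5000/aquasec/trivy'.
    repo, sep, tag = name.rpartition(":")
    if not sep or "/" in tag:
        repo, tag = name, None
    return repo, (None if tag == "<none>" else tag), digest

def classify(ref, denylist=COMPROMISED):
    """Return 'compromised', 'unpinned' or 'pinned' for one reference."""
    digest = parse_ref(ref)[2]
    if digest is None:
        return "unpinned"  # tag only: the content behind it can change
    return "compromised" if digest in denylist else "pinned"

def audit(refs, repo="aquasec/trivy", denylist=COMPROMISED):
    """Classify every reference to `repo`, with or without a registry prefix."""
    findings = {}
    for ref in refs:
        name = parse_ref(ref)[0]
        if name == repo or name.endswith("/" + repo):
            findings[ref] = classify(ref, denylist)
    return findings

# Constructed sample references (not real digests).
SAMPLE = [
    "aquasec/trivy:latest",
    "aquasec/trivy:0.69.3@sha256:" + "1" * 64,
    "mirror.example:5000/aquasec/trivy@sha256:" + "0" * 64,
    "alpine:3.20",
]

if __name__ == "__main__":
    for ref, verdict in audit(SAMPLE).items():
        print(f"{verdict:<12}{ref}")
```

To audit a local image store, feed it the output of `docker images --digests --format '{{.Repository}}:{{.Tag}}@{{.Digest}}'`. A `pinned` verdict only means the reference carries a digest that is not on the denylist, not that its provenance was verified.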
Docker has implemented measures to address vulnerabilities in the wake of this incident, including the use of Docker Hardened Images (DHI) and Docker Scout to enhance image security and detection capabilities. Aqua Security has also published an incident report on its blog detailing the supply chain attack.
In conclusion, maintaining a proactive approach to container image security and supply chain integrity is crucial in safeguarding against potential cyber threats. By adhering to best practices and staying informed about security incidents, organizations can mitigate risks and fortify their systems against malicious actors.