
We wanted to provide you information about a security incident that we became aware of that affects customers who use the Aqua Security vulnerability scanner (Trivy) across multiple distribution channels, including Docker Hub, GitHub, and npm. Between 18:24 UTC on March 19, 2026 and 01:36 UTC on March 23, 2026, Docker Hub customers who pulled the Trivy images with the 0.69.4, 0.69.5, 0.69.6, and latest tags may have had their CI/CD secrets, cloud credentials, SSH keys, and Docker configurations compromised. Around 08:00 UTC on March 23, 2026, Docker worked with Aqua Security to remove these compromised scanner image versions.
If you downloaded any of these compromised images, you should ensure you are no longer using these images and rotate your affected credentials immediately. This issue was isolated to Aqua Security’s images. The Docker Hardened Images (DHI) version of the Trivy image, Docker’s infrastructure, and other Docker Hub images were not compromised.
What happened
Starting on March 19, 2026 at 18:24 UTC, threat actors compromised Aqua Security’s CI/CD pipeline to push malware into the aquasec/trivy vulnerability scanner images with the 0.69.4 and latest tags on Docker Hub. The infostealer embedded into those images has the potential to exfiltrate CI/CD secrets, cloud credentials, SSH keys, and Docker configurations. Attackers used compromised credentials to push images to Aqua Security’s own repository on Docker Hub through their build system. Since these pushes used Aqua Security’s credentials, they were authenticated by Docker Hub and were indistinguishable from normal Aqua Security activity.
On March 20, 2026 at 03:26 UTC, the attackers re-pointed the latest tag to compromised content after Aqua Security’s initial cleanup.
Another wave of compromised images was uploaded to Docker Hub with the 0.69.5, 0.69.6 and latest tags on March 22. Starting around 08:00 UTC on March 23, Docker became aware of the compromised images and immediately began to investigate.
The images were deleted by the customer (Aqua Security) in the following order, preventing any further downloads from Docker Hub:
- sha256:27f446230c60bbf0b70e008db798bd4f33b7826f9f76f756606f5417100beef3 (tagged with 0.69.4) on Mar 19, 2026 at 22:20 UTC
- sha256:5aaa1d7cfa9ca4649d6ffad165435c519dc836fa6e21b729a2174ad10b057d2b (tagged with 0.69.5) on Mar 23, 2026 at 01:26 UTC
- sha256:425cd3e1a2846ac73944e891250377d2b03653e6f028833e30fc00c1abbc6d33 (tagged with 0.69.6) on Mar 23, 2026 at 01:26 UTC
On Mar 23rd at 15:43 UTC the content of the compromised images was quarantined by Docker, to make them available for internal investigation. Docker reached out to Aqua Security to address the images, confirm credential revocation, and share our findings. Aqua Security was already aware and worked to remove these tags and images from Docker Hub.
The last known clean release is 0.69.3.
Am I affected?
You may be affected if your systems pulled aquasec/trivy between March 19, 18:24 UTC and March 23, 01:36 UTC, specifically if you pulled the tags 0.69.4, 0.69.5, or 0.69.6, or if you pulled the latest tag during the affected period.
How to check your environment
- Look for the compromised digests in your local image store, registry mirrors, or Artifactory/Nexus caches:
  sha256:27f446230c60bbf0b70e008db798bd4f33b7826f9f76f756606f5417100beef3
  sha256:5aaa1d7cfa9ca4649d6ffad165435c519dc836fa6e21b729a2174ad10b057d2b
  sha256:425cd3e1a2846ac73944e891250377d2b03653e6f028833e30fc00c1abbc6d33
- If any of these digests are present, remove that image and ensure the affected systems are running version 0.69.3, which is the last known good version.
- If any of these digests are present, assume credentials on those systems are compromised. As per our current understanding the malware targets:
  - Docker registry tokens (~/.docker/config.json)
  - Cloud provider credentials (AWS, GCP, Azure)
  - SSH keys, Kubernetes tokens, CI/CD secrets
  - Environment variables and .env files
- Rotate all credentials accessible from any system that ran the compromised image. Note that a few common Trivy container setup patterns mount the Docker socket (-v /var/run/docker.sock:/var/run/docker.sock), which grants the container full access to the host’s Docker daemon and effectively root-level access to the node. If you ran a compromised Trivy image with the Docker socket mounted, treat the entire host as compromised.
- Pin to the clean release aquasec/trivy:0.69.3 or wait for a verified new release from Aqua Security.
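As an added example that is not part of this advisory, the following POSIX shell script performs the digest check above on a host or CI runner. It assumes the input is the output of docker image ls --digests with the format string shown in the comment; the script name, the constructed sample lines and the clean-image digest in them are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Docker advisory: match locally known image
# digests against the three compromised aquasec/trivy digests listed above.
# Typical use on a host or CI runner (script name is this example's choice):
#   docker image ls --digests --format '{{.Repository}}:{{.Tag}} {{.Digest}}' \
#       | sh trivy_ioc_check.sh -

# The three compromised manifest digests, copied from the advisory.
COMPROMISED_DIGESTS="
sha256:27f446230c60bbf0b70e008db798bd4f33b7826f9f76f756606f5417100beef3
sha256:5aaa1d7cfa9ca4649d6ffad165435c519dc836fa6e21b729a2174ad10b057d2b
sha256:425cd3e1a2846ac73944e891250377d2b03653e6f028833e30fc00c1abbc6d33
"

# check_digests: reads "<reference> <digest>" lines on stdin, prints every line
# whose digest is on the compromised list, and returns 1 if any matched (so it
# can gate a CI job) or 0 if the input is clean. Locally built images show
# "<none>" as their digest and never match.
check_digests() {
    found=0
    while read -r ref digest _; do
        [ -z "$digest" ] && continue
        for bad in $COMPROMISED_DIGESTS; do
            if [ "$digest" = "$bad" ]; then
                echo "COMPROMISED: $ref $digest"
                found=1
            fi
        done
    done
    return $found
}

# Constructed sample in the shape of the docker image ls output above: one
# compromised Trivy pull, one clean image (placeholder digest) and one local build.
SAMPLE='aquasec/trivy:0.69.4 sha256:27f446230c60bbf0b70e008db798bd4f33b7826f9f76f756606f5417100beef3
alpine:3.19 sha256:0000000000000000000000000000000000000000000000000000000000000000
myapp:dev <none>'

# With "-" as the only argument read the real list from stdin; otherwise run
# against the constructed sample so the script demonstrates itself.
if [ "$1" = "-" ]; then
    check_digests
else
    printf '%s\n' "$SAMPLE" | check_digests
fi || echo "compromised image present: remove it, reinstall 0.69.3 and rotate credentials"
```

The comparison is on the repository digest that docker image ls reports for pulled images, which is the value the advisory lists. Registry mirrors and Artifactory/Nexus caches keep their own manifest stores, so the same three strings need to be searched there with the mirror's own API or search UI; a clean result on a workstation says nothing about the cache that CI runners pull from.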
If you believe you are affected and need assistance, contact Docker Support.
Other ways you may be affected
Trivy was compromised across multiple distribution channels, including Docker Hub images and GitHub. If you consumed Trivy through other channels (such as GitHub Actions; see advisory GHSA-cxm3-wv7p-598c), you should determine whether you may have been affected.
Lessons for the ecosystem
This incident offers lessons on how you can improve the way you consume container images and CI/CD actions:
Mutable tags are not a security boundary. OCI image tags, including latest, are mutable pointers that can be overwritten by anyone with push access. This attack succeeded because the latest tag was silently re-pointed to malicious content multiple times. Organizations should pin images by digest (image@sha256:...) in production and CI/CD pipelines rather than relying on tags alone.
Digest pinning is not sufficient on its own. A pinned digest ensures you pull the same bytes every time; it does not tell you whether those bytes were built by a trusted party from a known source. Where signed provenance attestations are available, organizations should verify them, not just match digests.
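An added example, not from the advisory, of turning the digest-pinning lesson into a policy check: a shell function using awk that lists every image reference in a Dockerfile, Compose file, Kubernetes manifest or GitHub Actions workflow that is selected by a mutable tag (or no tag) instead of a digest. The function name, the set of line shapes it recognizes and the constructed sample input are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Docker advisory: flag image references that
# are not pinned by digest. Function name and samples are this example's own.

# find_unpinned: reads Dockerfile / YAML text on stdin and prints one unpinned
# reference per line. Recognized shapes:
#   FROM [--platform=...] <ref> [AS <stage>]   (Dockerfile; stage aliases and
#                                               "scratch" are not registry pulls)
#   image: <ref>  /  - image: <ref>             (Compose, Kubernetes, GitLab CI)
#   uses: docker://<ref>                        (GitHub Actions)
# A reference counts as pinned only if it ends in @sha256: plus 64 hex chars.
find_unpinned() {
    awk '
    # pinned(ref) is true only for "...@sha256:<64 lowercase hex>"
    function pinned(ref,   p) {
        p = index(ref, "@sha256:")
        if (p == 0) return 0
        ref = substr(ref, p + 8)
        return (ref ~ /^[0-9a-f]+$/ && length(ref) == 64)
    }
    function report(ref) {
        if (ref == "scratch" || (ref in stages)) return
        if (!pinned(ref)) print ref
    }
    { gsub(/"/, "") }                  # drop YAML double quotes; awk re-splits fields
    toupper($1) == "FROM" {
        i = 2
        if ($i ~ /^--platform=/) i++
        report($i)
        if (toupper($(i+1)) == "AS") stages[$(i+2)] = 1
        next
    }
    $1 == "image:"              { report($2); next }
    $1 == "-" && $2 == "image:" { report($3); next }
    $1 == "uses:" && $2 ~ /^docker:\/\// {
        r = $2; sub(/^docker:\/\//, "", r); report(r); next
    }
    $1 == "-" && $2 == "uses:" && $3 ~ /^docker:\/\// {
        r = $3; sub(/^docker:\/\//, "", r); report(r); next
    }
    '
}

# Constructed sample mixing a Dockerfile, a Compose service, a Kubernetes
# container list and a GitHub Actions step. Digests are placeholders.
SAMPLE='FROM aquasec/trivy:latest AS scanner
FROM --platform=linux/amd64 alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS base
FROM scanner
FROM scratch
services:
  trivy:
    image: "aquasec/trivy:0.69.3"
containers:
  - image: nginx
steps:
  - uses: docker://aquasec/trivy@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  - uses: actions/checkout@v4'

# Prints the three unpinned references: aquasec/trivy:latest, aquasec/trivy:0.69.3, nginx
printf '%s\n' "$SAMPLE" | find_unpinned
```

Note that the clean release tag aquasec/trivy:0.69.3 is flagged too: the lesson above is that any tag can be re-pointed, so even a known-good tag should be resolved to its digest once and that digest committed. The check deliberately rejects short or mixed-case digest strings, which would otherwise pass a naive "contains @sha256:" test.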
Supply chain integrity requires more than scanning. Trivy is a vulnerability scanner, a tool organizations deploy to improve supply chain security. The compromise had nothing to do with a vulnerability in the CVE sense. No software bug was exploited in the Trivy codebase. The attacker stole publishing credentials and used them to push malicious content through a trusted distribution channel. A scanner examining the compromised image would have had no reason to flag it, because the attack was in the publishing process, not the dependency graph. Scanning tells you about known vulnerabilities in image content. It does not tell you whether the image was built by the party you trust, from the source you expect.
Secret rotation must be atomic. When responding to a compromise, revoke all credentials simultaneously before issuing replacements. Partial rotation can leave windows for re-exploitation.
What Docker is doing beyond incident response
The properties that made this attack possible, such as mutable references, unverifiable provenance, and trust rooted in credentials rather than build systems, are all problems we have been working on. Here is where that work applies to this incident:
Docker Hardened Images (DHI): The Trivy compromise was possible because a single stolen push token gave the attacker the ability to overwrite trusted image tags on a public registry. For images in the Docker Hardened Images catalog, this class of attack does not apply. Docker rebuilds those images from source in a hermetic build environment rather than pulling and republishing upstream binaries. Each image carries signed provenance attestations that allow consumers to verify who built it, when, and from what source. When the compromise was identified, our team locked DHI builds of Trivy to prevent any auto-update to the compromised upstream release. The exposure was limited to users pulling aquasec/trivy directly from Docker Hub.
Docker Scout: Scout can surface whether any of the three compromised digests listed above are present across your repositories, including in registry mirrors or artifact caches that may have retained copies pulled during the exposure window.
Other resources
Aqua has also published their own incident report at aquasec.com/blog.