Signal

Trivy supply chain attack spreads infostealer via Docker amid TeamPCP’s wiper campaign in Iran


Published 2026-03-23 08:31 UTC · Updated 2026-03-23 15:43 UTC
cve · exploits · malware · threat_actors · incident_response · security_tooling
Evidence trail (top sources)
Top sources (4 domains). Domains are deduped. Counts indicate coverage, not truth.
4 top sources shown
‘CanisterWorm’ Springs Wiper Attack Targeting Iran
krebsonsecurity · News · krebsonsecurity.com · 2026-03-23 15:43 UTC
Overview

The Trivy vulnerability scanner was compromised through a supply chain attack involving malicious Docker images (versions 0.69.4 to 0.69.6) that distributed the TeamPCP infostealer malware, impacting CI/CD environments.

  • Score total: 1.49
  • Momentum 24h: 4
  • Posts: 4
  • Origins: 4
  • Source types: 1
  • Duplicate ratio: 0%
Why now
  • Malicious Trivy Docker images were recently removed, indicating ongoing active exploitation.
  • TeamPCP’s CanisterWorm campaign against Iran emerged just this past weekend, highlighting a new wave of destructive cyberattacks.
  • The convergence of supply chain compromise and targeted wiper attacks signals increasing sophistication of cybercrime groups.
Why it matters
  • Supply chain attacks on widely used security tools like Trivy can compromise developer environments and CI/CD pipelines.
  • TeamPCP’s use of cloud infrastructure exploits and wiper malware represents a growing threat to organizations in geopolitically sensitive regions.
  • Understanding these tactics aids in improving cloud security posture and incident response readiness.
LLM analysis
Recurring claims
  • Trivy Docker images versions 0.69.4 to 0.69.6 were compromised and distributed TeamPCP infostealer malware.
  • TeamPCP launched CanisterWorm, a worm that wipes data on Iranian systems by exploiting cloud infrastructure vulnerabilities.
How sources frame it
  • The Hacker News: neutral
  • Krebsonsecurity: neutral
All evidence
‘CanisterWorm’ Springs Wiper Attack Targeting Iran
krebsonsecurity · krebsonsecurity.com · 2026-03-23 15:43 UTC
Trivy Supply Chain Attack Expands With New Compromised Docker Images
Infosecurity Magazine · infosecurity-magazine.com · 2026-03-23 15:05 UTC
Aqua’s Trivy Vulnerability Scanner Hit by Supply Chain Attack
SecurityWeek · securityweek.com · 2026-03-23 13:40 UTC
Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper
The Hacker News · thehackernews.com · 2026-03-23 08:31 UTC
Top publishers (this list)
  • krebsonsecurity (1)
  • Infosecurity Magazine (1)
  • SecurityWeek (1)
  • The Hacker News (1)
Top origin domains (this list)
  • krebsonsecurity.com (1)
  • infosecurity-magazine.com (1)
  • securityweek.com (1)
  • thehackernews.com (1)