March 19, 2026. That’s the date when one of the most trusted tools in cloud security became a weapon against the very teams using it to stay safe.
Aqua Security’s Trivy vulnerability scanner—a tool millions of developers rely on to find security holes in their code—was compromised in a supply chain attack that affected virtually all versions of the software. The attackers, a group calling themselves “TeamPCP,” managed to inject credential-stealing malware directly into official releases.
Let me be clear about what this means: if you’ve been running Trivy to scan your containers and applications for vulnerabilities, there’s a solid chance you’ve also been running malware designed to steal your credentials.
The Irony Isn’t Lost on Anyone
I’ve tested dozens of security scanners for this site, and Trivy has always been one of the tools I recommend without hesitation. It’s open-source, actively maintained, and does exactly what it promises. Or at least, it did.
The attack highlights something I’ve been warning about for years: we’ve built an entire security ecosystem on trust. We trust our package managers, our base images, our scanning tools. We trust that the software we use to find vulnerabilities isn’t itself vulnerable. That trust just got shattered.
What makes this particularly nasty is the target selection. Trivy isn’t some obscure tool used by a handful of companies. It’s integrated into CI/CD pipelines across thousands of organizations, and a scanner step inherits whatever its CI job holds: registry tokens, repository credentials, and often production secrets passed in as environment variables. Anything malicious running inside that step inherits them too. In other words, it’s the perfect vector for a supply chain attack.
What Actually Happened
Based on the available information, TeamPCP managed to compromise the Trivy distribution chain and inject malicious code into the scanner itself. The malware was designed to steal credentials—exactly the kind of sensitive data that security tools routinely access during their normal operation.
The attack was discovered on March 19, 2026, but we don’t yet know how long the compromised versions were in circulation before detection. That’s the terrifying part. Your security scanner could have been exfiltrating credentials for days, weeks, or longer before anyone noticed.
The Bigger Picture
This isn’t an isolated incident. Supply chain attacks have become the preferred method for sophisticated threat actors because they’re efficient. Why break into a thousand companies individually when you can compromise one tool that all thousand companies use?
We saw it with SolarWinds. We saw it with Codecov. We saw it with ua-parser-js and countless npm packages. Now we’re seeing it with security tools themselves. The pattern is clear: nothing is sacred, and the tools we use to protect ourselves are increasingly becoming the tools used to attack us.
What This Means for Your Toolkit
I’ve spent years testing and reviewing AI and security toolkits for this site. After this incident, I’m rethinking my entire evaluation framework. It’s no longer enough to ask “does this tool work?” We need to ask “can this tool be weaponized against us?”
For Trivy specifically, Aqua Security will need to rebuild trust from the ground up. That means transparent incident reports, clear timelines, and concrete evidence of how they’re preventing this from happening again. Until then, teams using Trivy need to assume compromise and act accordingly.
Check your CI logs and pin down exactly which Trivy versions ran, where, and when. Rotate every credential that was present in the environment of a job that executed one of those versions, starting with registry, cloud, and source-control tokens. Review access patterns on those accounts for anything unusual in that window. And maybe most importantly, reconsider how much trust you’re placing in any single tool, no matter how reputable.
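One concrete way to reduce that trust, and to know precisely what a pipeline ran when an incident like this is announced, is to refuse mutable references to third-party tooling in CI. The script below is an added example for this post, not code from Aqua Security or the Trivy project. It audits GitHub Actions workflow text and reports every `uses:` reference that is not pinned to an immutable identifier (a 40-character commit SHA for actions, an `@sha256:` digest for container images). The sample workflow, the commit SHA in it, and the `pin_problem`/`audit_workflow` function names are constructed for illustration.

```python
"""Audit GitHub Actions workflow text for third-party references that are not
pinned to an immutable identifier (commit SHA or image digest).

Added example for this post, not code from Aqua Security or the Trivy project.
The sample workflow below is constructed; the commit SHA in it is a placeholder.
"""
import re
from typing import List, NamedTuple

# Constructed sample: a mix of pinned, mutable, and local references.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@master
        with:
          image-ref: ghcr.io/example/app:latest
      - uses: docker://aquasec/trivy:latest
      - uses: ./.github/actions/local-helper
"""

# A full 40-hex-character git commit SHA; a tag or branch name never matches.
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
# `uses:` lines, with or without a leading list dash, optionally quoted.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")


class Finding(NamedTuple):
    line: int
    ref: str
    reason: str


def pin_problem(ref: str) -> str:
    """Return '' if `ref` is immutably pinned, else a short reason it is not."""
    if ref.startswith("./"):
        return ""  # local action, versioned with the repository itself
    if ref.startswith("docker://"):
        # Container images are immutable only when addressed by digest.
        return "" if "@sha256:" in ref else "image tag instead of @sha256 digest"
    if "@" not in ref:
        return "no ref at all (resolves to the action's default branch)"
    _, _, version = ref.rpartition("@")
    if SHA1_RE.fullmatch(version):
        return ""
    return f"mutable tag or branch '{version}' instead of a commit SHA"


def audit_workflow(text: str) -> List[Finding]:
    """Scan workflow text line by line; report every `uses:` that is not pinned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        reason = pin_problem(ref)
        if reason:
            findings.append(Finding(lineno, ref, reason))
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.ref}: {f.reason}")
```

Run against the constructed sample it flags the `@master` action and the `:latest` image while accepting the SHA-pinned checkout and the local action. Pinning freezes what the pipeline executes and lets you match an exact revision against an incident timeline; it does not prove that revision is clean. Verify the release artifact's checksum or signature before adopting a new pin, and give the scan job only the credentials it actually needs.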
The Uncomfortable Truth
Security tools are software. Software has vulnerabilities. And vulnerabilities get exploited. We can’t scan our way to perfect security when the scanners themselves are compromised.
The Trivy incident is a wake-up call. Not just for Aqua Security, but for everyone building, distributing, and using security tools. The supply chain is the attack surface now, and we’re all exposed.