Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper
24.03.2026

Trivy supply chain attack pushed malicious Docker images on March 22, enabling credential theft and worm spread, impacting cloud environments.
Trivy Supply Chain Attack: Docker Images Go Rogue
Yikes — a major supply chain attack hit Trivy on March 22, pushing malicious Docker images that steal credentials and spread like wildfire. This isn't just a data leak; it's a full-blown cloud nightmare with worm capabilities and Kubernetes wipers in the mix.
The attack leveraged compromised Docker images to deploy infostealers, siphoning off sensitive credentials from cloud environments. Once inside, the malware acts like a worm, self-propagating across networks and even triggering destructive wipers in Kubernetes clusters.

Key details: The malicious images were distributed via Trivy's official channels, making them look legit. Attackers used this to bypass security checks and embed malware that exfiltrates data to remote servers. The worm component scans for vulnerable containers and Kubernetes nodes, spreading laterally and deploying wipers that can wipe entire clusters.
- Attack date: March 22, 2026
- Vector: Docker images via Trivy supply chain
- Primary payload: Infostealer for credential theft
- Secondary payload: Worm for lateral movement
- Tertiary payload: Kubernetes wiper for destruction
- Impact: Cloud environments, DevOps pipelines, and containerized infrastructure
This is a stark reminder that even trusted open-source tools like Trivy aren't immune to compromise. The attack highlights critical vulnerabilities in container security and the cascading effects of supply chain breaches in modern cloud-native setups.
If you're running Trivy or similar container scanning tools, check your images ASAP. Verify hashes, audit your pipelines, and assume breach — because in this game, one compromised image can take down your entire stack.
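One way to start that pipeline audit, as an added example that is not from the original article or the Trivy project: a small Python check that finds `image:` references in manifests and CI YAML and flags anything not pinned to a digest you have verified yourself. The `aquasec/trivy` repository key, the allowlist layout and the digests are assumptions and constructed placeholders; substitute values you have confirmed independently.

```python
import re

GOOD = "sha256:" + "a" * 64   # constructed placeholder, not a real Trivy digest
OTHER = "sha256:" + "b" * 64  # constructed placeholder for an unreviewed digest
TRUSTED = {"aquasec/trivy": {GOOD}}  # assumed allowlist: repository -> digests you verified

# Matches `image: <ref>` lines in Kubernetes manifests, Compose files and CI YAML.
IMAGE_LINE = re.compile(r"^[ \t]*(?:-[ \t]*)?image:[ \t]*[\"']?([^\s\"'#]+)", re.MULTILINE)
DIGEST = re.compile(r"sha256:[0-9a-f]{64}")

def split_ref(ref):
    """Split an image reference into (repository, tag, digest)."""
    name, _, digest = ref.partition("@")
    tag = None
    # Only a colon after the last slash is a tag; earlier colons are registry ports.
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    for prefix in ("index.docker.io/", "docker.io/"):  # Docker Hub aliases
        name = name.removeprefix(prefix)
    return name, tag, digest or None

def audit(yaml_text, trusted=TRUSTED):
    """Return (reference, status) for every image reference found."""
    findings = []
    for ref in IMAGE_LINE.findall(yaml_text):
        repo, _tag, digest = split_ref(ref)
        if digest is None:
            status = "UNPINNED"           # a tag can be re-pointed at another image
        elif not DIGEST.fullmatch(digest):
            status = "MALFORMED_DIGEST"
        elif repo not in trusted:
            status = "PINNED_UNREVIEWED"  # immutable, but nobody vetted this digest
        elif digest in trusted[repo]:
            status = "OK"
        else:
            status = "UNTRUSTED_DIGEST"   # pinned to a digest outside the allowlist
        findings.append((ref, status))
    return findings

# Constructed sample manifest fragment.
SAMPLE = f"""
containers:
  - name: a
    image: aquasec/trivy:latest
  - name: b
    image: docker.io/aquasec/trivy@{GOOD}
  - image: "aquasec/trivy:example-tag@{OTHER}"
  - image: registry.example.com:5000/tools/scanner@{OTHER}
"""
```

Run `audit()` over every manifest and pipeline file in the repository and treat anything other than `OK` as needing review; a tag-only reference such as `:latest` is the case where a republished image gets pulled without any change on your side.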

