How TeamPCP turned Aqua Security's own Trivy scanner into a weapon against millions of developers
2 Articles
How TeamPCP turned Aqua Security's own Trivy scanner into a weapon against millions of developers
Open source is under attack with a new wave of supply chain attacks. It has been a bad, bad few weeks for open-source security. It all started on March 19, 2026, with a severe supply chain attack on the Aqua Security Trivy vulnerability scanner, in which the hackers, TeamPCP, repeatedly compromised the project’s continuous integration and delivery (CI/CD) pipeline and GitHub repositories. Once in, the attackers trojanized Trivy binaries and act…
CISA Adds Aquasecurity Trivy Scanner Vulnerability to KEV Catalog
CISA has officially added a critical vulnerability affecting Aquasecurity’s Trivy scanner to its Known Exploited Vulnerabilities (KEV) catalog. Tracked as CVE-2026-33634, this alarming security flaw poses a severe risk to software development pipelines. By exploiting this vulnerability, threat actors can gain unauthorized access to highly sensitive Continuous Integration and Continuous Deployment (CI/CD) environments. Organizations relying on Tr…
Coverage Details
Bias Distribution
- 100% of the sources are Center