Find notable cyber news and cases, enriched with sources, timelines, and signals.

Aqua Security hit by data theft breach

Incident
First reported
Last updated
Happening score
H score 37
2 unique sources, 3 articles

Summary

Hide ▲

The Aqua Security Trivy incident involved a supply-chain compromise that delivered a credential-stealing infostealer through trusted releases and GitHub Actions. Attackers altered tag and release paths in aquasecurity/trivy-action and aquasecurity/setup-trivy, and Aqua also tied a related Trivy 0.69.4 compromise to unauthorized activity and fallback exfiltration to scan.aquasecurtiy[.]org. The broader campaign expanded on March 22, 2026 with trojanized Docker Hub images for 0.69.4, 0.69.5, and 0.69.6 and public defacement of Aqua repositories under the tpcp-docs- prefix. Wiz later reported that TeamPCP was trying to monetize stolen secrets such as cloud credentials, SSH keys, and Kubernetes configuration files, adding downstream account-takeover and cloud-compromise risk.

Related Happenings

Codfish/semantic-release-action hit by network compromise

Incident
H score21 First: 26.06.2026 14:05 Last: 26.06.2026 14:05 Sources 1

About this happening: The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...

Megalodon GitHub CI/CD supply-chain campaign

Campaign
H score50 First: 22.05.2026 14:55 Last: 22.05.2026 14:55 Sources 1

About this happening: The **Megalodon** campaign pushed **5,718 malicious commits** into **5,561 GitHub repositories** in about **six hours**, creating a broad **CI/CD secret-theft** risk across develo...

GitHub hit by network compromise

Incident
H score42 First: 20.05.2026 07:01 Last: 20.05.2026 07:01 Sources 1

About this happening: GitHub is investigating unauthorized access to its internal repositories after a third party allegedly offered stolen material for sale on a cybercrime forum. The intrusion was li...

Latest development: 20.05.2026 13:45

GitHub detected unauthorized access tied to a poisoned Visual Studio Code (VS Code) extension on an employee device, removed the malicious extension version, isolated the endpoint, and began incident response to contain exposure across internal repositories.

Actions-cool/issues-helper hit by network compromise

Incident
H score45 First: 19.05.2026 08:28 Last: 19.05.2026 08:28 Sources 1

About this happening: The **actions-cool/issues-helper** GitHub Actions supply-chain compromise let malicious tags run in **CI/CD pipelines**, causing **credential theft** and downstream account risk....

TeamPCP campaign expands across multiple victims

Campaign
H score49 First: 15.05.2026 13:54 Last: 15.05.2026 13:54 Sources 1

About this happening: The **TeamPCP / Mini Shai-Hulud** supply-chain operation is actively compromising **hundreds of packages**, exposing **downstream developers** to **malware delivery** and **creden...

Timeline

  1. 23.03.2026 10:31 2 articles · 3mo ago

    TeamPCP expands Trivy campaign with Docker Hub images and Aqua repo defacement

    Campaign Scope Update

    TeamPCP broadened the Trivy supply-chain compromise by pushing trojanized Docker Hub images for Trivy 0.69.4, 0.69.5, and 0.69.6 on March 22, 2026, then defacing all 44 internal repositories in Aqua Security's aquasec-com GitHub organization by renaming them with the tpcp-docs- prefix, setting descriptions to "TeamPCP Owns Aqua Security," and exposing them publicly.

    Show sources
  2. 20.03.2026 19:47 1 articles · 3mo ago

    Trivy GitHub Actions compromise disclosed

    Initial Disclosure

    Aqua Security's Trivy supply-chain compromise was disclosed after attackers force-pushed 75 of 76 version tags in aquasecurity/trivy-action and seven aquasecurity/setup-trivy tags to malicious commits that delivered a Python infostealer in GitHub Actions runners. The payload targeted CI/CD secrets including SSH keys, cloud credentials, database credentials, Git and Docker configurations, Kubernetes tokens, and cryptocurrency wallets, while a related aquasecurity/trivy release version 0.69.4 also pulled secrets from the runner and could fall back to staging stolen data in the public repository tpcp-docs.

    Show sources