Commissioned, Curated and Published by Russ. Researched and written with AI.
On March 22, 2026, all 44 repositories in the aquasec-com GitHub organization were simultaneously renamed and defaced. Every repo received the prefix tpcp-docs- and the description “TeamPCP Owns Aqua Security.” According to researchers at OpenSourceMalware.com, the entire operation took roughly two minutes.
This is a direct escalation of the Trivy supply chain breach. The attacker – operating under the TeamPCP alias – had already compromised Trivy’s GitHub Actions pipeline to steal credentials from CI systems. The defacement represents what happens when a stolen credential with admin-level access is left alive long enough to be weaponized at scale.
The Attack Chain
The aquasec-com org (GitHub ID 203123164, created March 2025) is not Aqua Security’s well-known open-source org aquasecurity (ID 12783832, created 2015, 219 public repos). OpenSourceMalware researchers describe aquasec-com as Aqua’s internal org for proprietary code – making the exposure more damaging than a public-repo defacement would be.
Investigators traced the breach to a compromised service account named Argon-DevOps-Mgt, which held admin access across multiple organizations. Hours before the defacement, the attacker tested the stolen token: creating a branch, then immediately deleting it – confirming write access while minimizing detectable activity. Seven hours later, the main attack ran. A scripted sequence of API calls renamed and redescribed all 44 repositories in about two minutes. The activity remained largely invisible in standard logs.
Why Long-Lived Tokens Keep Losing
The Argon-DevOps-Mgt account relied on a long-lived access token. That is the single most common thread in credential-based supply chain attacks: not a zero-day, not a sophisticated bypass, but a token that was never rotated. Long-lived tokens accumulate risk over time. The longer they exist, the more places they get copied – CI configs, environment variables, engineer laptops, third-party integrations.
Once TeamPCP had the token – likely captured via the compromised Trivy GitHub Actions workflow – they had everything they needed. The admin scope meant no privilege escalation was required. The test-and-execute pattern (branch creation hours before the main attack) suggests operational discipline, not opportunism. They confirmed access, waited, then moved.
What Is Actually Compromised
The defacement itself is recoverable. GitHub org metadata can be reverted. The deeper problem is what else was accessible to that service account. The breach exposed internal code, tools, and infrastructure across Aqua’s proprietary org. According to the researchers, any secrets stored in those repositories – tokens, API keys, deployment credentials – should now be considered compromised.
That scope matters. Aqua Security builds security tooling that is embedded in CI/CD pipelines across the industry. If the attacker extracted credentials from internal repositories, the blast radius extends well beyond Aqua’s own infrastructure.
TeamPCP’s Trajectory
TeamPCP – also tracked as DeadCatx3, PCPcat, ShellForce, and CanisterWorm – is a cloud-native threat actor active throughout 2025 and 2026. Their capabilities span Docker API and Kubernetes exploitation, supply chain attacks, ransomware, cryptomining, and self-propagating worms. The progression from compromising a GitHub Actions workflow to defacing an internal org’s 44 repositories in a single automated run represents a clear escalation in operational maturity.
What started as malicious Trivy images on Docker Hub (versions 0.69.4 through 0.69.6, since removed) has become a multi-stage campaign with confirmed access to Aqua’s internal infrastructure. The defacement is theatrical – naming 44 repositories is a statement. But the real concern is what the attacker chose not to make visible.
What to Do
If your CI/CD pipeline uses Trivy, audit which versions you are pulling and from where. Pin to specific image digests rather than mutable tags. If you ran Trivy versions 0.69.4 through 0.69.6 from Docker Hub, treat those containers as potentially compromised.
Rotate any service account tokens that carry admin scope across multiple repositories – particularly long-lived ones. Audit org-level permissions. A single admin token with write access across an entire GitHub org is not a CI/CD requirement. It is a blast radius waiting to fire.
The two-minute defacement window is not the threat. The seven-hour quiet window before it is.