PULSE NAME
Trivy Compromised: Everything You Need to Know about the Latest Supply Chain Attack
WHITE Teampcp PetrP.73 2026-03-24 Modified: 2026-04-23
97 IOCs (HIGH VOLUME)
On March 19, 2026, a sophisticated supply chain attack was conducted against Aqua Security's Trivy vulnerability scanner, resulting in the injection of credential-stealing malware across several components of the Trivy project, including the core scanner and its GitHub Actions. The threat actor, identified as TeamPCP, executed the attack by making fraudulent commits and pushing malicious versions of the Trivy repository, specifically tagging v0.69.4. This led to the distribution of compromised binaries and scripts through GitHub Releases, Docker Hub, and other channels.
Indicators of Compromise (1 / 97 total)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-MD5 805c08686e755c063a0bb460bdf9dcc4 MD5 of 822dd269ec10459572dfaaefe163dae693c344249a0161953f0d5cdd110bd2a0 2026-03-24