On March 22, 2025, Aqua Security detected unauthorized Docker image tags for Trivy—their widely-used container vulnerability scanner—appearing without corresponding GitHub releases. The investigation revealed that TeamPCP, a hacking group, had compromised a service account and gained complete access to Aqua's GitHub repositories. This breach exposed critical gaps in token lifecycle management and authentication controls that many DevOps teams face.
What Happened
TeamPCP compromised a service account named Argon-DevOps-Mgt, gaining unauthorized access to Aqua Security's GitHub organization. The attackers pushed two malicious Docker image tags—0.69.5 and 0.69.6—to Trivy's registry on March 22. The last legitimate Trivy release was 0.69.3. The unauthorized images appeared in Docker Hub without corresponding source code releases or Git tags in the official repository, triggering Aqua's detection.
The attackers achieved full repository access through a single compromised token. No multi-factor authentication protected the service account, and there was no token rotation policy to limit the credential's lifetime. The service account held organization-wide permissions rather than scoped access to specific repositories.
Timeline
March 22, 2025 (Time Unknown): TeamPCP gains access via compromised Argon-DevOps-Mgt service account.
March 22, 2025: Attackers push unauthorized Docker images tagged 0.69.5 and 0.69.6 to Trivy registry.
March 22, 2025: Aqua Security detects discrepancy between Docker image tags and GitHub releases.
Post-Detection: Aqua Security initiates incident response, revokes compromised credentials, and begins forensic analysis.
The speed of compromise—from initial access to malicious image publication—demonstrates how quickly a single credential failure can affect your supply chain.
Which Controls Failed or Were Missing
No Multi-Factor Authentication on Service Accounts: The Argon-DevOps-Mgt account used a static token without additional authentication factors. Anyone with the token gained full access.
Excessive Token Permissions: The service account held organization-level access rather than repository-specific permissions. A token scoped to CI/CD operations should not grant write access to all repositories.
No Token Rotation Policy: The compromised token had no expiration date or automated rotation schedule. Long-lived credentials create expanding attack windows.
Insufficient Monitoring for Anomalous Publishing Activity: The system allowed Docker image publication without corresponding Git tags or releases. This mismatch should have triggered immediate alerts.
Missing Pre-Commit Verification: No automated check prevented Docker images from being published without matching source code commits and version tags in the repository.
What the Standards Require
NIST 800-53 Rev 5 IA-2(1) requires multi-factor authentication for network access to privileged accounts. Service accounts performing CI/CD operations qualify as privileged—they write to production repositories and publish artifacts consumed by thousands of downstream users.
NIST 800-53 Rev 5 IA-5(7) mandates that authenticators have a defined lifetime. Your tokens should expire. The control specifically addresses unattended systems and automated processes—exactly the context where service accounts operate.
ISO 27001 Annex A.9.2.1 (Access provisioning) requires that access rights be granted according to the principle of least privilege. Organization-wide write access violates this requirement. Your CI/CD service account needs write access to specific repositories during release workflows, not blanket permissions across your entire codebase.
SOC 2 Type II CC6.1 (Logical and Physical Access Controls) requires that the entity implements logical access security measures to protect against threats from sources outside its system boundaries. This includes monitoring for unauthorized changes to code repositories and published artifacts.
PCI DSS v4.0.1 Requirement 7.2.2 states that access is assigned based on job classification and function, limited to least privileges necessary. Even if you're not processing payment data, this principle applies: your build account shouldn't have the same permissions as your security team.
Lessons and Action Items for Your Team
Implement MFA for All Service Accounts: GitHub, GitLab, and Azure DevOps all support device-based authentication flows for service accounts. Configure your CI/CD runners to use OIDC tokens with short lifetimes rather than static personal access tokens. This eliminates the "token in a config file" vulnerability entirely.
Scope Every Token to Specific Repositories: Review your service account permissions today. If a token shows "Full control of repositories" or organization-level access, you're overprovisioned. Create separate tokens for separate workflows: one for building Trivy, another for publishing documentation, a third for dependency updates. Each should access only the repositories it needs.
Set Token Expiration to 90 Days Maximum: Shorter is better. Some teams rotate weekly. Your automation should handle token refresh automatically—if it can't, that's a separate problem to solve. Document your rotation schedule and set calendar reminders until automation is in place.
Monitor for Publish/Release Mismatches: Write a daily check that compares your Docker registry tags against Git tags. Alert when new images appear without corresponding source releases. This detection method is what caught the Aqua breach—make it automatic.
Require Signed Commits for Release Workflows: Configure branch protection rules that require GPG-signed commits before any CI/CD workflow can publish artifacts. This prevents an attacker with repository access from triggering malicious builds.
Log and Alert on Permission Changes: Any modification to service account permissions should generate an immediate alert to your security team. These changes are rare in normal operations—they're bright red flags during an attack.
The Aqua Security breach demonstrates that your repository security is only as strong as your weakest service account. Review your token inventory this week. The attackers already know which accounts lack MFA.
