Urgent: Docker Supply Chain Attack & Critical Vulnerabilities Demand Imm…

The Unfolding Threat: Docker Supply Chain Under Attack

In the rapidly evolving landscape of containerized applications, the integrity of our software supply chain is paramount. Today, we face a stark reminder of this critical dependency: a sophisticated supply chain attack has compromised official images of Aqua Security’s widely-used Trivy vulnerability scanner on Docker Hub. This incident, unfolding between March 19 and March 23, 2026, saw malicious versions of Trivy injected with an infostealer, capable of exfiltrating sensitive CI/CD secrets, cloud credentials, SSH keys, and Docker configurations. For every engineer leveraging Docker Hub in their development and deployment pipelines, this is not merely news—it’s an urgent call to action.

Compounding this immediate threat, Docker has also recently rolled out Docker Desktop 4.66.0, which includes critical security patches for CVE-2026-2664 and CVE-2026-28400. These vulnerabilities, affecting core components of Docker Desktop, underscore the ongoing need for vigilance and timely updates. As senior technology analysts, our role is to dissect these events, provide deep technical insights, and equip engineering teams with actionable strategies to safeguard their containerized ecosystems.

Background Context: The Anatomy of a Supply Chain Compromise

Aqua Security’s Trivy is an indispensable tool for many DevOps and security teams, providing comprehensive vulnerability scanning for container images, file systems, and Git repositories. Its integration into CI/CD pipelines is a standard practice for ensuring code and image security before deployment. Docker Hub, as the world’s largest library and community for container images, serves as a central distribution point for countless applications and tools, including Trivy itself.

The recent attack originated with the compromise of Aqua Security’s CI/CD pipeline. Threat actors, identified as TeamPCP, leveraged stolen credentials to push backdoored versions of the aquasec/trivy vulnerability scanner to Docker Hub. These malicious images were uploaded with tags 0.69.4, 0.69.5, 0.69.6, and the highly critical latest tag, making them appear as legitimate updates. This type of attack, where trusted software is tampered with at its source, represents one of the most insidious threats to modern software development, directly undermining the trust developers place in public registries.

Docker, upon becoming aware of the compromised images around 08:00 UTC on March 23, 2026, promptly investigated and worked with Aqua Security to remove the malicious versions. However, the window of exposure for users who pulled these images between March 19, 2026, at 18:24 UTC, and March 23, 2026, at 01:36 UTC, is significant.

Deep Technical Analysis: Vulnerabilities and Attack Vectors

Trivy Supply Chain Attack: The Infostealer Threat

The core of the Trivy compromise lies in the embedded infostealer malware. This malicious payload was designed to target and exfiltrate highly sensitive information crucial to CI/CD operations and cloud infrastructure. Specifically, it sought CI/CD secrets, cloud credentials, SSH keys, and Docker configurations. The nature of the attack, leveraging Aqua Security’s own credentials to push images to their official repository, highlights a critical weakness in many supply chain models: reliance on credential security and on tags that consumers treat as immutable. Docker Hub tags are convenient, but they are not immutable, so a tag such as latest can be repointed to a compromised image, as occurred in this incident. The last known clean release of Trivy is 0.69.3.

Docker Desktop 4.66.0: Addressing Core Platform Vulnerabilities

Concurrent with the supply chain incident, Docker Desktop has released version 4.66.0, incorporating crucial security fixes. This release updates the Docker Engine to v29.3.0 and the NVIDIA Container Toolkit to v1.19.0. More importantly, it addresses two significant CVEs:

  • CVE-2026-2664: Out-of-Bounds Read in grpcfuse Kernel Module. This vulnerability, present in the Linux VM within Docker Desktop for Windows, Linux, and macOS, affects versions up to and including 4.61.0. It involves an insufficient boundary check when processing input written to /proc/docker entries, allowing local attackers to cause an out-of-bounds read. While initially categorized with a high confidentiality impact, the potential for information disclosure from kernel memory regions makes this a significant privilege escalation concern.
  • CVE-2026-28400: Runtime Flag Injection in Docker Model Runner. This flaw impacts Docker Model Runner (DMR) versions prior to 1.0.16, which is enabled by default in Docker Desktop since version 4.46.0. DMR exposes an unauthenticated POST /engines/_configure endpoint that accepts arbitrary runtime flags. An attacker with network access to the Model Runner API can inject the --log-file flag, enabling the writing or overwriting of arbitrary files accessible to the Model Runner process. In specific configurations, this can be converted into a container escape, allowing an attacker to break out of the containerized environment.

The Docker Engine v29.3.0 update, bundled with Desktop 4.66.0, also introduces foundational architectural changes for Linux users running Docker Engine directly on their hosts. These include the Containerd image store becoming the default for new installations, an increased minimum API version (v1.44), and experimental support for NFTables. These changes aim to simplify architecture, improve ecosystem alignment, and enhance future-proofing for Docker Engine.

Practical Implications for Development and Infrastructure Teams

The immediate and long-term implications of these events are substantial:

  • Compromised Credentials: Any CI/CD pipeline or local development environment that pulled Trivy images with tags 0.69.4, 0.69.5, 0.69.6, or latest between March 19 and March 23, 2026, must assume its credentials (CI/CD secrets, cloud credentials, SSH keys, Docker configurations) are compromised. This necessitates immediate credential rotation and a thorough audit of any systems that might have been accessed using these credentials.
  • Supply Chain Vulnerability: This incident highlights the inherent risks of relying solely on public registries and mutable tags. It reinforces the need for robust supply chain security practices beyond just scanning for known CVEs within an image.
  • Local Environment Security: The CVEs in Docker Desktop demonstrate that even local development environments are targets. Privilege escalation and container escape vulnerabilities can provide attackers with a foothold into developer machines or underlying host systems.

Best Practices and Mitigation Strategies

Immediate Action for Trivy Users:

  1. Verify Image Digests: Do not rely on image tags alone. Always verify the SHA256 digest of your Trivy images against known clean versions.
  2. Rollback/Update: Revert to Trivy version 0.69.3 or ensure you are using a verified clean version released after the incident. Aqua Security has worked to remove compromised images, but verification is key.
  3. Credential Rotation: Immediately rotate all CI/CD secrets, cloud credentials, SSH keys, and Docker authentication tokens that could have been exposed if you pulled the compromised Trivy images.
  4. Audit Access: Review audit logs for any suspicious activity on your cloud accounts or CI/CD systems during the exposure window.

General Docker Security Best Practices:

  1. Update Docker Desktop: Promptly update to Docker Desktop 4.66.0 or newer to mitigate CVE-2026-2664 and CVE-2026-28400.
  2. Enable Enhanced Container Isolation (ECI): For Docker Desktop users, enabling ECI can block container access to Model Runner, preventing exploitation of CVE-2026-28400.
  3. Implement Docker Content Trust (DCT): Utilize DCT to cryptographically sign and verify images, ensuring that only trusted images are pulled and run. This helps prevent tampering and ensures image integrity from source to deployment.
  4. Least Privilege in CI/CD: Ensure your CI/CD pipelines operate with the absolute minimum necessary permissions. Limit the scope of credentials and access tokens.
  5. Regular Image Scanning: While Trivy itself was compromised, the principle of continuous vulnerability scanning remains crucial. Integrate robust scanners into your pipeline to detect known vulnerabilities in your application images.
  6. Monitor Docker Hub Activity: For organizations, monitor Docker Hub for unusual activity, especially pushes to critical repositories.
  7. Immutable Tags/Digests: Wherever possible, pin your Docker images by their immutable SHA256 digests rather than mutable tags like latest. This ensures reproducibility and prevents unexpected malicious updates.
  8. Network Segmentation: Isolate build environments and production environments to limit the blast radius of any compromise.
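
The following sketch supports the "Audit Access" and "Immutable Tags/Digests" items above. It is an added example, not code from Aqua Security or Docker: it flags aquasec/trivy references that are not pinned by digest and picks out pull events that used an affected tag inside the exposure window. The tags and window come from this article; the function names, the event format and the sample data are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# From the article: affected tags and the exposure window (UTC).
AFFECTED_TAGS = {"0.69.4", "0.69.5", "0.69.6", "latest"}
WINDOW = (datetime(2026, 3, 19, 18, 24, tzinfo=timezone.utc),
          datetime(2026, 3, 23, 1, 36, tzinfo=timezone.utc))
# Docker Hub reference to aquasec/trivy with optional registry host, tag and digest.
TRIVY_REF = re.compile(r"(?:(?:index\.)?docker\.io/)?aquasec/trivy"
                       r"(?::(?P<tag>[\w.-]+))?(?P<digest>@sha256:[0-9a-f]{64})?(?![\w/-])")

def classify(match):
    """Label one TRIVY_REF match: 'pinned', 'affected-tag' or 'mutable-tag'."""
    if match["digest"]:
        return "pinned"  # the digest must still be compared with a known-clean value
    tag = match["tag"] or "latest"  # an untagged reference resolves to :latest
    return "affected-tag" if tag in AFFECTED_TAGS else "mutable-tag"

def audit_config(text):
    """Return (line number, reference, label) for each Trivy reference not pinned by digest."""
    return [(n, m.group(0), classify(m))
            for n, line in enumerate(text.splitlines(), 1)
            for m in TRIVY_REF.finditer(line) if classify(m) != "pinned"]

def exposed_pulls(events):
    """events: (ISO-8601 timestamp with UTC offset, image ref). Return pulls that call for rotation."""
    hits = []
    for ts, ref in events:
        m = TRIVY_REF.fullmatch(ref)
        if (m and classify(m) == "affected-tag"
                and WINDOW[0] <= datetime.fromisoformat(ts) <= WINDOW[1]):
            hits.append((ts, ref))
    return hits

# Constructed sample input (not from a real pipeline); the all-zero digest is a placeholder.
SAMPLE_CONFIG = ("FROM aquasec/trivy:0.69.5\n  image: docker.io/aquasec/trivy\n"
                 "  image: aquasec/trivy:0.69.3\n  image: aquasec/trivy@sha256:" + "0" * 64)
SAMPLE_PULLS = [
    ("2026-03-19T18:00:00+00:00", "aquasec/trivy:latest"),            # before the window
    ("2026-03-21T07:30:00+00:00", "aquasec/trivy:latest"),            # inside the window
    ("2026-03-22T23:10:00+00:00", "aquasec/trivy:0.69.3"),            # last known clean release
    ("2026-03-23T01:36:00+00:00", "docker.io/aquasec/trivy:0.69.6"),  # window edge
]

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))
    print(exposed_pulls(SAMPLE_PULLS))
```

A "pinned" result only means the reference cannot be silently repointed; the digest itself still has to be checked against a known clean release.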

Actionable Takeaways for Teams

  • Development Teams:
    • Review and update all Dockerfiles and CI/CD configurations to explicitly pin Trivy (and other critical tools) to known good SHA256 digests, not just tags.
    • Prioritize updating Docker Desktop to version 4.66.0 to address local vulnerabilities.
    • Implement local scanning of images before pushing to registries.
  • Infrastructure/Ops Teams:
    • Conduct an immediate audit of all systems that may have pulled compromised Trivy images and initiate a full credential rotation.
    • Enforce Docker Content Trust policies across your organization.
    • Ensure all Docker Engine installations, especially those on Linux hosts leveraging v29.3.0, are configured securely, considering the new containerd image store default and experimental NFTables support.
    • Review and strengthen network policies to limit outbound connections from build agents and containerized applications.


Forward-Looking Conclusion

The recent Trivy supply chain attack and the ongoing discovery of critical vulnerabilities like CVE-2026-2664 and CVE-2026-28400 serve as potent reminders that container security is a perpetual, evolving challenge. As containerization becomes the backbone of modern software, attackers will increasingly target the very tools and registries we rely upon. Proactive security measures, continuous vigilance, and rapid response to emerging threats are no longer optional but fundamental to maintaining the integrity and availability of our systems. By adopting a defense-in-depth strategy, embracing immutable infrastructure principles, and fostering a strong security culture, engineering teams can navigate these complex threats and build more resilient, secure applications on Docker.

