Trivy supply chain compromise: What Docker Hub users should know
We want to inform you about a security incident that affects customers who use the Aqua Security vulnerability scanner (Trivy) across multiple distribution channels, including Docker Hub, GitHub, and npm. Between 18:24 UTC on March 19, 2026 and 01:36 UTC on March 23, 2026, Docker Hub customers who pulled the Trivy images with the 0.69.4, 0.69.5, 0.69.6, and latest tags may have had their CI/CD secrets, cloud credentials, SSH keys, and Docker configurations compromised. Around 08:00 UTC on March 23, 2026, Docker worked with Aqua Security to remove these compromised scanner image versions.
If you downloaded any of these compromised images, you should ensure you are no longer using these images and rotate your affected credentials immediately. This issue was isolated to Aqua Security’s images.
The Docker Hardened Images (DHI) version of the Trivy image, Docker’s infrastructure, and other Docker Hub images were not compromised.
What happened
Starting on March 19, 2026 at 18:24 UTC, threat actors compromised Aqua Security’s CI/CD pipeline to push malware into the aquasec/trivy vulnerability scanner images with the 0.69.4 and latest tags on Docker Hub. The infostealer embedded into those images has the potential to exfiltrate CI/CD secrets, cloud credentials, SSH keys, and Docker configurations. Attackers used compromised credentials to push images to Aqua Security’s own repository on Docker Hub through their build system. Since these pushes used Aqua Security’s credentials, they were authenticated by Docker Hub and were indistinguishable from normal Aqua Security activity.
On March 20, 2026 at 03:26 UTC, the attackers re-pointed the latest tag to compromised content after Aqua Security’s initial cleanup.
Another wave of compromised images was uploaded to Docker Hub with the 0.69.5, 0.69.6 and latest tags on March 22. Starting around 08:00 UTC on March 23, Docker became aware of the compromised images and immediately began to investigate.
The images were deleted by the customer (Aqua Security) in the following order, preventing any further downloads from Docker Hub:
sha256:27f446230c60bbf0b70e008db798bd4f33b7826f9f76f756606f5417100beef3 (tagged with 0.69.4) on March 19, 2026 at 22:20 UTC
sha256:5aaa1d7cfa9ca4649d6ffad165435c519dc836fa6e21b729a2174ad10b057d2b (tagged with 0.69.5) on March 23, 2026 at 01:26 UTC
sha256:425cd3e1a2846ac73944e891250377d2b03653e6f028833e30fc00c1abbc6d33 (tagged with 0.69.6) on March 23, 2026 at 01:26 UTC
On March 23 at 15:43 UTC the content of the compromised images was quarantined by Docker, to make them available for internal investigation. Docker reached out to Aqua Security to address the images, confirm credential revocation, and share our findings. Aqua Security was already aware and worked to remove these tags and images from Docker Hub.
The last known clean release is 0.69.3.
Am I affected?
You may be affected if your systems pulled aquasec/trivy between March 19, 18:24 UTC and March 23, 01:36 UTC and you specifically pulled the 0.69.4, 0.69.5, or 0.69.6 tags, or the latest tag, during that window.
How to check your environment
Look for the compromised digests in your local image store, registry mirrors, or Artifactory/Nexus caches:
sha256:27f446230c60bbf0b70e008db798bd4f33b7826f9f76f756606f5417100beef3
sha256:5aaa1d7cfa9ca4649d6ffad165435c519dc836fa6e21b729a2174ad10b057d2b
sha256:425cd3e1a2846ac73944e891250377d2b03653e6f028833e30fc00c1abbc6d33
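To check a local image store or a mirror inventory for these digests, the following POSIX shell script is an added example (not part of the Docker advisory). It assumes the input is one repository@digest entry per line, such as the output of docker images --digests --format '{{.Repository}}@{{.Digest}}' on each build host or an export from a registry mirror or artifact cache; it compares only the digest part, so a copy that was pulled through a mirror under a different repository name is still caught.

```shell
#!/bin/sh
# Added example, not from the Docker advisory: flag the three compromised
# aquasec/trivy digests in a list of image references. The expected input is
# one "repository@sha256:<digest>" entry per line, for example the output of:
#   docker images --digests --format '{{.Repository}}@{{.Digest}}'
# or an inventory export from a registry mirror or artifact cache.

# The three digests Docker quarantined (taken from the advisory above).
COMPROMISED_DIGESTS="
sha256:27f446230c60bbf0b70e008db798bd4f33b7826f9f76f756606f5417100beef3
sha256:5aaa1d7cfa9ca4649d6ffad165435c519dc836fa6e21b729a2174ad10b057d2b
sha256:425cd3e1a2846ac73944e891250377d2b03653e6f028833e30fc00c1abbc6d33
"

# is_compromised DIGEST -> exit 0 if DIGEST is one of the known-bad digests.
is_compromised() {
    for bad in $COMPROMISED_DIGESTS; do
        [ "$1" = "$bad" ] && return 0
    done
    return 1
}

# find_compromised < LIST -> prints every matching entry and exits 0 only if
# the list is clean. Only the digest after "@" is compared, so a copy that was
# pulled through a mirror under a different repository name is still caught.
find_compromised() {
    hits=0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        digest="${entry##*@}"
        if is_compromised "$digest"; then
            echo "COMPROMISED: $entry"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Usage on a build host (only runs when invoked with "--scan-local"):
if [ "${1:-}" = "--scan-local" ]; then
    docker images --digests --format '{{.Repository}}@{{.Digest}}' | find_compromised
fi
```

Run it on every host, runner and mirror that could have pulled during the exposure window, not only on the machines where Trivy is normally used; image IDs differ from repository digests, so compare against the digests shown by --digests rather than the IMAGE ID column.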
If any of these digests are present, remove that image, ensure your systems are running version 0.69.3 (the last known good version), and assume credentials on those systems are compromised. As per our current understanding, the malware targets:
Docker registry tokens (~/.docker/config.json)
Cloud provider credentials (AWS, GCP, Azure)
SSH keys, Kubernetes tokens, CI/CD secrets
Environment variables and .env files
Rotate all credentials accessible from any system that ran the compromised image. Note that a few common Trivy container setup patterns mount the Docker socket (-v /var/run/docker.sock:/var/run/docker.sock), which grants the container full access to the host’s Docker daemon and effectively root-level access to the node. If you ran a compromised Trivy image with the Docker socket mounted, treat the entire host as compromised.
Pin to the clean release aquasec/trivy:0.69.3 or wait for a verified new release from Aqua Security.
If you believe you are affected and need assistance, contact Docker Support.
Other ways you may be affected
Trivy was compromised across multiple distribution channels, including Docker Hub images and GitHub. If you consumed Trivy through other channels (such as GitHub Actions; see advisory GHSA-cxm3-wv7p-598c), you should determine whether you were affected.
Lessons for the ecosystem
This incident highlights lessons for how you can consume container images and CI/CD actions more safely:

Mutable tags are not a security boundary. OCI image tags, including latest, are mutable pointers that can be overwritten by anyone with push access. This attack succeeded because the latest tag was silently re-pointed to malicious content multiple times. Organizations should pin images by digest (image@sha256:…) in production and CI/CD pipelines rather than relying on tags alone.

Digest pinning is not sufficient on its own. A pinned digest ensures you pull the same bytes every time; it does not tell you whether those bytes were built by a trusted party from a known source. Where signed provenance attestations are available, organizations should verify them, not just match digests.

Supply chain integrity requires more than scanning. Trivy is a vulnerability scanner, a tool organizations deploy to improve supply chain security. The compromise had nothing to do with a vulnerability in the CVE sense: no software bug was exploited in the Trivy codebase. The attacker stole publishing credentials and used them to push malicious content through a trusted distribution channel. A scanner examining the compromised image would have had no reason to flag it, because the attack was in the publishing process, not the dependency graph. Scanning tells you about known vulnerabilities in image content; it does not tell you whether the image was built by the party you trust, from the source you expect.

Secret rotation must be atomic. When responding to a compromise, revoke all credentials simultaneously before issuing replacements. Partial rotation can leave windows for re-exploitation.
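As an added example of the "mutable tags are not a security boundary" point (not part of the Docker advisory), the following POSIX shell script lints the image references in a Compose, Kubernetes or CI YAML file and reports every one that is selected by a tag rather than pinned by digest. The file name, the sample content and the all-zero digest used in the usage note are constructed placeholders; substitute the digest of the release you have verified.

```shell
#!/bin/sh
# Added example, not from the Docker advisory: lint the image references in a
# Compose, Kubernetes or CI YAML file and report any that are selected by a
# mutable tag instead of an immutable digest. Only "image:" lines are checked;
# a reference counts as pinned only if it ends in "@sha256:" plus 64 hex digits.
# File names and sample content used with this script are constructed.

# is_digest_pinned REF -> exit 0 if REF is pinned by digest
# (both "repo@sha256:..." and "repo:tag@sha256:..." qualify).
is_digest_pinned() {
    printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# lint_image_refs FILE -> prints one "UNPINNED: <ref>" line per offending
# reference and exits 1; exits 0 when every image reference is digest-pinned.
lint_image_refs() {
    unpinned=$(
        # extract the value of every "image:" key, tolerating list dashes,
        # surrounding quotes and trailing comments
        sed -n -E 's/^[[:space:]-]*image:[[:space:]]*([^[:space:]]+).*/\1/p' "$1" |
        tr -d "\"'" |
        while IFS= read -r ref; do
            is_digest_pinned "$ref" || echo "UNPINNED: $ref"
        done
    )
    [ -z "$unpinned" ] && return 0
    printf '%s\n' "$unpinned"
    return 1
}

# Usage: sh lint_image_refs.sh docker-compose.yml
# A pinned reference looks like (placeholder digest, not a real one):
#   image: aquasec/trivy:0.69.3@sha256:0000000000000000000000000000000000000000000000000000000000000000
[ "$#" -eq 0 ] || lint_image_refs "$1"
```

Wire the check into the pipeline that deploys the YAML so an unpinned reference fails the build; keeping the human-readable tag in front of the digest (repo:tag@sha256:…) preserves readability while the digest is what the runtime actually resolves.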
What Docker is doing beyond incident response
The properties that made this attack possible (mutable references, unverifiable provenance, and trust rooted in credentials rather than build systems) are all problems we have been working on. Here is where that work applies to this incident:
Docker Hardened Images (DHI): The Trivy compromise was possible because a single stolen push token gave the attacker the ability to overwrite trusted image tags on a public registry. For images in the Docker Hardened Images catalog, this class of attack does not apply. Docker rebuilds those images from source in a hermetic build environment rather than pulling and republishing upstream binaries. Each image carries signed provenance attestations that allow consumers to verify who built it, when, and from what source. When the compromise was identified, our team locked DHI builds of Trivy to prevent any auto-update to the compromised upstream release. The exposure was limited to users pulling aquasec/trivy directly from Docker Hub.
Docker Scout: Scout can surface whether any of the three compromised digests listed above are present across your repositories, including in registry mirrors or artifact caches that may have retained copies pulled during the exposure window.
Other resources
Aqua has also published their own incident report at aquasec.com/blog.
Source: https://blog.docker.com/feed/