On March 19, 2026, threat actors compromised Aqua Security's Trivy vulnerability scanner, injecting credential-stealing malware into official releases and GitHub Actions. While Aqua reports they have since removed the malicious releases, organizations using Trivy should audit their environments immediately. Update March 22, 13:15 UTC: Wiz Research continues to track TeamPCP activity following the initial Trivy compromise. The threat actor has expanded operations to the npm ecosystem via a worm (...