Trivy Supply-Chain Compromise Spawns CanisterWorm, the First npm Worm to Use Blockchain for Command and Control
Attackers hijacked 75 of 76 version tags in the widely used trivy-action GitHub Action to steal CI/CD credentials, then deployed a self-propagating npm worm that uses the Internet Computer Protocol as an untakeable-down command-and-control channel.
Overview
A threat actor group calling itself TeamPCP compromised the open-source Trivy vulnerability scanner on March 19, hijacking 75 of 76 version tags in the widely used aquasecurity/trivy-action GitHub Action and publishing a malicious Trivy binary designated v0.69.4, according to The Hacker News and Aqua Security’s own advisory. Within 24 hours, the stolen credentials fueled a second-stage attack: a self-propagating npm worm dubbed CanisterWorm that has infected at least 47 packages and introduced the first documented use of the Internet Computer Protocol blockchain as a command-and-control dead drop, as The Hacker News reported.
What We Know
The compromise was the second breach of the Trivy ecosystem in March. An initial misconfiguration in Trivy’s GitHub Actions environment in late February allowed attackers to extract a privileged access token, according to CSO Online. The Trivy team disclosed the first incident and rotated credentials on March 1, but security firms later determined the rotation was incomplete, leaving residual access that TeamPCP exploited 18 days later.
On March 19, the attackers used the surviving credentials to force-push 75 of 76 version tags in aquasecurity/trivy-action and all seven tags in aquasecurity/setup-trivy to point at malicious commits, as BleepingComputer reported. Because GitHub Actions workflows typically reference actions by mutable version tags rather than immutable commit SHAs, any pipeline that ran a Trivy scan during the roughly 12-hour exposure window automatically pulled the attacker’s code without any change to the workflow file itself.
The malicious payload, which TeamPCP labeled “TeamPCP Cloud stealer,” dumped GitHub Actions Runner worker process memory to extract secrets, then searched the runner filesystem for SSH keys, cloud provider credentials for AWS, GCP, and Azure, Kubernetes service account tokens, Docker registry configurations, and cryptocurrency wallet files, according to The Hacker News. Harvested data was encrypted with AES-256 and RSA-4096 before exfiltration to a typosquatted domain designed to mimic Aqua Security’s own infrastructure.
Simultaneously, the compromised aqua-bot service account triggered Trivy’s release automation to publish a malicious binary as v0.69.4, which was distributed through GitHub Releases, Docker Hub, GHCR, and Amazon ECR before the team contained the incident roughly three hours later, according to BleepingComputer.
CanisterWorm Escalation
On March 20 at 20:45 UTC, security researchers detected a second wave: npm publish tokens stolen during the trivy-action compromise were being used to inject malicious code into legitimate packages. The resulting worm, which researchers named CanisterWorm, spreads by scanning infected machines for stored npm authentication tokens in .npmrc files, environment variables, and CI/CD configurations, then uses those tokens to publish poisoned versions of every package the victim maintains, according to The Hacker News.
CanisterWorm’s most notable technical innovation is its use of the Internet Computer Protocol, a decentralized blockchain network, as its command-and-control infrastructure. The worm queries an ICP canister, a tamperproof smart contract, that exposes three methods: one to retrieve the current payload URL, one to serve that URL to the backdoor, and one to let the attacker rotate to a new payload without touching infected packages, as The Hacker News detailed. Because ICP has no single host or domain registrar, the C2 channel cannot be taken down through conventional abuse reports or legal takedowns, a first for any publicly documented npm worm.
Once installed, CanisterWorm plants a persistent backdoor using systemd that survives reboots. Security firm Socket reported the attack has expanded to at least 141 malicious package artifacts across more than 66 unique packages, as The Hacker News noted.
A Pattern of GitHub Actions Exploitation
The Trivy compromise follows a pattern that began with the tj-actions/changed-files and reviewdog/action-setup attacks in March 2025, which exposed secrets from more than 23,000 repositories by exploiting the same mutable tag mechanism. Despite that incident prompting widespread guidance to pin actions to commit SHAs, the Trivy attack demonstrated that adoption of SHA pinning across the ecosystem remains low. An analysis of 767 repositories with more than 100 stars found that 45 had at least one workflow run during the Trivy compromise window that used a tag reference rather than a pinned SHA, according to Aqua Security’s advisory.
Over 10,000 GitHub workflow files reference aquasecurity/trivy-action, giving the compromise a potentially massive blast radius for credential theft, as CSO Online noted.
What Comes Next
Aqua Security has removed all malicious releases from GitHub Releases, Docker Hub, GHCR, and ECR and published indicators of compromise for defenders. The company is urging all users to rotate every secret that was accessible to affected workflows, including cloud credentials, SSH keys, API tokens, database passwords, and Docker registry tokens, according to Aqua Security’s advisory.
The npm security team is working to identify and unpublish CanisterWorm-infected packages, though the worm’s self-propagating design and blockchain-based C2 channel complicate containment. Security researchers recommend that organizations audit their GitHub Actions workflows for any trivy-action runs after approximately 19:00 UTC on March 19, pin all GitHub Actions to full commit SHAs rather than version tags, and check whether any npm tokens accessible in their CI/CD pipelines may have been exfiltrated, as BleepingComputer reported.