Trivy Scanner Breach Spawns CanisterWorm Across 47 npm Packages

Aqua Security's Trivy vulnerability scanner has been weaponized in a sophisticated supply chain attack that compromised 75 GitHub Action tags and spread self-propagating malware to 47 npm packages. The attack, attributed to threat actors known as TeamPCP, uses Internet Computer blockchain infrastructure for command and control.

The breach represents the second compromise of Trivy infrastructure in March 2026, with Aqua acknowledging that "containment of the first incident was incomplete."

Attack Timeline

On March 19, TeamPCP exploited credentials obtained from an earlier breach to push malicious versions of Trivy's core components:

• trivy-action: 75 of 76 tags force-pushed to malicious versions
• setup-trivy: 7 tags compromised
• Trivy v0.69.4: Backdoored binaries published to GitHub Releases, Docker Hub, GHCR, and ECR

The attackers made imposter commits spoofing legitimate maintainers, including user "rauchg" on actions/checkout and "DmitriyLewen" on aquasecurity/trivy.

How the Compromise Works

When triggered, the malicious Trivy releases connect to a typosquatted domain (scan.aquasecurtiy[.]org—note the misspelling) to download credential-stealing payloads. The attack specifically targets CI/CD secrets that flow through Trivy during security scanning workflows.

The credential-stealing malware, self-described as "TeamPCP Cloud Stealer," performs:

1. Memory dumping of Runner.Worker processes
2. Harvesting of SSH, cloud, and Kubernetes secrets
3. AES-256 + RSA-4096 encryption of stolen data
4. Exfiltration to attacker infrastructure

As a fallback, the malware creates a repository named "tpcp-docs" in the victim's GitHub account to stash stolen credentials.

CanisterWorm: Self-Propagating npm Infection

The breach spawned a secondary infection chain dubbed CanisterWorm, which spread to 47 npm packages through stolen developer tokens:

• 28 packages in @EmilGroup scope
• 16 packages in @opengov scope
• @teale.io/eslint-config (versions 1.8.11, 1.8.12)
• @airtm/uuid-base32
• @pypestream/floating-ui-dom

CanisterWorm uses blockchain-based command and control via an Internet Computer Protocol (ICP) canister, making takedown significantly more difficult than traditional infrastructure.

Blockchain C2 Infrastructure

The ICP canister (tdtqy-oyaaa-aaaae-af2dq-cai) supports three methods: get_latest_link, http_request, and update_link. This architecture allows attackers to modify payloads in real-time without needing to maintain traditional servers.

The implant contacts the canister every 50 minutes using a spoofed browser User-Agent and includes a dormancy trigger—when the canister returns youtube.com URLs, the malware remains inactive, complicating automated analysis.

For persistence, CanisterWorm installs a systemd user service masquerading as "pgmon" (PostgreSQL monitoring tooling) with auto-restart enabled.

Root Cause

Aqua Security confirmed that the attack stemmed from incomplete credential rotation following their March 1 incident: "We rotated secrets and tokens, but the process wasn't atomic and attackers may have been privy to refreshed tokens."

This mirrors patterns seen in the GlassWorm supply chain attack earlier this month, where attackers exploited gaps in incident response to maintain persistence.

Recommended Mitigations

Organizations using Trivy should take immediate action:

1. Pin GitHub Actions to specific commit SHAs, not mutable tags
2. Audit CI/CD logs for connections to aquasecurtiy[.]org (typosquatted domain)
3. Rotate all secrets that may have been exposed in Trivy-enabled pipelines
4. Search for systemd services named "pgmon" on developer workstations
5. Block ICP canister tdtqy-oyaaa-aaaae-af2dq-cai at the network level
6. Scan npm dependencies for the 47 affected packages

Why This Matters

Security scanning tools occupy a privileged position in development workflows—they necessarily have access to source code, build artifacts, and deployment credentials. When attackers compromise these tools, they gain access to the same sensitive resources defenders were trying to protect.

The use of blockchain infrastructure for C2 represents an evolution in supply chain attack sophistication. Unlike domain-based infrastructure that can be seized or sinkholed, ICP canisters are resistant to traditional takedown methods. Expect this technique to proliferate among advanced threat actors, including those behind recent npm supply chain campaigns.