Trivy compromise escalates into a worm campaign
Less than 24 hours after attackers compromised Aqua Security’s widely used Trivy vulnerability scanner, the same group launched a follow-on operation that infected 47 npm packages with a self-spreading worm. The speed of that escalation sent shockwaves through the developer security community.
Researchers at Aikido Security first detected the malware on March 20, 2026, and named it CanisterWorm. The campaign stands out as the first publicly documented case of Internet Computer Protocol (ICP) canisters being used as a command-and-control dead-drop resolver. Because this infrastructure is decentralized, there is no single server to shut down. That also gives the attacker the ability to rotate second-stage payloads without changing the implant already running on infected systems.
How the Trivy breach led to malware delivery
Release pipeline compromise and malicious versioning
The attack traces back to March 19, when a group tracked as TeamPCP breached Trivy’s release pipeline. The intrusion used credentials believed to have remained active after an incomplete rotation following an earlier February incident.
The attackers published a malicious Trivy v0.69.4 release and force-pushed 75 of 76 version tags in the official trivy-action GitHub Action. That turned trusted CI/CD references into malware delivery channels.
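Because a force-pushed tag changes what an existing workflow reference resolves to, one defensive check is to flag every `uses:` reference that is not pinned to a full commit SHA. The following is an added example, not code from the article or from Aqua Security; the workflow text, the refs and the 40-character SHA in it are constructed for illustration.

```python
import re

# Captures the value of a step's `uses:` key, ignoring quotes and trailing comments.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed workflow: two mutable refs, one SHA-pinned ref, one local action.
SAMPLE = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: scan
        uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: ./.github/actions/local-step
"""

def classify_ref(uses_value):
    """Return 'local', 'pinned' or 'mutable' for one `uses:` value."""
    if uses_value.startswith("./"):
        return "local"  # lives in the same repository as the workflow
    if uses_value.startswith("docker://"):
        # An image digest is immutable; an image tag can be repointed.
        return "pinned" if "@sha256:" in uses_value else "mutable"
    _, sep, ref = uses_value.rpartition("@")
    if not sep:
        return "mutable"  # no ref at all
    # Branches and tags (v4, master, 0.x.y) can be moved by a force-push;
    # only a full 40-hex commit SHA names fixed content.
    return "pinned" if FULL_SHA_RE.match(ref) else "mutable"

def audit_workflow(text):
    """Return [(line_no, uses_value)] for each reference that can be repointed."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if match and classify_ref(match.group(1)) == "mutable":
            findings.append((line_no, match.group(1)))
    return findings

if __name__ == "__main__":
    for line_no, ref in audit_workflow(SAMPLE):
        print(f"line {line_no}: {ref} is not pinned to a commit SHA")
```

Pinning to a SHA fixes which code runs, but the pinned commit still has to be one that was reviewed before the compromise.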
Stolen secrets and official response
CrowdStrike confirmed that the payload exfiltrated CI/CD secrets, cloud provider keys, and Kubernetes tokens to a typosquatted domain designed to resemble Aqua Security.
Aqua Security acknowledged the compromise in a GitHub discussion, stating that its containment of the first incident was incomplete. The company then moved to delete the malicious release and publish fixed action versions.
How CanisterWorm spreads through npm packages
Three-stage malware architecture
According to Aikido’s technical analysis, the attack uses a three-stage design. A Node.js postinstall loader drops a persistent Python backdoor disguised as PostgreSQL tooling. That backdoor then polls an ICP canister every 50 minutes for payload URLs.
The backdoor waits five minutes before its first beacon, a delay intended to evade sandbox environments. It also installs itself as a user-level systemd service, which allows it to persist without requiring root access.
Autonomous worm-like propagation
What makes this campaign especially dangerous is its autonomous spreading behavior. After the backdoor is installed, the malware harvests npm authentication tokens from the developer’s environment by scanning .npmrc files and environment variables.
It then uses those tokens to enumerate every package the compromised account can publish, bump patch versions, and republish the malicious payload using default install tags. Socket’s independent investigation confirmed this worm-like propagation model and found that affected packages showed abrupt patch bumps, stripped functionality, and byte-identical malware components.
Why blockchain-based command and control changes the threat
CanisterWorm’s use of Internet Computer Protocol canisters for command and control marks a troubling shift. Traditional takedown methods are far less effective against decentralized infrastructure because there is no single server to remove.
That design also gives the attacker flexibility. The implant can remain in place on infected machines while second-stage payload locations are changed independently through the canister-based dead-drop mechanism.
At the time of reporting, the dead-drop URL stored in the ICP canister pointed to a YouTube video, effectively leaving the malware in a dormant state. But researchers warned that the attacker could switch it to a live payload at any time.
Growing npm supply chain risk in 2026
The campaign emerged during an intensifying wave of npm supply chain attacks in 2026. One of the earlier operations disclosed in February, SANDWORM_MODE, targeted developers through 19 typosquatting packages and included credential-harvesting and AI coding assistant exploitation capabilities.
Against that backdrop, CanisterWorm shows how quickly a compromise can move from a trusted developer tool into a broader ecosystem threat. And its use of decentralized command-and-control infrastructure adds a layer that existing response models struggle to disrupt.

