Trivy Scanner Compromised Again, Spawns CanisterWorm Across npm (2026)
Trivy vulnerability scanner hijacked for the second time in March 2026. Attackers stole CI/CD secrets from 10K+ pipelines and launched CanisterWorm — a self-spreading npm worm.
Aqua Security's popular open-source vulnerability scanner Trivy was compromised for the second time in a month on March 19, 2026, with attackers hijacking 76 of 77 version tags in the trivy-action GitHub Action and publishing a malicious v0.69.4 release across Docker Hub, ECR Public, and package repositories. The attack subsequently triggered a self-propagating npm worm dubbed CanisterWorm that infected over 50 packages, marking the first known use of blockchain-based command-and-control infrastructure in a supply chain attack.
What Happened
The attack, attributed to a threat actor group called TeamPCP, began when attackers exploited credentials that had been incompletely rotated after an initial breach disclosed on March 1, 2026. At approximately 17:43 UTC on March 19, the attacker force-pushed 76 of 77 version tags in the aquasecurity/trivy-action repository to malicious commits, and replaced all 7 tags in setup-trivy. Between 18:22 and 21:42 UTC, a malicious Trivy v0.69.4 was published to Docker Hub, Amazon ECR Public, and deb/rpm package repositories.
The malicious payload was designed to steal SSH keys, cloud credentials for AWS, GCP, and Azure, Kubernetes tokens, Docker configurations, Git credentials, npm tokens, and cryptocurrency wallets. It also read GitHub Actions Runner worker memory to extract secrets from CI/CD pipelines. Stolen data was exfiltrated to a typosquatted domain and a command-and-control server hosted in Amsterdam.
Key Details
- 76 of 77 version tags hijacked in the trivy-action repository, with the compromise window lasting approximately 12 hours (17:43 UTC March 19 to 05:40 UTC March 20).
- 45 open-source repositories confirmed to have executed compromised versions during the exposure window, out of 767 analyzed.
- An estimated 10,000+ CI/CD pipelines affected based on public disclosures, with secrets potentially exfiltrated from every affected run.
- Docker Hub images v0.69.5 and v0.69.6 were also found compromised on March 22.
- CanisterWorm infected 50+ npm packages using stolen credentials, including packages under the @EmilGroup, @opengov, @airtm, and @pypestream scopes.
What Developers and Users Are Saying
The security community has responded with alarm, particularly because Trivy is a security tool that developers run specifically to protect their infrastructure. The dominant reaction on Hacker News and Reddit has been concern that the incomplete credential rotation after the March 1 breach enabled this second compromise just 18 days later.
Security researchers at StepSecurity, CrowdStrike, and Wiz published detailed technical analyses. StepSecurity's Harden-Runner tool was credited with detecting the C2 connections across multiple affected projects. The CanisterWorm component drew particular attention from Endor Labs and Mend, who flagged it as the first documented abuse of Internet Computer Protocol canisters as a decentralized dead-drop resolver — making takedown significantly harder than traditional infrastructure.
What This Means for Developers
Any team that ran Trivy, trivy-action, or setup-trivy in CI/CD between March 19 and March 22 should treat all secrets used in those pipelines as compromised and rotate them immediately. This includes cloud credentials, Kubernetes tokens, Docker registry credentials, npm publish tokens, SSH keys, and Git credentials. Check CI logs for outbound DNS queries to the typosquatted domain or anomalous network connections.
For npm maintainers, audit recent publish activity and verify no unauthorized versions were released. Pin GitHub Actions to specific commit SHAs rather than mutable version tags. Consider deploying runtime monitoring in CI/CD pipelines to detect anomalous network activity.
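Two of the checks above (find workflows that reference trivy-action or setup-trivy by a mutable tag, and find npm versions published inside the compromise window) are easy to automate. The script below is an added example written for this article; it is not Aqua Security's tooling or code from any of the cited vendors. The workflow YAML and the `npm view` output are constructed inputs, the 40-hex SHA is a placeholder, and the window boundaries are taken from the timestamps reported above (first tag force-push at 17:43 UTC on March 19, compromised images still being found on March 22).

```python
"""Offline triage helpers for the Trivy trivy-action / CanisterWorm incident.

Added example, not part of the article or of any vendor's tooling.
  audit_workflows()    - flag `uses:` references pinned to a mutable tag rather
                         than a full commit SHA; single out the two actions
                         named in the advisory.
  versions_in_window() - given the `time` map from `npm view <pkg> --json`,
                         list versions published inside the compromise window.
"""
import re
from datetime import datetime, timezone

# Actions whose tags were force-pushed during the incident (from the article).
INCIDENT_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

# Window from the article: 17:43 UTC Mar 19 (first force-push) through the end
# of Mar 22 (last day on which compromised Docker Hub images were found).
WINDOW_START = datetime(2026, 3, 19, 17, 43, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 23, 0, 0, tzinfo=timezone.utc)

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text):
    """Yield (owner/repo, ref) for each remote action reference in a workflow."""
    for m in USES_RE.finditer(workflow_text):
        spec = m.group(1).strip("'\"")
        if spec.startswith(("./", "docker://")):
            continue  # local path or docker image: nothing to pin by SHA
        path, _, ref = spec.partition("@")
        repo = "/".join(path.split("/")[:2])  # drop any subdirectory path
        yield repo, ref


def classify(repo, ref):
    """'pinned' if ref is a full SHA; otherwise flag, with extra weight on
    the actions named in the advisory (a tag like 0.28.0 was also force-pushed)."""
    if SHA_RE.match(ref):
        return "pinned"
    if repo in INCIDENT_ACTIONS:
        return "incident-action-mutable"
    return "mutable"


def audit_workflows(workflow_text):
    return [(repo, ref, classify(repo, ref)) for repo, ref in parse_uses(workflow_text)]


def versions_in_window(npm_time, start=WINDOW_START, end=WINDOW_END):
    """npm_time is the `time` object from `npm view <pkg> --json`:
    version -> ISO-8601 publish timestamp, plus 'created' and 'modified'."""
    hits = []
    for version, ts in npm_time.items():
        if version in ("created", "modified"):
            continue
        published = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if start <= published < end:
            hits.append((version, published))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.2
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - uses: docker://alpine:3.20
      - uses: ./.github/actions/local
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567 # v4
"""

# Constructed `time` map as `npm view some-pkg time --json` would print it.
SAMPLE_NPM_TIME = {
    "created": "2024-05-02T10:00:00.000Z",
    "modified": "2026-03-20T03:11:09.000Z",
    "1.3.9": "2026-03-19T12:00:00.000Z",
    "1.4.0": "2026-03-10T12:00:00.000Z",
    "1.4.1": "2026-03-20T03:11:09.000Z",
}

if __name__ == "__main__":
    for repo, ref, verdict in audit_workflows(SAMPLE_WORKFLOW):
        print(f"{verdict:24} {repo}@{ref}")
    for version, published in versions_in_window(SAMPLE_NPM_TIME):
        print(f"published in window: {version} at {published.isoformat()}")
```

To run it against a real repository, feed the contents of each file under `.github/workflows/` to `audit_workflows()` and the parsed `time` field of `npm view <pkg> --json` to `versions_in_window()`. A hit from the second check is not proof of compromise on its own; confirm it against the maintainer's own publish history, since legitimate releases also land in the window.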
What's Next
Aqua Security's investigation remains ongoing with a published security advisory (GHSA-69fq-xp46-6x23) detailing indicators of compromise. GitHub is working with affected repository owners. The npm ecosystem is still being scanned for additional CanisterWorm infections, with security firms warning that the self-propagating worm may surface new compromised packages in the coming days.