Mar 22, 2026 · 5 min read
A Hacked Security Scanner Spawned the First Worm That Uses Blockchain to Hide
Attackers compromised Aqua Security's Trivy scanner, hijacked 75 GitHub Action tags, and deployed CanisterWorm, a self-spreading malware that stores its command server address on the Internet Computer blockchain, where nobody can take it down.
Security tools are supposed to find vulnerabilities. They are not supposed to become one. On March 19, 2026, attackers compromised Trivy, one of the most widely used open-source vulnerability scanners, and turned it into a distribution mechanism for credential-stealing malware. Within 48 hours, the attack escalated into something researchers had not seen before: a self-propagating worm that uses blockchain smart contracts to hide its command infrastructure.
The worm, dubbed CanisterWorm, has already infected 47 npm packages and represents the first documented malware to use the Internet Computer Protocol blockchain as a dead drop resolver. Traditional takedowns do not work because you cannot send a cease and desist letter to a smart contract.
How the Trivy Compromise Worked
Trivy is maintained by Aqua Security and used by thousands of development teams to scan containers, filesystems, and code repositories for known vulnerabilities. Many teams run it automatically through GitHub Actions, a CI/CD automation system that executes security checks every time code is pushed.
The attackers, believed to be a cloud-focused cybercriminal group called TeamPCP, force-pushed 75 out of 76 version tags in the aquasecurity/trivy-action GitHub repository. This replaced trusted version references with malicious code. Any CI/CD pipeline that pinned to a version tag instead of a specific commit hash silently pulled the compromised version on its next run.
The injected payload was an infostealer designed to harvest CI/CD secrets: API keys, cloud credentials, npm tokens, and service account passwords. These are the credentials that control production infrastructure.
CanisterWorm: Blockchain as a Hiding Spot
The Trivy compromise was the initial breach. What followed was unprecedented. Using stolen npm tokens harvested from infected CI/CD pipelines, the attackers published malicious code to 47 npm packages across multiple scopes including @EmilGroup (28 packages), @opengov (16 packages), and several standalone packages.
Each infected package contained an index.js file that ran during npm's postinstall phase. This code did two things: it stole the developer's npm authentication tokens, and it spawned a background process that contacted an ICP canister to retrieve its command and control server address.
An ICP canister is a tamper-proof smart contract running on the Internet Computer blockchain. Unlike a traditional server that law enforcement can seize or a domain name that a registrar can suspend, a blockchain canister cannot be unilaterally taken down. The attacker can update the canister to point at different command servers at will, and when dormant, it returns a YouTube URL as a decoy so automated scanners see nothing suspicious.
Self Propagation: The Critical Escalation
Early versions of CanisterWorm required the attackers to manually publish infected packages using stolen credentials. But researchers found a subsequent iteration in @teale.io/eslint-config versions 1.8.11 and 1.8.12 that propagates on its own.
The self-propagating variant includes a findNpmTokens() function that searches the developer's environment for every npm authentication token it can find. It then uses those tokens to publish itself into other packages the developer maintains. As security researchers noted, this is the point where the attack goes from "compromised account publishes malware" to "malware compromises more accounts and publishes itself."
The worm also installs a persistent systemd service named pgmon to survive reboots and maintain access to the infected machine.
Why This Attack Matters
Supply chain attacks are not new. The SolarWinds breach in 2020 and the npm supply chain attacks targeting AWS credentials demonstrated how compromising a single trusted tool can cascade across thousands of organizations. But CanisterWorm introduces two innovations that make it harder to stop.
First, using blockchain for command and control infrastructure means there is no single point of failure for defenders to target. Security teams cannot submit a takedown request to a blockchain. They cannot seize a smart contract. The infrastructure is distributed, immutable, and available to anyone with an internet connection.
Second, self propagation through stolen npm tokens means the worm spreads without human intervention. Each infected developer machine becomes a new launch point. The attack surface grows exponentially with every installation.
What Developers Should Do Now
If your CI/CD pipeline uses Trivy through GitHub Actions, check whether your workflow pins to a version tag or a commit hash. Version tags can be overwritten; commit hashes cannot. Switch to commit hash pinning immediately.
- Audit npm tokens: Revoke and rotate all npm authentication tokens on machines that ran affected Trivy versions
- Check for pgmon: Search for a systemd service named pgmon on developer machines and CI runners
- Review package publications: Check your npm packages for unexpected version bumps you did not authorize
- Pin dependencies by hash: Use lockfiles and integrity checks to verify packages have not been tampered with
- Monitor GitHub Actions: Enable audit logging and alert on force pushes to action repositories you depend on
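As an added example that is not part of the original article or of Aqua Security's tooling, this shell script implements two of the checks above: it flags every GitHub Actions reference in a workflow file that is pinned to a mutable tag or branch rather than a full commit SHA (the weakness the force-pushed trivy-action tags exploited), and it looks for a systemd unit named pgmon in the standard unit directories. The sample workflow it scans is constructed, and the 40-hex SHA in it is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the article or from Aqua Security: two audit
# helpers for the checklist above. Assumptions: workflow files contain
# "uses: owner/repo@ref" lines, systemd units live in the standard
# directories, and the sample workflow below is constructed for a dry run.

# Succeeds (exit 0) only if the "@ref" part of an action reference is a full
# 40-character hex commit SHA; tags and branch names fail.
is_sha_pinned() {
  printf '%s\n' "${1##*@}" | grep -Eq '^[0-9a-f]{40}$'
}

# Print every action reference in a workflow file that is pinned to a mutable
# tag or branch, i.e. the kind of reference a force-pushed tag can redirect.
find_tag_pinned_actions() {
  grep -Eo 'uses:[[:space:]]*[A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+@[^[:space:]"#]+' "$1" \
    | sed -E 's/^uses:[[:space:]]*//' \
    | while read -r ref; do
        is_sha_pinned "$ref" || printf '%s\n' "$ref"
      done
}

# Print the path of any systemd unit named pgmon, system-wide or per-user.
find_pgmon_units() {
  for d in /etc/systemd/system /usr/lib/systemd/system /lib/systemd/system \
           "${HOME:-/nonexistent}/.config/systemd/user"; do
    [ -f "$d/pgmon.service" ] && printf '%s\n' "$d/pgmon.service"
  done
  return 0
}

# Constructed sample workflow: two mutable refs and one placeholder SHA pin.
SAMPLE_WF="$(mktemp)"
trap 'rm -f "$SAMPLE_WF"' EXIT
cat > "$SAMPLE_WF" <<'EOF'
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
EOF

echo "Mutable action pins (replace each with a commit SHA):"
find_tag_pinned_actions "$SAMPLE_WF"
echo "pgmon units found:"
find_pgmon_units
```

Run it against each file under .github/workflows/ in your repositories; any line it prints is a reference that an upstream force-push can silently swap out.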
The lesson from CanisterWorm is that the tools you trust to keep your code safe can become the vector that compromises it. Verify everything, even your security scanner.