Mar 22, 2026 · 6 min read

The Security Scanner Meant to Protect Your Code Was Spreading Malware Through It

Attackers compromised Aqua Security's Trivy scanner on GitHub Actions, then used stolen credentials to deploy CanisterWorm, a self-replicating npm worm that uses blockchain smart contracts as an untraceable command server. 47 packages were infected before anyone noticed.

If you run Trivy in your CI/CD pipeline to scan for vulnerabilities, you may want to sit down. Between March 19 and March 21, 2026, attackers compromised the official Trivy GitHub Actions repository and used it to steal CI/CD secrets from every project that ran the scanner. Then they used those stolen credentials to publish a self-replicating worm across 47 npm packages, turning one compromised security tool into an exponentially spreading supply chain infection.

The worm, dubbed CanisterWorm by researchers at Aikido Security, is the first publicly documented malware to use a blockchain smart contract as its command and control server. That means even if every infected package is removed from npm, the attackers can push new instructions to any machine that is still compromised, and nobody can take the server down.

How the Trivy Compromise Happened

The attack started with a misconfigured GitHub Actions workflow. Aqua Security's Trivy repository used a pull_request_target trigger, which runs the workflow as defined in the base repository, with that repository's secrets available, in response to a pull request. This is a known dangerous pattern because it can expose repository secrets to untrusted code.

A threat group called TeamPCP exploited this misconfiguration to extract a Personal Access Token (PAT) from the workflow environment. With that token, they force-pushed malicious commits over 75 of the 76 version tags on the aquasecurity/trivy-action repository and 7 tags on aquasecurity/setup-trivy.

Every project using Trivy in its CI/CD pipeline now pulled the compromised version. The malicious code harvested environment variables, secrets, and tokens from the build environment, sending them back to the attackers. This gave TeamPCP a massive collection of npm authentication tokens, cloud credentials, and API keys from thousands of development teams.

From Stolen Tokens to Self-Replicating Worm

On March 20 at 20:45 UTC, Aikido Security's monitoring system detected something unusual: dozens of npm packages from multiple organizations were simultaneously receiving unauthorized patch updates. All contained the same hidden malicious code. This was CanisterWorm deploying itself using the npm tokens stolen through the Trivy compromise.

The initial wave was manual. The attackers ran a script called deploy.js that used stolen tokens to publish malicious updates to every package they had credentials for. But the second wave was autonomous. Later versions of CanisterWorm, found in @teale.io/eslint-config versions 1.8.11 and 1.8.12, included a findNpmTokens() function that ran during the npm postinstall phase.

This function scanned the victim's machine for npm authentication tokens and used them to publish the worm to every package that developer had access to. As researchers at Mend.io described it: "This is the point where the attack goes from 'compromised account publishes malware' to 'malware compromises more accounts and publishes itself.'"
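
Because the propagation step runs from an npm install hook, it helps to know which installed packages declare one. The following is an added example, not code from the original article: it lists the preinstall, install and postinstall commands found under a node_modules tree (for instance one populated with npm install --ignore-scripts) so they can be read before they are allowed to run. The allowlist parameter is a hypothetical team policy.

```python
import json
from pathlib import Path

# npm lifecycle scripts that run automatically while a package is installed
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def install_hooks(node_modules):
    """Map 'name@version' -> {hook: command} for each package declaring an install hook."""
    found = {}
    for manifest in sorted(Path(node_modules).rglob("package.json")):
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        scripts = pkg.get("scripts") if isinstance(pkg, dict) else None
        if not isinstance(scripts, dict):
            continue
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            name = pkg.get("name", manifest.parent.name)
            found[f"{name}@{pkg.get('version', '?')}"] = hooks
    return found

def unreviewed(found, allowlist):
    """Drop packages whose name is on a reviewed allowlist (hypothetical team policy)."""
    return {k: v for k, v in found.items() if k.rsplit("@", 1)[0] not in allowlist}

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "node_modules"
    for pkg, hooks in unreviewed(install_hooks(root), allowlist=set()).items():
        for hook, command in hooks.items():
            print(f"{pkg}: {hook} -> {command}")
```
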

The Blockchain Command Server

CanisterWorm's most novel feature is its command and control infrastructure. Instead of connecting to a traditional server that authorities could seize or block, the worm queries an Internet Computer Protocol (ICP) canister, essentially a tamper-proof smart contract running on a decentralized blockchain.

Every 50 minutes, the backdoor contacts the ICP canister with a spoofed browser user agent to fetch a URL. If the URL contains youtube.com, the worm enters dormant mode and does nothing. Otherwise, it downloads and executes whatever the URL points to. The canister controller can swap the URL at any time, pushing new payloads to every infected machine without touching the implant itself.

This architecture is resilient to traditional takedown methods. You cannot seize a blockchain node. You cannot get a court order against a smart contract. The infrastructure persists as long as the blockchain exists, which is, by design, forever.

The Persistence Mechanism

Once installed, CanisterWorm creates a systemd user service disguised as PostgreSQL monitoring tooling (named "pgmon"). This service is configured with Restart=always, meaning it automatically restarts the Python backdoor after a five-second delay if the process is terminated. Killing the process is not enough. You need to find and disable the service file.
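
The following added example (not code from the original article or from the researchers) hunts for that persistence by reading unit files directly. It flags any user unit named like pgmon, and goes beyond the specific case by also flagging any unit that combines Restart=always with a Python ExecStart. The directory ~/.config/systemd/user is the usual location for per-user units and is an assumption here, since the article does not give a path.

```python
from pathlib import Path

# Usual per-user unit directory (an assumption: the article gives no path)
USER_UNIT_DIR = Path.home() / ".config" / "systemd" / "user"

def service_settings(text):
    """Parse the [Service] section of a unit file into a dict (last value wins)."""
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def indicators(path):
    """Return the traits described in the article that this unit file matches."""
    hits = ["name"] if "pgmon" in path.stem.lower() else []
    try:
        s = service_settings(path.read_text(errors="replace"))
    except OSError:
        return hits  # unreadable file or broken symlink: report the name match only
    if s.get("Restart", "").lower() == "always":
        hits.append("restart-always")
    if "python" in s.get("ExecStart", "").lower():
        hits.append("python-exec")
    return hits

def hunt(unit_dir=USER_UNIT_DIR):
    """Flag units named like pgmon, or any unit that keeps a Python process alive."""
    findings = {}
    for path in sorted(Path(unit_dir).glob("*.service")):
        hits = indicators(path)
        if "name" in hits or {"restart-always", "python-exec"} <= set(hits):
            findings[path.name] = hits
    return findings

if __name__ == "__main__":
    for unit, hits in hunt().items():
        print(f"{unit}: {', '.join(hits)}")
```

Reading the unit files also surfaces a service that is installed but not currently loaded, which systemctl --user list-units does not show.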

The malware itself appears to have been partially generated by AI. Researchers noted the code shows signs of being "vibe coded" using an AI coding tool, with no attempt at obfuscation or concealment. The attackers apparently prioritized speed of development over stealth, a trade-off that makes sense when your command infrastructure is already untraceable.

What Developers Should Do Right Now

If you used Trivy in any CI/CD pipeline between March 19 and March 21, 2026, treat every secret in that environment as compromised:

  • Rotate all tokens. npm tokens, cloud credentials, API keys, and any other secrets present in your CI/CD environment need to be rotated immediately.
  • Audit published packages. Check whether any npm packages you maintain received unauthorized updates during this window.
  • Search for pgmon. On Linux systems, check for a systemd user service named "pgmon" with systemctl --user list-units | grep pgmon.
  • Pin GitHub Actions. Reference Actions by commit SHA rather than mutable tags. The tag v4 can be repointed to any commit; the SHA abc123 cannot.
  • Review postinstall scripts. Before installing or updating npm packages, check for suspicious postinstall hooks that execute external scripts.
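
The pinning advice above and the pull_request_target misconfiguration described earlier can both be checked mechanically. The following is an added example, not code from the original article or from Aqua Security: a line-based audit of a workflow file that reports action references not pinned to a full 40-character commit SHA, and references to the pull request's head inside a pull_request_target workflow. Treating that reference as the risky combination is an assumption about the pattern in general, not a detail the article gives about Trivy's workflow; the sample workflow, its SHA and the vX.Y.Z tag are constructed placeholders.

```python
import re

SHA_PIN = re.compile(r"[0-9a-f]{40}")
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
# Expressions that resolve to the pull request's own (untrusted) code
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref")

def audit_workflow(text):
    """Return (line_no, finding) pairs for one workflow file (line-based heuristic)."""
    lines = [(n, l) for n, l in enumerate(text.splitlines(), 1)
             if not l.lstrip().startswith("#")]
    privileged = any("pull_request_target" in l for _, l in lines)
    findings = []
    for n, line in lines:
        if privileged and PR_HEAD.search(line):
            findings.append((n, "pull_request_target workflow references PR head"))
        m = USES.match(line)
        # Local actions and docker:// images carry no git ref to pin
        if m and not m.group(1).startswith(("./", "docker://")):
            action, _, ref = m.group(1).partition("@")
            if not SHA_PIN.fullmatch(ref):
                findings.append((n, f"mutable ref: {action}@{ref}"))
    return findings

# Constructed workflow; the 40-hex SHA and the vX.Y.Z tag are placeholders
SAMPLE = """\
on:
  pull_request_target:
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: aquasecurity/setup-trivy@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@vX.Y.Z
"""

if __name__ == "__main__":
    for line_no, finding in audit_workflow(SAMPLE):
        print(f"line {line_no}: {finding}")
```
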

The Supply Chain Trust Problem

This attack embodies the deepest fear in software supply chain security: the tool you trust to find vulnerabilities becomes the vulnerability. Trivy is one of the most widely used open source security scanners, integrated into thousands of CI/CD pipelines precisely because teams trust it to make their software safer. That trust was weaponized.

The pattern is becoming familiar. We saw it when a single stolen npm token gave hackers full AWS admin access. We saw it when a Trust Wallet extension was compromised in a supply chain attack. Each time, the entry point is a component that developers install without a second thought because it comes from a trusted source.

CanisterWorm adds a new dimension: self-propagation with untraceable command infrastructure. And the same threat actor has already moved on: TeamPCP used credentials stolen from the Trivy breach to backdoor LiteLLM, the AI library present in 36% of cloud environments. The next supply chain worm may not be caught in two days. It may not be caught at all.