Trivy Supply Chain Attack: NPM Packages & CI/CD Pipelines Compromised | TeamPCP
The widely used open-source vulnerability scanner, Trivy, has been compromised in an ongoing supply chain attack, leading to the spread of credential-stealing malware through official releases and GitHub Actions. The incident, initially reported on March 20, 2026, has now expanded to affect a significant number of npm packages, with attackers leveraging a self-propagating worm dubbed CanisterWorm. This latest development underscores the growing sophistication of supply chain attacks and the potential for widespread impact on developers and organizations relying on open-source tools.
Initial Compromise and GitHub Actions Hijack
The initial breach, discovered on March 19th, involved the compromise of 75 out of 76 version tags in the aquasecurity/trivy-action GitHub repository, the official GitHub Action for running Trivy vulnerability scans. Attackers force-pushed malicious commits to these tags, effectively turning trusted version references into a distribution mechanism for an infostealer. According to Socket security researcher Philipp Burckhardt, the payload executes within GitHub Actions runners, targeting sensitive CI/CD secrets such as SSH keys, cloud provider credentials, database access information, Git configurations, Kubernetes tokens, and even cryptocurrency wallets. The Hacker News details the scope of the initial compromise.
This attack follows a previous incident in February and early March 2026, where an autonomous bot called hackerbot-claw exploited a “pull_request_target” workflow to steal a Personal Access Token (PAT) and gain control of the GitHub repository. The attackers subsequently deleted release versions and pushed malicious versions of the Aqua Trivy VS Code extension to Open VSX.
CanisterWorm and npm Package Compromise
The situation escalated with the discovery that the same attackers are now suspected of conducting follow-on attacks that have led to the compromise of 47 npm packages. The attackers are utilizing a postinstall hook to execute a loader, which then retrieves a Python backdoor from an Internet Computer Protocol (ICP) canister – a novel approach to command-and-control (C2) infrastructure. Aikido Security researcher Charlie Eriksen notes this marks the first publicly documented abuse of an ICP canister for this purpose.
The malware establishes persistence through a systemd user service, configured to automatically restart the Python backdoor even if terminated. This service is disguised as PostgreSQL tooling (“pgmon”) to evade detection. The attackers employ a standalone tool, run manually with stolen npm tokens, to maximize the spread of the malicious payload across interconnected packages. This “deploy.js” file allows for programmatic infection of packages accessible through the compromised tokens.
A subsequent iteration of CanisterWorm, detected in packages like “@teale.io/eslint-config,” exhibits self-propagation capabilities, meaning it can infect other packages without manual intervention. Eriksen explains that any developer or CI pipeline installing an infected package with an accessible npm token becomes an unwitting vector for further propagation. The affected packages currently include 28 within the @EmilGroup scope and 16 within the @opengov scope.
Attribution and Root Cause
The attacks are attributed to a cloud-focused cybercriminal operation known as TeamPCP, who have been previously linked to similar malicious activities. Ground.news reports on the attribution to TeamPCP.
A key factor enabling the attacks was the inadvertent hardcoding of authentication secrets in Trivy’s pipelines for software development and deployment. This allowed attackers to perform authenticated operations, including force-updating tags, without directly exploiting GitHub itself. Socket researchers emphasize that force-pushing tags bypasses typical commit history and notification mechanisms, making detection more difficult.
Mitigation and Response
Trivy maintainer Itay Shakury has confirmed the compromise and stated that all malicious artifacts have been removed from affected registries and channels. The latest Trivy releases now point to safe versions. Though, Shakury advises anyone suspecting they were running a compromised version to treat all pipeline secrets as compromised and rotate them immediately. Shakury’s statement on GitHub provides further details.
Security firms Socket and Wiz have reported that the malware, triggered in the compromised trivy-action tags, thoroughly scans development pipelines and developer machines for valuable secrets. Once found, the data is encrypted and exfiltrated to an attacker-controlled server. Any CI/CD pipeline using software referencing these compromised tags is at risk of executing malicious code during a Trivy scan.
What Comes Next: Enhanced Security Measures
Aqua Security, the maintainer of Trivy, has implemented immutable releases since the initial breach to prevent unauthorized tag modifications. However, the incident highlights the require for robust security practices throughout the software supply chain. This includes rigorous credential management, regular security audits, and the implementation of multi-factor authentication. The industry is likely to see increased scrutiny of CI/CD pipelines and a greater emphasis on securing open-source dependencies. Further investigation is needed to fully understand the extent of the compromise and identify all affected systems. Developers and organizations are encouraged to stay informed about the latest security updates and follow best practices for securing their development environments.