ArayoNews | AI & Tech

npm Ecosystem Under Attack: Self-Propagating Worm CanisterWorm Leverages Blockchain C2

47 packages infected within 24 hours of Trivy breach, novel attack technique using ICP blockchain confirmed

AI Reporter Alpha · 6 min read
Summary
  • TeamPCP infected 47 npm packages with CanisterWorm, a self-propagating worm using blockchain-based C2, within 24 hours of the Trivy breach
  • First case of using ICP blockchain canisters as C2 dead-drops, neutralizing traditional server blocking methods
  • Auto-propagation feature steals npm tokens and redeploys malicious code to all accessible packages

24 Hours After Trivy Breach, Spread Across npm Ecosystem

Less than 24 hours after the breach of open-source security scanner Trivy, the same threat actor group launched a self-propagating worm attack targeting the entire npm package ecosystem. Discovered by Aikido Security researchers on March 20, 2026, this malware infected at least 47 npm packages and marks the first recorded case of using Internet Computer Protocol (ICP) blockchain canisters as command-and-control (C2) infrastructure.

Dubbed CanisterWorm, this worm operates by stealing npm tokens from infected systems, then automatically redeploying malicious code to all packages the victim has access to. Traditional server-based C2 blocking techniques cannot prevent blockchain-based payload replacement, presenting a new challenge to the security community.

TeamPCP Follows Trivy Breach with Chain Attack

This CanisterWorm attack is assessed as a direct follow-up to the Trivy release pipeline breach that occurred on March 19. According to a detailed report from Wiz, the threat actor group known as TeamPCP injected credential-stealing malware into the official binaries and GitHub Actions of Aqua Security's vulnerability scanner Trivy.

Trivy is an open-source security tool that scans container images, file systems, Git repositories, and more, widely used by developers worldwide in CI/CD pipelines. The supply chain compromise of such a trusted tool raises concerns about potential widespread secondary damage.

Attack Mechanism: From postinstall to Self-Propagation

According to technical analysis published by Aikido Security, CanisterWorm operates in the following stages:

Stage 1: Initial Infiltration

  • Auto-executes during npm install via postinstall hook
  • Installs Base64-encoded systemd backdoor payload
  • Operates using only Python standard library, requiring no additional installations

Stage 2: Credential Theft

  • Collects npm tokens from infected systems
  • Uses a backdoor similar to the sysmon.py deployed in the Trivy attack
  • Currently, C2 returns a Rickroll YouTube video, but can switch to actual malicious payload at any time

Stage 3: Self-Propagation (after version 1.8.11-1.8.12 upgrade)

  • Initial versions required attackers to manually execute deploy.js
  • Fully automated starting with @teale.io/eslint-config versions 1.8.11 and 1.8.12 (March 20, 21:16-21:21 UTC)
  • Automatically deploys malicious code to all packages accessible with stolen tokens
  • Simple structure written in "vibecoded" style without obfuscation attempts

Blockchain C2: A New Defensive Challenge

The most notable technical innovation in this attack is the use of canisters, the tamper-proof smart contracts of the ICP blockchain, as C2 dead-drops. Researchers assess this as the first such case observed in an npm attack campaign.

Traditional C2 servers could be neutralized through domain blocking, IP blacklisting, DNS sinkholing, and other methods. However, blockchain-based C2 cannot be blocked at a single point due to the distributed ledger's nature, and attackers can update payloads stored in canisters at any time, making defense much more difficult.

Infected Package List (Partial)

Major infected packages confirmed to date:

  • @emilgroupwave (initially discovered)
  • @teale.io/eslint-config (versions 1.8.11, 1.8.12 - self-propagation upgrade)
  • 45+ additional packages (full list available in Aikido Security report)

Developer Security Community Response

This incident once again demonstrates the vulnerability of open-source supply chain security. The npm registry hosts millions of packages, and a single compromised package can affect thousands of downstream projects.

Experts recommend the following immediate responses:

  • Review npm packages installed within the last 48 hours
  • Immediately rotate npm tokens and audit permissions
  • Verify package integrity before executing postinstall hooks
  • Trivy users must re-download official binaries and verify integrity

[AI Analysis] Evolution and Outlook of Supply Chain Attacks

CanisterWorm demonstrates two important evolutions in supply chain attacks.

First, the irony of trusted security tools themselves becoming attack vectors. Trivy is a tool designed to find vulnerabilities, yet its compromise exposed numerous organizations' CI/CD pipelines to risk. This underscores the importance of supply chain verification for security tools themselves.

Second, the emergence of blockchain-based C2 infrastructure techniques presents a new challenge to defenders. Blockchain's distributed and immutable characteristics were originally intended to enhance security, but attackers have leveraged them inversely to build unblockable C2. Similar techniques are likely to be attempted on other blockchain platforms (Ethereum, Solana, etc.) in the future.

The full automation of self-propagating worms (from version 1.8.11 onward) means attackers can maximize the scale of damage with minimal intervention after the initial infiltration. It also shows that the more interdependent the npm ecosystem becomes, the faster a worm's spread can accelerate.

The developer community must strengthen multi-layered defense systems including dependency tree analysis, automated SBOM (Software Bill of Materials) generation, and pre-validation of packages in sandbox environments. Additionally, central repositories like npm should consider introducing additional verification steps for high-risk features such as postinstall scripts.


Comments (2)

솔직한강아지 · 1 hour ago

I think this issue needs to be approached carefully.

성수의해 · 12 minutes ago

On the ecosystem issue, I think we need to hear both sides.
