Full Report
The threat actors behind the supply chain attack targeting the popular Trivy scanner are suspected to be conducting follow-on attacks that have led to the compromise of a large number of npm packages with a previously undocumented self-propagating worm dubbed CanisterWorm. The name is a reference to the fact that the malware uses an ICP canister, which refers to tamperproof smart contracts on
Analysis Summary
# Incident Report: Supply Chain Compromise and "CanisterWorm" Distribution
## Executive Summary
A sophisticated supply chain attack targeted the widely used Trivy security scanner, followed by the deployment of a self-propagating worm named "CanisterWorm" across 47 npm packages. The attack utilized a novel Command and Control (C2) mechanism involving decentralized ICP (Internet Computer Protocol) canisters as dead drop resolvers. The incident, attributed to the threat actor "TeamPCP," resulted in the compromise of multiple organizational scopes and the potential for persistent backdoor access via malicious npm updates.
## Incident Details
- **Discovery Date:** March 21, 2026 (Reported)
- **Incident Date:** March 20–21, 2026
- **Affected Organizations:** @EmilGroup, @opengov, @teale.io, @airtm, @pypestream
- **Sector:** Software Development / Technology
- **Geography:** Global (Supply Chain Impact)
## Timeline of Events
### Initial Access
- **Date/Time:** March 20, 2026
- **Vector:** Compromised Credentials
- **Details:** Threat actors used stolen credentials to publish malicious versions (0.69.4) of `trivy`, `trivy-action`, and `setup-trivy` containing credential stealers.
### Lateral Movement
- **Mechanism:** Self-propagating Worm ("CanisterWorm")
- **Details:** Attackers used a standalone tool (`deploy.js`) and stolen npm tokens to programmatically inject malware into every package within the reached scopes, effectively "worming" through the npm registry.
### Data Exfiltration/Impact
- **Impact:** Compromise of 47+ npm packages.
- **Backdoor:** Deployment of a Python-based backdoor via `postinstall` hooks.
- **Theft:** Initial stage was designed to steal developer credentials and npm tokens to further the spread.
### Detection & Response
- **Discovery:** Identified by researchers at Aikido Security and Wiz.
- **Details:** Analysts observed unusual `postinstall` scripts and a novel C2 mechanism pointing to an ICP canister dashboard.
## Attack Methodology
- **Initial Access:** Valid accounts (compromised npm credentials).
- **Persistence:** Systemd user service masquerading as "pgmon" (PostgreSQL monitoring) with a `Restart=always` directive.
- **Defense Evasion:** Use of legitimate YouTube links as a "dormant state" switch; masquerading as database tooling; decentralized C2 infrastructure (ICP canisters) to resist takedowns.
- **Credential Access:** Credential-stealing code embedded in trojanized Trivy binaries and npm loaders.
- **Discovery:** Automated scanning of developer environments for npm tokens.
- **Lateral Movement:** Automated publishing of malicious updates to packages owned by compromised accounts via `deploy.js`.
- **Collection:** Automated collection of system environment variables and tokens.
- **Exfiltration:** HTTPS requests to attacker-controlled loaders and decentralized canisters.
- **Impact:** Supply chain contamination; unauthorized remote code execution (RCE) capability on developer and CI/CD machines.
## Impact Assessment
- **Financial:** High (Cleanup costs for 47+ packages and potential downstream consumer breaches).
- **Data Breach:** Compromise of developer credentials and CI/CD secrets.
- **Operational:** Disruption of CI/CD pipelines relying on Trivy or affected npm scopes.
- **Reputational:** Significant impact on the trust of the Trivy project and affected npm organizations.
## Indicators of Compromise
- **Network Indicators:**
  - `dashboard.internetcomputer[.]org/canister/tdtqy-oyaaa-aaaae-af2dq-cai` (C2 Resolver)
  - `youtube[.]com` (Used as a dormant state indicator)
- **File Indicators:**
  - `sysmon.py` (Python dropper)
  - `deploy.js` (Worm propagation script)
  - `pgmon` (Malicious systemd service name)
- **Behavioral Indicators:**
  - Unexpected `postinstall` execution in npm packages.
  - Outbound traffic to ICP (Internet Computer Protocol) canister endpoints every 50 minutes.
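
The 50-minute cadence in the last behavioral indicator can be hunted with interval analysis over egress logs. The following is an added example, not part of the original report: it flags source hosts whose requests to ICP gateways recur at a steady interval of about 50 minutes. The log format, host names, gateway suffix list, jitter tolerance and minimum sample count are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed Internet Computer gateway suffixes; extend for your environment.
ICP_SUFFIXES = ("internetcomputer.org", "icp0.io", "ic0.app")
EXPECTED_S = 50 * 60   # check-in interval stated in the report
TOLERANCE_S = 5 * 60   # jitter allowed around that interval (assumption)
MIN_HITS = 4           # samples required before calling it periodic

# Constructed proxy log: "<ISO timestamp> <source host> <destination host>"
SAMPLE_LOG = """\
2026-03-21T08:00:05 build-07 placeholder-canister.icp0.io
2026-03-21T08:50:09 build-07 placeholder-canister.icp0.io
2026-03-21T09:01:00 dev-12 dashboard.internetcomputer.org
2026-03-21T09:03:10 dev-12 dashboard.internetcomputer.org
2026-03-21T09:40:02 build-07 placeholder-canister.icp0.io
2026-03-21T10:30:11 build-07 placeholder-canister.icp0.io
2026-03-21T11:15:00 dev-12 dashboard.internetcomputer.org
2026-03-21T11:20:04 build-07 placeholder-canister.icp0.io
2026-03-21T14:20:00 dev-12 dashboard.internetcomputer.org
"""

def is_icp(dest):
    dest = dest.lower().rstrip(".")
    return any(dest == s or dest.endswith("." + s) for s in ICP_SUFFIXES)

def find_beacons(log_text):
    """Return {source: median gap in seconds} for sources polling ICP every ~50 min."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not is_icp(parts[2]):
            continue
        try:
            seen[parts[1]].append(datetime.fromisoformat(parts[0]))
        except ValueError:
            continue  # malformed timestamp
    beacons = {}
    for src, times in seen.items():
        if len(times) < MIN_HITS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        near = [g for g in gaps if abs(g - EXPECTED_S) <= TOLERANCE_S]
        # Most gaps must sit near 50 minutes; this tolerates one missed poll.
        if len(near) >= 0.75 * len(gaps):
            beacons[src] = median(gaps)
    return beacons
```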
## Response Actions
- **Containment:** Removal of malicious versions of Trivy (notably v0.69.4) from GitHub and registry mirrors.
- **Eradication:** Identification and removal of 47 infected npm packages across affected scopes (@EmilGroup, @opengov, etc.).
- **Recovery:** Revocation of compromised npm tokens and credentials; advising users to roll back to known-good versions.
## Lessons Learned
- **Decentralized C2:** The use of blockchain-based "canisters" makes traditional IP/domain-based takedowns nearly impossible.
- **AI-Assisted Malware:** The assessment that the worm was "vibe-coded" suggests that AI tools are lowering the barrier for creating self-propagating supply chain malware.
- **Postinstall Risks:** Relying on `postinstall` hooks remains a primary vector for npm-based attacks.
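
To see which installed dependencies declare install-time hooks at all, a dependency tree can be inventoried before scripts are allowed to run. The following is an added example, not part of the original report: it lists every `preinstall`, `install` and `postinstall` script under a directory and suppresses only entries whose exact command was already reviewed, so a hook that appears or changes in a new release of a trusted package is reported again. Package names and the sample tree are hypothetical.

```python
import json
import os
import tempfile

HOOKS = ("preinstall", "install", "postinstall")

def find_install_hooks(root, reviewed=frozenset()):
    """Return sorted (package, version, hook, command) tuples not yet reviewed."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
        if not isinstance(scripts, dict):
            continue
        name = manifest.get("name", dirpath)
        for hook in HOOKS:
            # `reviewed` holds (package, hook, command); a changed command resurfaces.
            if hook in scripts and (name, hook, scripts[hook]) not in reviewed:
                findings.append((name, manifest.get("version", "?"), hook, scripts[hook]))
    return sorted(findings)

def build_sample_tree(root):
    """Write a constructed node_modules tree (package names are hypothetical)."""
    samples = {
        "left-helper": {"name": "left-helper", "version": "1.2.0",
                        "scripts": {"test": "node test.js"}},
        "@example-scope/widgets": {"name": "@example-scope/widgets", "version": "3.4.1",
                                   "scripts": {"postinstall": "node index.js"}},
        "native-addon": {"name": "native-addon", "version": "2.0.0",
                         "scripts": {"install": "node-gyp rebuild"}},
    }
    for rel, manifest in samples.items():
        pkg_dir = os.path.join(root, "node_modules", *rel.split("/"))
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for row in find_install_hooks(tmp, {("native-addon", "install", "node-gyp rebuild")}):
            print(row)
```

npm also runs `node-gyp rebuild` implicitly for packages that ship a `binding.gyp` without declaring an install script, so those packages do not appear in this listing.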
## Recommendations
- **Enforce MFA:** Mandatory Multi-Factor Authentication for all npm maintainers and GitHub contributors.
- **Script Restrictions:** Use `--ignore-scripts` during `npm install` in CI/CD environments where possible.
- **Integrity Checking:** Implement strict version pinning and hash verification (lockfiles) for all security tooling like Trivy.
- **Monitor Systemd:** Audit new systemd user services in developer and build environments for unauthorized entries like `pgmon`.
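
One way to carry out the systemd audit in the last recommendation, as an added example that is not part of the original report: it checks user unit files against the reported names (`pgmon`, `sysmon.py`) and against a behavioral heuristic that still fires if the unit is renamed. The heuristic (`Restart=always` on a bare script interpreter), the interpreter list and the sample unit contents are assumptions.

```python
import configparser
import glob
import os
import re

IOC_UNIT_NAMES = {"pgmon"}       # service name from the report
IOC_FILE_NAMES = {"sysmon.py"}   # dropper file name from the report
# Heuristic (assumption): long-running services rarely start a bare interpreter.
INTERPRETER = re.compile(r"^(python[\d.]*|node|bash|sh)$")

# Constructed unit; the ExecStart path is a placeholder, not taken from the report.
SAMPLE_UNIT = """\
[Unit]
Description=PostgreSQL Monitor

[Service]
ExecStart=/usr/bin/python3 /home/dev/.cache/placeholder/agent.py
Restart=always
"""

def audit_unit(unit_name, text):
    """Return the reasons a unit deserves review; an empty list means no flags."""
    parser = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    parser.optionxform = str     # systemd directive names are case-sensitive
    try:
        parser.read_string(text)
    except configparser.Error:
        return ["unparseable unit file"]
    svc = parser["Service"] if parser.has_section("Service") else {}
    argv = svc.get("ExecStart", "").split()
    reasons = []
    if os.path.splitext(unit_name)[0] in IOC_UNIT_NAMES:
        reasons.append("unit name matches reported IoC")
    if any(os.path.basename(arg) in IOC_FILE_NAMES for arg in argv):
        reasons.append("ExecStart references reported dropper file name")
    program = os.path.basename(argv[0].lstrip("-@+!:")) if argv else ""
    if svc.get("Restart") == "always" and INTERPRETER.match(program):
        reasons.append("Restart=always on a script interpreter")
    return reasons

def audit_user_units(base="~/.config/systemd/user"):
    """Audit every *.service file in a systemd user unit directory."""
    report = {}
    for path in glob.glob(os.path.join(os.path.expanduser(base), "*.service")):
        with open(path, encoding="utf-8", errors="replace") as fh:
            reasons = audit_unit(os.path.basename(path), fh.read())
        if reasons:
            report[path] = reasons
    return report
```

Pass another directory such as `/etc/systemd/user` to `audit_user_units` to cover units installed for all users.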