Self-Spreading CanisterWorm Hits 47 npm Packages After Trivy Supply Chain Compromise

A Supply Chain Attack on a Security Tool Spawns an Unprecedented Self-Replicating npm Worm

The cybersecurity community is grappling with one of the most sophisticated software supply chain attacks in recent memory, as a compromise of the popular open-source security scanner Trivy has triggered a self-spreading malware campaign dubbed CanisterWorm that has infected at least 47 npm packages. The attack represents a disturbing evolution in supply chain tactics: the worm uses compromised npm credentials to autonomously spread itself to every package a stolen token provides access to, dramatically amplifying the blast radius beyond the initial compromise.

The incident began on March 19, 2026, when Trivy maintainers at Aqua Security detected that a threat actor had used a compromised credential to inject malicious code into the project's distribution channels. Trivy, which is widely used by development teams to scan container images, filesystems, and code repositories for security vulnerabilities, represented a high-value target — compromising a security tool that developers trust implicitly is perhaps the most effective form of supply chain attack possible.

Office 2024 Pro Plus

Word, Excel, PowerPoint + more. 3 Devices.

$29

Buy Now →

Windows 11 Pro

Professional Edition. 3 Devices.

$29

Buy Now →

Office 365 Lifetime

5 Devices. Lifetime Account.

$29

Buy Now →

Visio 2024 Pro

Professional Diagramming. 3 Devices.

$29

Buy Now →

Project 2024 Pro

Project Management. 3 Devices.

$29

Buy Now →

Win 11 + Office Bundle

Win 11 Pro + Office + Visio + Project

$49.99

Buy Now →

According to analysis by Aikido Security researcher Charlie Eriksen, the follow-on attack introduced a novel technical approach: the malicious payload uses Internet Computer Protocol (ICP) canisters as a dead drop for command-and-control server addresses. This marks the first publicly documented abuse of ICP canisters for C2 infrastructure, adding a layer of decentralisation and resilience that makes the attack infrastructure significantly harder to take down than traditional server-based C2 systems.

Background and Context

Software supply chain attacks have emerged as one of the most dangerous threat vectors in modern cybersecurity. The 2020 SolarWinds attack, which compromised updates from a widely used IT management platform to infiltrate government agencies and major corporations, demonstrated the devastating potential of attacking trusted software distribution channels. Since then, the frequency and sophistication of supply chain attacks have increased steadily, with package managers like npm, PyPI, and RubyGems becoming frequent targets.

Trivy's compromise is particularly alarming because of the tool's role in the security ecosystem. Developed by Aqua Security, Trivy is one of the most popular open-source vulnerability scanners, integrated into CI/CD pipelines across thousands of organisations to detect security issues before code reaches production. When a security scanning tool itself becomes a vector for malware, it undermines the very trust model that the entire DevSecOps practice is built on. Organisations that maintain secure development environments, including properly licensed systems with a genuine Windows 11 key, still depend on their toolchain integrity for effective security.

The npm ecosystem, which hosts over two million JavaScript packages and serves billions of downloads weekly, has been a recurring target for supply chain attacks. The ecosystem's design — where packages can declare dependencies on other packages, creating deep dependency trees — means that compromising a single popular package can affect thousands of downstream projects. The CanisterWorm exploit leverages this architecture by using stolen tokens to spread across packages, effectively weaponising the interconnectedness that makes npm so powerful.

Why This Matters

The CanisterWorm attack introduces several concerning innovations that raise the bar for software supply chain security. The self-spreading mechanism — where the malware autonomously propagates to every package accessible via a compromised npm token — creates an exponential amplification effect that previous supply chain attacks lacked. Traditional attacks require the attacker to manually compromise each target; CanisterWorm automates this process, allowing a single compromised credential to cascade across dozens of packages within minutes.

The use of ICP canisters for command-and-control infrastructure is equally concerning. Traditional C2 servers have known IP addresses or domain names that can be blocked, taken down, or monitored by security teams. ICP canisters run on a decentralised blockchain network, making them inherently resistant to takedown requests and difficult to monitor through conventional network security tools. This technique, if widely adopted, could fundamentally change how security teams approach C2 detection and disruption.

Perhaps most troubling is the report that the worm was "vibe-coded" — apparently created using AI coding tools. If accurate, this suggests that AI is lowering the barrier for creating sophisticated malware, enabling less technically skilled attackers to produce code that would previously have required significant expertise. For businesses relying on enterprise productivity software and complex development environments, this evolution demands heightened vigilance in supply chain security practices.

Industry Impact

The immediate impact falls on the thousands of development teams that use Trivy in their security pipelines. Trivy maintainers have confirmed that all malicious artifacts have been removed and that current releases point to safe versions, but organisations must verify their installations and audit any builds processed during the window of compromise. The broader npm packages affected by CanisterWorm's spread require similar attention.

For the open-source security community, this incident reinforces the need for stronger credential management, package signing, and provenance verification across package managers. npm has been working on improved security features, including package provenance attestations that cryptographically link published packages to their source code and build systems. However, adoption of these features remains incomplete, and the CanisterWorm attack demonstrates the consequences of this gap.

The incident also highlights the tension between open-source software's collaborative nature and the security requirements of enterprise deployments. Open-source projects often rely on individual maintainers who may not have the resources or expertise to implement enterprise-grade security practices for credential management and access control. This structural vulnerability makes the entire ecosystem dependent on the security practices of its weakest links.

Expert Perspective

Security researchers emphasise that the CanisterWorm attack represents an evolution rather than a revolution in supply chain tactics, but an important one. The combination of automated propagation, decentralised C2 infrastructure, and the targeting of a security tool itself creates a template that other attackers will likely study and replicate. The use of systemd persistence mechanisms disguised as legitimate services (masquerading as PostgreSQL monitoring) demonstrates the attention to stealth that characterises sophisticated threat actors.

The potential AI-assisted development of the worm is drawing particular attention. If confirmed, it suggests that the democratisation of coding through AI tools extends to malicious applications, potentially increasing the volume and variety of sophisticated malware. Security teams may need to prepare for an environment where novel attack techniques appear more frequently as the barrier to creating them drops.

What This Means for Businesses

Development teams should immediately audit their Trivy installations and verify they are running the latest clean version. Any builds processed during the compromise window (March 19-22) should be reviewed for potential contamination. Organisations using any of the 47 affected npm packages should check their dependency trees and update to verified clean versions.

More broadly, businesses should implement or strengthen supply chain security practices including package pinning (locking dependencies to specific verified versions), Software Bill of Materials (SBOM) generation, and automated vulnerability scanning of dependency trees. Using properly licensed development tools and operating systems — including an affordable Microsoft Office licence for documentation and collaboration — ensures that the entire development environment maintains security update support.

Key Takeaways

• The Trivy security scanner was compromised through a stolen credential, leading to malicious code injection
• The follow-on CanisterWorm attack self-propagated across 47 npm packages using stolen tokens
• The worm uses ICP canisters for decentralised command-and-control — a first in documented attacks
• The malware was reportedly AI-assisted in its development, lowering the barrier for sophisticated attacks
• Trivy maintainers have released clean versions, but organisations must audit their installations
• The incident highlights critical gaps in npm ecosystem security and credential management

Looking Ahead

The CanisterWorm attack will likely accelerate efforts to improve supply chain security across the open-source ecosystem. Expect increased focus on mandatory package signing, provenance verification, and credential hygiene for package maintainers. The use of decentralised infrastructure for C2 operations may also prompt security tool vendors to develop new detection capabilities for blockchain-based command channels. For development teams, the message is clear: supply chain security is no longer optional, and trusting your tools requires verifying them continuously.