5 min read Supply Chain Attack npm Malware TeamPCP CanisterWorm Cybersecurity

The CanisterWorm Attack: How a Compromised Scanner Unleashed a Blockchain-Backed npm Worm

TeamPCP compromised Aqua Security's Trivy scanner to harvest credentials, launching the self-spreading CanisterWorm npm attack with an untakedownable blockchain C2.

Between March 17 and March 24, 2026, the software supply chain was hit by a massive, cascading attack orchestrated by the threat actor group known as TeamPCP. What began as a compromise of a widely trusted security tool rapidly escalated into a self-spreading npm worm known as CanisterWorm.

An abstract 3D visualization showing a glowing cyan digital worm infiltrating a network of blue software supply chain pipelines, set against a dark background with faint blockchain node geometry.

Phase 1: The Trivy Scanner Compromise

The campaign officially kicked off on March 19, when TeamPCP successfully compromised Aqua Security’s Trivy vulnerability scanner. The attackers exploited a GitHub Actions pull_request_target misconfiguration (tracked as CVE-2026-33634, carrying a critical CVSS score of 9.4). This flaw allowed the threat actors to steal a highly privileged Personal Access Token (PAT).

Armed with this PAT, TeamPCP force-pushed malicious code to 75 of the 76 version tags for the aquasecurity/trivy-action repository. This effectively transformed a trusted security scanner into a massive credential harvester. Over 10,000 CI/CD pipelines inadvertently executed the poisoned action, allowing the attackers to siphon SSH keys, cloud provider credentials, and npm authentication tokens.

As noted by Phoenix Security:

"TeamPCP turned Aqua Security’s own scanner into a credential stealer, force-pushed 76 version tags, and is still inside the organisation — three compromises in under a month, and counting."

A diagram illustrating a four-stage security breach: 1. Compromised Trivy GitHub Action environment, 2. Extraction of npm registry tokens, 3. Malicious code injection into the npm registry, and 4. Deployment of the CanisterWorm malware. Attack Flow: From Trivy CI/CD compromise to the distribution of the CanisterWorm npm infection.

Phase 2: Unleashing CanisterWorm

On March 20, 2026, TeamPCP weaponized the stolen npm tokens to launch the second phase of their campaign: CanisterWorm. This self-spreading npm worm quickly infected at least 135 packages across several high-profile scopes, including @EmilGroup, @opengov, and @airtm.

Kodem Security highlighted the underlying architectural weakness that allowed the worm to spread so effectively:

"The core vulnerability was a flaw in the trust model. Malicious package versions, published through a compromised, trusted account, were automatically integrated into downstream environments during standard installation and CI builds due to their wide adoption."

CanisterWorm relies on a malicious postinstall hook. When an infected package is installed, the hook immediately begins harvesting local credentials. While the credential theft components are OS-agnostic—affecting macOS, Windows, and Linux environments—the worm's ultimate payload is highly targeted.

Phase 3: The Unkillable Blockchain C2

The most sophisticated aspect of CanisterWorm is its persistence mechanism and command-and-control (C2) infrastructure. The worm deploys a persistent Python-based backdoor specifically designed for Linux systems, establishing persistence via systemd user services.

To evade traditional incident response and infrastructure takedowns, TeamPCP hosted their C2 on the Internet Computer Protocol (ICP) blockchain.

Mend.io provided critical insight into this evasion tactic:

"CanisterWorm is explicitly designed to target Linux systems... it connects to a command-and-control server built on the Internet Computer Protocol (ICP), a decentralized blockchain network. Because ICP has no single host or provider, the C2 infrastructure cannot be taken down through a conventional takedown request."

A technical diagram showing several compromised Linux terminal windows highlighted in red, connected via dotted red lines to a central, glowing blue blockchain network representation. Data packets are shown moving between the machines and the decentralized ledger. Blockchain-based C2 infrastructure uses decentralized ledgers to distribute commands, making the network highly resistant to traditional shutdown methods.

Immediate Remediation Steps

As the fallout from the TeamPCP campaign continues to unfold, organizations must take immediate action:

  1. Rotate All Credentials: Any secrets, SSH keys, cloud credentials, or npm tokens exposed to CI/CD pipelines utilizing aquasecurity/trivy-action between March 19 and March 24 must be considered compromised and rotated immediately.
  2. Audit npm Dependencies: Scan your environments for any packages under the @EmilGroup, @opengov, or @airtm scopes, as well as any unexpected postinstall executions.
  3. Hunt for Persistence: On Linux workstations and servers, check systemd user services for unauthorized Python scripts establishing outbound connections to ICP network gateways.

The CanisterWorm attack is a stark reminder that in the modern software supply chain, a compromise of a trusted security tool can rapidly cascade into an ecosystem-wide disaster.

🛡️
SaaS PenTest

Automated web application penetration testing platform. Helping teams find and fix security vulnerabilities.

Share: X in

Ready to Secure Your Application?

Run automated penetration tests across 9 security modules. Find vulnerabilities in your web applications, APIs, and infrastructure — before attackers do.

Start Free Scan → ← Back to Blog