On March 19, 2026, thousands of CI/CD pipelines ran their routine Trivy vulnerability scans. Trivy is one of the most widely deployed open-source security scanners in the cloud-native ecosystem, maintained by Aqua Security. What those pipelines actually executed was a credential stealer.

A threat group tracked as TeamPCP had compromised Aqua Security’s service account and force-pushed malicious code to 76 of 77 trivy-action version tags on GitHub. Within 24 hours, the stolen credentials fueled something new: CanisterWorm, a self-propagating npm worm that uses an Internet Computer Protocol blockchain canister as its command-and-control server. The C2 infrastructure cannot be seized, blocked, or taken down through conventional means.

CISA assigned CVE-2026-33634 (CVSS 9.4) and added it to its Known Exploited Vulnerabilities catalog on March 25.

How the Attack Unfolded

The attack ran in five phases across six days, each phase feeding the next.

Phase 1: Trivy Compromise (March 19). TeamPCP used credentials stolen in a prior incident (a late-February breach of the same infrastructure) to push malicious commits to the aquasecurity/trivy-action and aquasecurity/setup-trivy GitHub Actions repositories. They force-pushed 110+ version tags, replacing them with a three-stage credential stealer that the group self-identified as the “TeamPCP Cloud stealer.” The stealer dumped Runner.Worker process memory, swept 50+ credential paths on self-hosted runners, encrypted harvested data with AES-256-CBC and RSA-4096, and exfiltrated via typosquatted domains designed to blend into CI/CD log output.

Every project that ran a Trivy scan during this window pulled the compromised action. The stealer harvested SSH keys, AWS/GCP/Azure credentials, Kubernetes tokens, Docker registry credentials, database passwords, npm tokens, shell histories, and TLS private keys.

Phase 2: Docker poisoning. TeamPCP published an infected Trivy binary (v0.69.4) to GitHub Releases and container registries. The malicious binary deployed a systemd service (sysmon.py) that polled the blockchain canister every 50 minutes for instructions.

Phase 3: CanisterWorm deployment (March 20). Using the npm tokens harvested from Phase 1, TeamPCP launched CanisterWorm. The initial wave was manual: a script called deploy.js used stolen tokens to publish malicious patch updates to every npm package the compromised credentials could access. Twenty-eight packages were infected in under 60 seconds. Aikido Security detected the burst at 20:45 UTC when dozens of packages across multiple organizations simultaneously received unauthorized updates.

Phase 4: Self-propagation. Later mutations of CanisterWorm added automatic token theft and malicious publishing in the npm postinstall hook. Every developer or CI pipeline that installed an affected package became an unwitting propagation vector. The worm searched for .npmrc files and environment variables containing npm authentication tokens, passed them to deploy.js, and republished itself across the victim’s entire package portfolio. Socket reported the attack expanded to 141 malicious artifacts across 66+ unique packages.

Phase 5: Escalation. On March 22, TeamPCP defaced all 44 repositories in Aqua Security’s internal “aquasec-com” GitHub organization in a scripted two-minute burst. Every repository was renamed with a “tpcp-docs-” prefix and the description “TeamPCP Owns Aqua Security.” On March 24, LiteLLM was compromised on PyPI, with malicious versions 1.82.7 and 1.82.8 live for approximately five hours. The attack vector: LiteLLM’s CI/CD pipeline used Trivy for scanning, which gave TeamPCP the PyPI publishing token.

The Blockchain C2 Mechanism

CanisterWorm’s C2 architecture is what separates it from prior supply chain attacks. Instead of communicating with a conventional web server (which security teams can block, law enforcement can seize, and hosting providers can shut down), the Python backdoor polls an ICP canister deployed on the Internet Computer blockchain.

ICP is a decentralized network created by the DFINITY Foundation in Switzerland. A “canister” is code that runs autonomously on the network. No single company or host controls it. It cannot be removed through a standard takedown request.

The canister exposes three methods: get_latest_link (retrieve the current payload URL), http_request (serve that URL to the backdoor), and update_link (rotate to a new payload without touching the infected packages). This means TeamPCP can change what executes on infected machines at any time, without republishing a single npm package. The malware researchers at Mend.io confirmed this is the first publicly documented use of an ICP canister for C2 purposes in npm malware.

On the client side, CanisterWorm creates a persistent systemd service disguised as PostgreSQL monitoring (named “pgmon”), configured with Restart=always. Killing the process is not sufficient. The service file must be found and disabled.

As of publication, the ICP canister was returning a YouTube rickroll link, suggesting the attackers paused active payload delivery. But the infrastructure remains live. TeamPCP can resume operations at will.

The Destructive Payload

Aikido Security researchers discovered that CanisterWorm includes a geofenced destructive payload. When the malware detects Tehran’s time zone or Farsi as the primary language on the compromised system, it wipes the Kubernetes cluster and all its nodes. On non-Iranian systems, it defaults to data theft.

The targeting of Iranian infrastructure suggests geopolitical motivation alongside financial crime. TeamPCP has been linked to Docker API and Kubernetes exploitation, ransomware, cryptomining, and extortion. As of March 25, reports indicate the group is working through approximately 300 GB of compressed stolen credentials and collaborating with the LAPSUS$ extortion group to target multi-billion-dollar companies.

Why This Attack Matters

The Trivy compromise inverts the normal security model. The tool deployed to find vulnerabilities became the vulnerability. Organizations that scanned the most diligently had the greatest exposure. Every pipeline that ran Trivy between March 19 and 21 executed the credential stealer.

The cascading nature of the attack is the part that should concern every engineering team. One compromised security tool led to stolen npm tokens, which led to 66+ compromised npm packages, which led to compromised PyPI packages (LiteLLM), which led to access to downstream AI infrastructure used in 36% of cloud environments, according to Wiz.

This pattern matches what we documented in our analysis of the broader AI supply chain attack surface: the tools that developers trust most are the tools attackers target first. And AI tooling, with its concentrated credential access and rapid adoption cycles, amplifies the blast radius.

The blockchain C2 adds a permanent dimension. Previous supply chain worms could be contained by taking down the C2 server. CanisterWorm’s C2 lives on a decentralized network with no takedown mechanism. Future attackers will adopt this technique. The playbook is public, and security researchers assessed the worm’s code was likely developed with AI coding assistance, prioritizing speed over stealth.

What to Do Now

If your organization ran Trivy in any CI/CD pipeline between March 19 and March 24, 2026, treat every secret in that environment as compromised. The verified safe versions: Trivy v0.69.3, trivy-action v0.35.0, setup-trivy v0.2.6. Pin all GitHub Actions to full SHA hashes, not version tags. Search for tpcp-docs repositories in your GitHub organization (their presence indicates successful exfiltration). Block scan.aquasecurtiy[.]org and 45.148.10.212 at the network level. Check developer machines for sysmon.py or pgmon systemd services.

If your organization uses LiteLLM, verify you did not install versions 1.82.7 or 1.82.8 from PyPI between 10:39 UTC and 16:00 UTC on March 24. Users of LiteLLM Cloud or the official Docker image were not affected due to strict version pinning.

The deeper lesson: security scanners run with elevated privileges in your most sensitive environments. They should be treated with the same suspicion and verification standards as any other third-party code. Pin to immutable references. Monitor for unauthorized updates. Assume that the supply chain for your security tooling is itself a target.