
Archived Article. The Daily Perspective is no longer active. This article was published on 27 March 2026 and is preserved as part of the archive.


Self-spreading worm weaponises npm, targets Iran with destructive wiper

CanisterWorm demonstrates the cascading risks of supply chain security failures in open-source software

Image: Toms Hardware

Key Points
  • A threat group called TeamPCP compromised Aqua Security's Trivy vulnerability scanner and used stolen credentials to deploy CanisterWorm across 140+ npm packages.
  • The worm self-propagates by harvesting npm tokens from infected machines and automatically publishing malicious versions of packages maintained by compromised developers.
  • CanisterWorm uses blockchain-based command and control infrastructure resistant to conventional takedown, marking the first observed use of decentralised ICP canisters for this purpose.
  • Later variants include a destructive wiper payload that deletes data on systems identified as Iranian through timezone and locale checks.

The attack began with a compromise of Trivy, the open-source vulnerability scanner that many developers rely on to check their code for known security flaws. The threat group identified as TeamPCP moved quickly to weaponise the access: they injected credential-stealing malware into official GitHub Actions releases and were able to publish malicious versions that harvested SSH keys, cloud credentials, Kubernetes tokens and cryptocurrency wallets from users.

What makes this incident particularly concerning is how it escalated beyond the initial compromise. The malware has been updated to be self-propagating and has compromised nearly 50 npm packages. The attack shifted from a situation where a compromised account publishes malware to one where malware compromises more accounts and publishes itself. Every developer or CI pipeline that installs an infected package while an npm token is accessible becomes an unwitting propagation vector: the token is used to infect further packages, downstream users install those packages, and if any of them also have tokens exposed, the cycle repeats.

Researchers observed it targeting 28 packages in under 60 seconds, demonstrating the speed and efficiency of the worm's self-replication. The financial incentives alone make this significant; stolen credentials from developer machines grant access to entire portfolios of maintained packages, turning a single compromise into a cascade of contamination across the open-source ecosystem.

The technical architecture reveals sophisticated thinking on the part of the attackers. Rather than relying on traditional centralised servers for command and control, the malware uses an ICP (Internet Compute Project) canister as a dead drop. A canister is a type of smart contract, and its distributed nature makes it particularly hard to bring down. Because the C2 channel runs through an immutable, distributed blockchain store, the malware is resilient to takedown efforts and seizures. This marks the first publicly documented abuse of an ICP canister for the explicit purpose of fetching the command-and-control server address.

The campaign took a troubling turn when researchers detected a weaponised variant. CanisterWorm has received a new destructive payload that is aimed at wiping Kubernetes clusters on Iranian systems. The payload checks the system timezone for "Asia/Tehran" or "Iran" and locale for "fa_IR" to determine its target. On Kubernetes clusters identified as Iranian, it deploys a privileged DaemonSet containing a container named "kamikaze" that mounts the host's root filesystem, deletes everything at the top level, and force-reboots, effectively bricking every node in the cluster including the control plane.
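The wiper pattern described above (a privileged DaemonSet container that mounts the node's root filesystem) is exactly what a defender can flag in cluster manifests or an admission hook. The following is an added detection example, not code from the article or from any of the researchers it cites; the two DaemonSet manifests are constructed samples, and the `example.invalid` image names and `host-root` volume name are placeholders.

```python
"""Flag workloads matching the CanisterWorm wiper pattern: a privileged
container mounting the host root filesystem via a hostPath volume.
Added example with constructed manifests, not the actual payload."""

# Constructed manifest mirroring the pattern the article describes.
SUSPECT_DAEMONSET = {
    "kind": "DaemonSet",
    "metadata": {"name": "constructed-wiper-sample"},
    "spec": {"template": {"spec": {
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "kamikaze",
            "image": "example.invalid/placeholder:latest",  # placeholder
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "host-root", "mountPath": "/host"}],
        }],
    }}},
}

# Constructed benign DaemonSet: a log agent that only reads /var/log.
BENIGN_DAEMONSET = {
    "kind": "DaemonSet",
    "metadata": {"name": "log-agent"},
    "spec": {"template": {"spec": {
        "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}}],
        "containers": [{
            "name": "agent",
            "image": "example.invalid/log-agent:1.0",  # placeholder
            "volumeMounts": [{"name": "varlog", "mountPath": "/var/log",
                              "readOnly": True}],
        }],
    }}},
}


def host_root_volumes(pod_spec):
    """Names of volumes whose hostPath is the node root ("/" or "//")."""
    return {v["name"] for v in pod_spec.get("volumes", [])
            if v.get("hostPath", {}).get("path", "x").rstrip("/") == ""}


def findings(workload):
    """Return (container, reason) pairs for a Deployment/DaemonSet-like object."""
    pod_spec = workload["spec"]["template"]["spec"]
    root_vols = host_root_volumes(pod_spec)
    out = []
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        privileged = (c.get("securityContext") or {}).get("privileged", False)
        mounts_root = any(m["name"] in root_vols for m in c.get("volumeMounts", []))
        if privileged and mounts_root:
            out.append((c["name"], "privileged container mounts host root filesystem"))
        elif mounts_root:
            out.append((c["name"], "mounts host root filesystem"))
        elif privileged and workload.get("kind") == "DaemonSet":
            out.append((c["name"], "privileged DaemonSet container"))
    return out
```

The same check applied to live objects (for example, the JSON output of `kubectl get daemonsets -A -o json`) catches any node-wide workload with this shape, regardless of the container name the attacker chose.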

Curiously, an Aikido researcher said the group was apparently just showing off, and hypothesised that it may hold credentials to a much larger number of systems than those that participated in the attack. The malicious canister wasn't serving up malware downloads but pointing visitors to a Rick Roll video on YouTube, with the researcher noting it's a little all over the place, and there's a chance this whole Iran thing is just their way of getting attention.

Organisations that ran Trivy-related tooling or GitHub Actions between March 19 and March 21 face real exposure. They should treat all secrets accessible during that period as potentially compromised and rotate them immediately, including SSH keys, cloud provider credentials, Kubernetes tokens, Docker configs, and npm authentication tokens.

The incident exposes a critical vulnerability in how the open-source ecosystem protects itself. Trusted tooling such as security scanners become force multipliers for attackers when compromised. The campaign confirms that worm-like self-propagation has become a recurring technique rather than an isolated incident. The combination of credential harvesting, automated propagation, and resilient decentralised command and control represents a maturation of supply chain attack techniques that merits serious attention from both security vendors and developers who rely on shared code.

Sophia Vargas

Sophia Vargas is an AI editorial persona created by The Daily Perspective, covering US politics, Latin American affairs, and the global shifts emanating from the Western Hemisphere. As an AI persona, its articles are generated using artificial intelligence with editorial quality controls.