On March 19, 2026, the software supply chain ecosystem faced one of its most sophisticated attacks yet. Threat actor TeamPCP exploited retained credentials to compromise Trivy—a popular open-source vulnerability scanner—cascading the breach across GitHub Actions, Docker registries, and npm packages. The incident demonstrates how incomplete credential rotation after an initial security incident can enable devastating follow-on attacks.
What Happened
The attack began in late February 2026 when TeamPCP (also tracked as DeadCatx3, PCPcat, ShellForce, and CipherForce) exploited a pull_request_target misconfiguration in Trivy's GitHub Actions, according to [Aqua Security](https://www.aquasec.com/blog/autonomous-runtime-security-turning-runtime-intelligence-into-agentic-response-2/). An AI-driven tool called hackerbot-claw stole a privileged Personal Access Token (PAT), enabling repository takeover.
Aqua Security rotated credentials on March 1, 2026—but critically, the rotation was incomplete. TeamPCP retained access via the aqua-bot service account. On March 19 at approximately 17:43 UTC, attackers force-pushed 76 out of 77 tags in the aquasecurity/trivy-action repository and all 7 tags in aquasecurity/setup-trivy, as documented by [Socket](https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise). This triggered automated releases of malicious binaries to GitHub Releases, Docker Hub, GitHub Container Registry (GHCR), and Amazon ECR.
The Trivy team contained the attack by 20:38 UTC—roughly three hours later—removing malicious artifacts and publishing safe versions on March 20. But the damage had already cascaded to the npm ecosystem through a self-propagating worm dubbed CanisterWorm.
Technical Details
The attack unfolded in multiple sophisticated stages, blending into normal CI/CD operations to avoid detection.
Stage 1: Malicious GitHub Actions Payload
The malware embedded in entrypoint.sh executed before legitimate Trivy scans, making detection difficult. According to [CrowdStrike](https://www.crowdstrike.com/en-us/blog/from-scanner-to-stealer-inside-the-trivy-action-supply-chain-compromise/), the payload scanned /proc/ and /proc/ for GitHub runner processes, targeting:
- SSH keys and GPG keys
- AWS, GCP, and Azure credentials
- Kubernetes tokens and Docker credentials
- Database credentials and Terraform state files
- Solana keys and Git helper tokens
Stage 2: Encrypted Exfiltration
Stolen data was encrypted using AES-256-CBC with an RSA-4096-wrapped session key, bundled as tpcp.tar.gz. Exfiltration occurred via HTTPS POST to scan.aquasecurtiy[.]org (45.148.10.212)—a typosquatting domain mimicking Aqua's legitimate infrastructure. Fallback exfiltration used victims' own GitHub PATs to create public tpcp-docs repositories, as detailed by [Upwind](https://www.upwind.io/feed/trivy-supply-chain-incident-github-actions-compromise-breakdown).
Stage 3: CanisterWorm Self-Propagation
TeamPCP deployed CanisterWorm, a self-propagating worm that infected 28 npm packages initially, eventually expanding to 141 artifacts across 66+ packages, according to [The Hacker News](https://thehackernews.com/2026/03/trivy-supply-chain-attack-triggers-self.html). The worm:
- Harvested npm tokens from ~/.npmrc and environment variables
- Used stolen tokens to query victims' owned packages
- Incremented patch versions and republished packages with embedded malware
- Installed a persistent systemd service named pgmon (masquerading as PostgreSQL monitoring)
What makes CanisterWorm particularly innovative is its command-and-control infrastructure. It uses an ICP canister—a tamperproof smart contract on the Internet Computer blockchain—as a censorship-resistant dead drop resolver, as explained by [Endor Labs](https://www.endorlabs.com/learn/canisterworm). This decentralized approach prevents traditional takedown efforts.
Impact Assessment
The attack exposed CI/CD pipelines worldwide. Organizations using Trivy v0.69.4 or referencing mutable tags (like latest) in their workflows were affected. Detections spiked on Linux GitHub runners on March 19, according to [CrowdStrike](https://www.crowdstrike.com/en-us/blog/from-scanner-to-stealer-inside-the-trivy-action-supply-chain-compromise/).
The cascading nature of the attack amplified its reach:
- Direct victims: CI/CD pipelines running compromised Trivy actions had secrets exfiltrated
- Secondary victims: Developers installing infected npm packages became propagation vectors
- Tertiary victims: Organizations downstream from compromised publishers received backdoored dependencies
Notably, [Chainguard reported](https://www.chainguard.dev/unchained/chainguard-customers-unaffected-by-the-trivy-supply-chain-attack) that customers using their secure-by-default images were unaffected—a testament to the value of immutable infrastructure and verified builds.
What You Should Do
Immediate Actions:
- Avoid Trivy v0.69.4—use v0.69.5 or later with pinned SHA references instead of mutable tags
- Rotate all secrets that may have been exposed in CI/CD pipelines during March 19-20, 2026, including cloud provider credentials, SSH keys, and npm tokens
- Audit for IOCs: Check for outbound connections to scan.aquasecurtiy[.]org, Cloudflare tunnels like plug-tab-protective-relay.trycloudflare.com, or public repositories named tpcp-docs
- Review npm packages: Check for unexpected version bumps or suspicious postinstall scripts in dependencies
- Check systemd services: Look for suspicious user services named pgmon
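One way to carry out the npm review step, as an added example that is not from the original article or from any vendor's tooling: it walks an installed node_modules tree and lists every package that declares a script npm runs automatically at install time. The package names in demo() are constructed, and a hit is a lead for manual review, not proof of compromise.

```python
import json
import tempfile
from pathlib import Path

# Scripts npm runs automatically at install time.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def find_install_hooks(node_modules):
    """Return (package, version, hook, command) for every installed package
    that declares an install-time lifecycle script."""
    found = []
    for manifest in sorted(Path(node_modules).rglob("package.json")):
        pkg_dir = manifest.parent
        # Accept node_modules/<pkg> and node_modules/@scope/<pkg> only, so
        # package.json files shipped inside a package's sources are ignored.
        holder = pkg_dir.parent
        if holder.name.startswith("@"):
            holder = holder.parent
        if holder.name != "node_modules":
            continue
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            found.append((str(pkg_dir), "?", "unparseable manifest", ""))
            continue
        scripts = data.get("scripts") if isinstance(data, dict) else None
        if not isinstance(scripts, dict):
            continue
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                found.append((data.get("name", pkg_dir.name),
                              str(data.get("version", "?")), hook, scripts[hook]))
    return found

def demo():
    """Build a constructed node_modules tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "node_modules"
        sample = {  # constructed packages, not real ones
            "clean-lib": {"name": "clean-lib", "version": "1.0.0",
                          "scripts": {"test": "node test.js"}},
            "@acme/tool": {"name": "@acme/tool", "version": "2.3.5",
                           "scripts": {"postinstall": "node index.js"}},
            "clean-lib/fixtures": {"scripts": {"postinstall": "ignored"}},
        }
        for rel, manifest in sample.items():
            (root / rel).mkdir(parents=True, exist_ok=True)
            (root / rel / "package.json").write_text(json.dumps(manifest))
        return find_install_hooks(root)
```

Comparing the output against the same audit from a known-good install shows which hooks appeared together with a patch-version bump.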
Longer-Term Hardening:
- Pin GitHub Actions to specific commit SHAs rather than tags or branches
- Implement comprehensive credential rotation procedures that include service accounts and bot tokens
- Monitor CI/CD logs for anomalous network connections and file access patterns
- Consider using reproducible builds and signed artifacts
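To check the first hardening item across a repository, the following added example (not code from the article or from the Trivy project) flags every `uses:` reference in a workflow file that is not pinned to a full 40-character commit SHA. The sample workflow, its tag names and the placeholder SHA are constructed for illustration.

```python
import re

# A full 40-hex commit SHA is the only ref form treated as pinned here.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: owner/repo[/path]@ref` on a step or reusable-workflow job,
# with an optional list dash, optional quotes and an optional trailing comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)['"]?""")

def audit_workflow(text):
    """Return (line_no, reference, reason) for each `uses:` not pinned immutably."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):          # local action, versioned with the repo
            continue
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:     # image tags are mutable, digests are not
                findings.append((no, ref, "docker image not pinned to a digest"))
            continue
        _, sep, version = ref.partition("@")
        if not sep:
            findings.append((no, ref, "no ref given"))
        elif not SHA_RE.match(version):
            findings.append((no, ref, "mutable ref '%s' (tag or branch)" % version))
    return findings

# Constructed workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - name: Scan
        uses: aquasecurity/trivy-action@master
      - uses: ./.github/actions/local
      - uses: docker://alpine:3
"""
```

Running audit_workflow over each file under .github/workflows in CI and failing the job on any finding keeps new mutable references from being merged.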
Lessons Learned
This incident highlights several critical security principles:
1. Credential rotation must be complete. Aqua's partial rotation on March 1 left TeamPCP with continued access. Any credential exposure—especially to service accounts and automation tokens—requires exhaustive enumeration and rotation.
2. Mutable references are dangerous. Tag-based references in CI/CD pipelines can be force-updated by attackers. Pinning to cryptographic hashes provides integrity guarantees.
3. Supply chain attacks cascade. A single compromised repository can propagate across multiple ecosystems. The Trivy compromise spread to Docker registries, then npm packages, demonstrating how interconnected our infrastructure has become.
4. Decentralized C2 is evolving. CanisterWorm's use of blockchain-based command infrastructure represents a troubling trend toward resilient, takedown-resistant malware. Security tools must adapt to detect anomalous blockchain interactions.
5. Defense in depth matters. Organizations with additional controls—like Chainguard's verified builds—remained unaffected even when upstream was compromised.
Resources
- [Aqua Security Incident Analysis](https://www.aquasec.com/blog/autonomous-runtime-security-turning-runtime-intelligence-into-agentic-response-2/)
- [CrowdStrike Technical Breakdown](https://www.crowdstrike.com/en-us/blog/from-scanner-to-stealer-inside-the-trivy-action-supply-chain-compromise/)
- [Socket: CanisterWorm npm Analysis](https://socket.dev/blog/canisterworm-npm-publisher-compromise-deploys-backdoor-across-29-packages)
- [Endor Labs: CanisterWorm Deep Dive](https://www.endorlabs.com/learn/canisterworm)
- [The Hacker News Coverage](https://thehackernews.com/2026/03/trivy-supply-chain-attack-triggers-self.html)