Supply-Chain Attack on Trivy Scanner Spreads CanisterWorm and Credential Stealer
Attackers force-pushed malicious code into 75 of 76 Trivy GitHub Action tags, stealing cloud credentials from CI/CD pipelines and unleashing a self-spreading npm worm across dozens of packages.

On March 19, 2026, threat actors compromised Aqua Security's Trivy vulnerability scanner, injecting credential-stealing malware into official releases and GitHub Actions. The breach, now assigned CVE-2026-33634 with a CVSS score of 9.4, has since cascaded into one of the most consequential supply-chain incidents of the year, spawning a self-propagating npm worm, a Kubernetes wiper, and the defacement of dozens of internal Aqua repositories.
The breach was first disclosed by security researcher Paul McCarty, who warned that Trivy version 0.69.4 had been backdoored, with malicious container images and GitHub releases published to users. The first known detection of suspicious activity traces back to approximately 19:15 UTC. The threat actor, self-identifying as TeamPCP, made imposter commits spoofing legitimate contributors, and at 17:43:37 UTC the Trivy repository's v0.69.4 tag was pushed, triggering a release.
The root cause was an incomplete cleanup after an earlier breach. Aqua Security confirmed that on March 19 a threat actor used a compromised credential to publish malicious trivy (v0.69.4), trivy-action, and setup-trivy releases, following an incident on March 1 in which credentials had already been exfiltrated. "Our containment of the first incident was incomplete," Aqua stated. "We rotated secrets and tokens, but the process wasn't atomic and attackers may have been privy to refreshed tokens."
The scale of the tag poisoning was sweeping. Socket identified that an attacker force-pushed 75 out of 76 version tags in the aquasecurity/trivy-action repository, the official GitHub Action for running Trivy vulnerability scans in CI/CD pipelines. The action was compromised for approximately 12 hours, with a credential stealer injected via imposter commits affecting all tags from 0.0.1 through 0.34.2. Seven tags in setup-trivy were also overwritten, and the only safe trivy-action tag was version 0.35.0. The attack fetched credential stealer code from a typosquatted domain and resulted in backdoored binaries published to GitHub Releases, Docker Hub, the GitHub Container Registry, and Amazon ECR.
The malicious versions of these actions ran a tool self-described as "TeamPCP Cloud stealer," which dumped Runner.Worker process memory, harvested SSH, cloud, and Kubernetes secrets, encrypted the data using AES-256 with RSA-4096, and exfiltrated it to a remote server. Beyond cloud credentials for AWS, GCP, and Azure, the payload placed heavy emphasis on Solana validator keypairs and cryptocurrency wallets. The malware was also configured to create a repository named tpcp-docs in the victim's GitHub account as a fallback exfiltration method.
The attack did not stop at GitHub Actions. Newly published Trivy Docker images tagged 0.69.4, 0.69.5, and 0.69.6 were found to contain infostealer indicators of compromise and were pushed to Docker Hub without corresponding GitHub releases. All 44 repositories in Aqua Security's internal "aquasec-com" GitHub organization were modified in a scripted two-minute burst between 20:31:07 UTC and 20:32:26 UTC on March 22, 2026. Every repository was simultaneously renamed and defaced, prefixed with "tpcp-docs-" and carrying the description "TeamPCP Owns Aqua Security." The compromised organization contained proprietary source code including Tracee, internal Trivy forks, CI/CD pipelines, Kubernetes operators, and team knowledge bases.
With stolen npm publish tokens in hand, TeamPCP then turned the credential haul into a spreading worm. The threat actors conducted follow-on attacks that led to the compromise of a large number of npm packages with a self-propagating worm dubbed CanisterWorm, named for its use of an ICP canister — a tamperproof smart contract on the Internet Computer blockchain — as a dead drop resolver. Socket said the CanisterWorm supply chain attack expanded to 141 malicious package artifacts spanning more than 66 unique packages. A subsequent mutation of CanisterWorm detected in "@teale.io/eslint-config" versions 1.8.11 and 1.8.12 was found to steal npm tokens and self-propagate without any need for manual intervention.
The actor's ambitions extended beyond theft. A new payload attributed to TeamPCP was found to wipe entire Kubernetes clusters located in Iran, using the same ICP canister linked to CanisterWorm and running checks to identify Iranian systems. Aikido security researcher Charlie Eriksen described the payload's logic: "On Kubernetes: deploys privileged DaemonSets across every node, including control plane. Iranian nodes get wiped and force-rebooted via a container named 'kamikaze.' Non-Iranian nodes get the CanisterWorm backdoor installed as a systemd service. Non-K8s Iranian hosts get 'rm -rf / no-preserve-root.'"
TeamPCP is a cloud-native threat actor active in 2025 and 2026, also known as DeadCatx3, PCPcat, ShellForce, and CanisterWorm, tracked by multiple security teams for Docker API and Kubernetes exploitation, supply chain attacks, ransomware, cryptomining, and self-propagating worms. Wiz and Aikido both attribute the Trivy compromise to TeamPCP; Socket validated the malware mechanics but stopped short of a firm attribution, noting that the technical overlap with prior TeamPCP tooling makes genuine attribution plausible.
In a formal update on March 23, 2026, Aqua Security said its investigation is "actively focused on validating that all access paths have been identified and fully closed," adding there is no indication its commercial products were impacted. Security teams are advised to audit GitHub organizations for any repositories named tpcp-docs, treat all pipeline secrets exposed during the March 19-20 window as compromised, and pin GitHub Actions to full, immutable commit SHA hashes rather than mutable version tags.
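The tag poisoning described above and the SHA-pinning advice can be turned into a quick audit of workflow files. This is an added example, not code from the article or from Aqua Security: it scans `uses:` lines, flags trivy-action refs in the overwritten 0.0.1 through 0.34.2 range, and reports any other mutable tag. The sample workflow is constructed, and the 40-hex ref in it is a placeholder, not a real trivy-action commit.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample workflow for the audit below (not taken from the article).
# The 40-hex ref is a placeholder, not a real trivy-action commit SHA.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.2
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/trivy-action@0.35.0
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""

USES_RE = re.compile(r"^\s*-\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[^@\s]*)?@(\S+)", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# From the article: trivy-action tags 0.0.1 through 0.34.2 were force-pushed and
# 0.35.0 was the only untouched tag; seven setup-trivy tags were also overwritten.
TRIVY_ACTION = "aquasecurity/trivy-action"
SETUP_TRIVY = "aquasecurity/setup-trivy"
FIRST_SAFE_TRIVY_ACTION = (0, 35, 0)


def parse_version(ref: str) -> Optional[Tuple[int, ...]]:
    """Turn '0.28.0' or 'v0.2.2' into a comparable tuple; None for non-version refs."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref)
    return tuple(int(x) for x in m.groups()) if m else None


def classify(action: str, ref: str) -> str:
    if FULL_SHA_RE.match(ref):
        return "sha-pinned"  # immutable: a force-pushed tag cannot change what runs
    if action == TRIVY_ACTION:
        v = parse_version(ref)
        if v is not None and v < FIRST_SAFE_TRIVY_ACTION:
            return "overwritten-tag"  # inside the range the attacker rewrote
    # setup-trivy tags were hit too, but the article does not list which seven;
    # any tag (including the untouched 0.35.0) is still mutable and worth pinning.
    return "mutable-tag"


def audit_workflow(text: str) -> List[Dict[str, str]]:
    """Return one finding per `uses:` step in a GitHub Actions workflow."""
    return [{"action": a, "ref": r, "status": classify(a, r)} for a, r in USES_RE.findall(text)]


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{f['status']:16} {f['action']}@{f['ref']}")
```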