Trivy Supply Chain Attack Triggers Self-Spreading CanisterWorm Across 47 npm Packages

Attackers compromised the popular Trivy repository on the npm platform and distributed malicious CanisterWorm code across 47 packages. The worm self-replicated, infecting subsequent dependencies and spreading through the software supply chain. The threat affected developers worldwide who automatically downloaded updated package versions. The incident revealed a critical security vulnerability in the npm ecosystem — malicious code could spread without user knowledge, as many projects configure automatic dependency updates. CanisterWorm was designed to steal credentials and execute arbitrary commands on developers' machines. The response to the attack indicates a growing need to implement Zero Trust Network Access (ZTNA) models — eliminating direct access to applications and reducing the risk of lateral threat propagation. Organizations must now more strictly verify each dependency and monitor supply chain integrity, rather than relying solely on package reputation.
In recent weeks, the npm ecosystem has experienced one of the most dangerous supply chain attacks in history. Attackers who initially targeted the popular Trivy scanner extended their reach much further, infecting at least 47 packages on npm with malware called CanisterWorm. This is not an ordinary virus. This is a self-replicating worm capable of spreading independently between projects, using blockchain infrastructure to hide its tracks. The discovery reveals a critical gap in how we develop and distribute software, and suggests that the actual scale of the problem may be much larger than we previously thought.
The attack on Trivy was not accidental. Trivy is a vulnerability scanning tool created by Aqua Security, used by thousands of organizations to identify security threats in their code and container images. By attacking this particular tool, threat actors gained access to an incredibly powerful distribution platform — every developer using Trivy could become an unwitting vector for spreading malware. This is a classic strategy: attack a tool that everyone trusts, and then spread the threat through its natural distribution channels.
Anatomy of CanisterWorm: How the self-replicating worm works
CanisterWorm stands out from traditional malicious npm packages in that it possesses the built-in ability to spread independently. Unlike static trojans that wait for installation, this worm actively searches for new targets and mutates to avoid detection. Its name comes from the use of ICP canisters, tamperproof smart contracts on the Internet Computer blockchain. This is an unusual infrastructure choice that indicates a significantly higher level of sophistication than typical supply chain attacks.
The spreading mechanism relies on several key components. First, the worm scans `package.json` files on systems it has access to, identifying project dependencies. It then attempts to infect those dependencies, modifying their content in such a way that when a package is installed by a new developer, the malware automatically replicates itself. This resembles a biological virus — each infected package becomes a source of infection for subsequent projects.
The use of ICP canisters as command and control (C2) infrastructure is particularly clever. The Internet Computer blockchain offers features that traditional C2 servers cannot provide: the impossibility of deleting or modifying data once written, a decentralized nature that makes geolocation and blocking difficult, and the ability to operate outside traditional internet infrastructure. For attackers, this means they can communicate with their malware without fear of detection or disruption through traditional security measures.
47 packages — is this the end of the list?
Officially, 47 npm packages have been confirmed as infected, but this number raises more questions than it answers. How long did the worm spread undetected? How many packages could have been infected before security teams noticed anomalies? The history of supply chain attacks teaches us that discovered threats are usually just the tip of the iceberg.
Packages in npm are deeply interconnected — a project may depend on dozens of libraries, which in turn depend on hundreds of others. This dependency graph creates a network where one infected library can potentially affect millions of projects. If CanisterWorm managed to infect 47 packages before detection, the number of projects that could have downloaded infected code potentially reaches millions.
Particularly concerning is that some of the infected packages were popular libraries with high download rates. When such packages become infected, the virus spreads exponentially. Organizations that automatically update dependencies (which is considered best practice) may have unknowingly downloaded infected code into their production systems.
Trivy as the entry point — why this tool?
The choice of Trivy as the initial attack target was not accidental. Aqua Security, the creator of Trivy, is known for advanced security tools, and Trivy is widespread in the DevOps and CI/CD ecosystem. The tool is installed on developer machines, build servers, and in automation systems — places with high privileges and access to source code.
By attacking Trivy, threat actors gained access to an ideal distribution vector. Every developer who ran Trivy to scan their projects could unknowingly download infected code. If the infected version of Trivy was distributed through official channels (such as npm), the number of potential victims increased dramatically.
This also suggests that the attackers had significant knowledge of the npm ecosystem and which tools are critical for security. Rather than attacking a random package, they chose a target that would maximize their impact. This means we are dealing with threat actors who conducted substantial reconnaissance before the attack.
Blockchain as malware infrastructure — a new trend
The use of ICP canisters for C2 communication represents an evolution in how attackers build their infrastructure. Traditionally, malware communicates with its operators through DNS servers, HTTP, or other protocols that can be monitored and blocked. Blockchain changes this balance.
Internet Computer is a platform that allows running decentralized applications with near-perfect reliability. A canister is a computational unit on this platform — something like a virtual machine that executes code and stores data. Once deployed, a canister cannot be deleted by any single party, and its data is distributed across the network.
For attackers, this means infrastructure that is practically impossible to shut down. Even if security firms identify the canister address, they cannot delete or block it. They can only block connections to it at the network level, but this requires active monitoring and quick response. In the meantime, malware can communicate with operators, send data, and receive new instructions.
This is not the first time blockchain has been used for malicious purposes, but it is one of the more advanced examples. It points to a trend in which attackers seek alternative infrastructures that can evade traditional defensive measures. If this trend continues, cybersecurity organizations will need to develop new ways to monitor and block blockchain-based communications.
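Blocking canister connections at the network level starts with seeing them. The following is an added example, not code from the article or from any vendor: it scans proxy log lines for requests that address an Internet Computer canister. The log format, host names and canister ID are constructed; the gateway list (icp0.io, ic0.app) covers the public ICP HTTP gateways and will not catch canisters served behind custom domains.

```javascript
// Added example: flag egress from build hosts to Internet Computer canisters.
// GATEWAYS lists the public ICP HTTP gateways; extend it for your environment.
const GATEWAYS = ['icp0.io', 'ic0.app'];
// Textual canister ID: base32 groups of five, e.g. xxxxx-xxxxx-xxxxx-xxxxx-cai
const CANISTER_ID = /^(?:[a-z2-7]{5}-){4}[a-z2-7]{3}$/;

// Return the canister ID addressed by a URL, or null if it is not canister traffic.
function canisterFromUrl(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; }
  const host = url.hostname.toLowerCase();
  const gateway = GATEWAYS.find(g => host === g || host.endsWith('.' + g));
  if (!gateway) return null;
  // Form 1: <canister-id>[.raw].<gateway>
  const label = host.split('.')[0];
  if (CANISTER_ID.test(label)) return label;
  // Form 2: https://<gateway>/api/v2/canister/<canister-id>/{query,call,read_state}
  const m = url.pathname.match(/^\/api\/v\d+\/canister\/([^/]+)\//);
  return m && CANISTER_ID.test(m[1]) ? m[1] : null;
}

// Parse "<timestamp> <source-host> <method> <url>" lines and collect canister hits.
function findCanisterEgress(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    const [ts, src, method, url] = line.trim().split(/\s+/);
    if (!url) continue; // blank or malformed line
    const canister = canisterFromUrl(url);
    if (canister) hits.push({ ts, src, method, canister });
  }
  return hits;
}

// Constructed sample proxy log (hosts and canister ID are made up).
const SAMPLE_LOG = `
2025-01-01T10:02:11Z ci-runner-07 GET https://registry.npmjs.org/lodash
2025-01-01T10:02:14Z ci-runner-07 GET https://aaaaa-bbbbb-ccccc-ddddd-cai.raw.icp0.io/
2025-01-01T10:02:15Z dev-laptop-3 POST https://ic0.app/api/v2/canister/aaaaa-bbbbb-ccccc-ddddd-cai/query
2025-01-01T10:03:00Z dev-laptop-3 GET https://example.com/icp0.io
`;

console.log(findCanisterEgress(SAMPLE_LOG));
```

Build runners and developer machines rarely have a legitimate reason to reach a canister, so any hit from those sources is worth triage.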
Supply chain as the weakest link
The CanisterWorm attack reveals a fundamental weakness in how the modern software ecosystem is built. Almost every project depends on hundreds or thousands of external libraries. Each of these libraries is a potential entry point for attackers. Even if your own application is perfectly secured, it can be infected through a contaminated dependency over which you have no control.
The problem is compounded when considering the scale of npm. The repository contains over 2 million packages, and this number is constantly growing. Moderating such an amount of code is practically impossible. npm has security teams, but they cannot review every package before publication. They rely mainly on community reports and automated scans, which may miss advanced threats.
Supply chain attacks are particularly dangerous because they cannot be easily detected using traditional security tools. If an infected package is properly signed and comes from an official repository, traditional controls may miss it. Only advanced behavioral analysis or detailed code review can reveal the problem.
Industry response and implications for ZTNA
The CanisterWorm attack has serious implications for how organizations approach security. The traditional approach, which relies on trusting the internal network and assuming everything inside is safe, is clearly insufficient. If an infected npm package can end up in production systems, the traditional security perimeter is not functioning.
This is where Zero Trust Network Access (ZTNA) comes in. Instead of relying on a perimeter, ZTNA assumes that every connection, every application, and every user can be a threat. Every access request must be verified, authorized, and monitored — regardless of whether it comes from inside or outside the network.
In the context of the CanisterWorm attack, ZTNA offers several important protections:
- Microsegmentation — if an infected package gets into the system, it can be isolated from the rest of the infrastructure, limiting its spread
- Communication monitoring — any attempt to communicate with malicious C2 can be detected and blocked, regardless of whether it originates from inside or outside
- Identity-based access control — even if code is infected, it may not have permissions to access sensitive systems
- Behavioral analysis — unusual behavior of infected code can be quickly detected and stopped
For organizations that have implemented ZTNA, the CanisterWorm attack would be far less catastrophic. The infected package could install, but its capabilities would be limited by zero trust-based access policies. For those still relying on the traditional perimeter security model, the consequences could be much more severe.
The future of supply chain attacks
CanisterWorm is a warning for the industry. Attackers are becoming increasingly sophisticated, and their tools increasingly advanced. The use of blockchain for C2 infrastructure is just the beginning. We can expect that in the future, attackers will experiment with other technologies — from peer-to-peer networks to mesh networks — to build infrastructure that is resilient to traditional defensive measures.
At the same time, organizations must change how they approach supply chain security. It is no longer enough to rely on npm and other repositories to monitor threats. Every organization must implement its own controls — from scanning packages before installation, through behavioral monitoring of code in production, to implementing ZTNA to limit damage in case of compromise.
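One form the "scan before installation" control can take, shown as an added example that is not code from the article: an audit of `package-lock.json` (lockfile v2/v3 layout) that runs before `npm ci`. The article does not list the 47 package names or say how CanisterWorm executes at install time, so the denylist entries and package names below are placeholders, and flagging lifecycle scripts is a general control rather than a CanisterWorm signature.

```javascript
// Added example: pre-install audit of a package-lock.json (lockfile v2/v3 layout).
const TRUSTED_REGISTRY = 'https://registry.npmjs.org/'; // assumption: adjust for mirrors

function packageName(lockKey) {
  // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
  return lockKey.slice(lockKey.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

// denylist: Set of "name@version" strings taken from an advisory feed.
function auditLockfile(lock, denylist) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '' || entry.link) continue; // root project / workspace symlink
    const id = `${packageName(key)}@${entry.version}`;
    if (denylist.has(id)) findings.push({ id, issue: 'denylisted' });
    // Packages with preinstall/install/postinstall scripts run code during npm install.
    if (entry.hasInstallScript) findings.push({ id, issue: 'runs-install-script' });
    // Without an integrity hash, npm cannot verify the tarball contents.
    if (!entry.integrity) findings.push({ id, issue: 'no-integrity-hash' });
    if (entry.resolved && !entry.resolved.startsWith(TRUSTED_REGISTRY))
      findings.push({ id, issue: 'untrusted-source' });
  }
  return findings;
}

// Constructed lockfile and denylist; every package name here is a placeholder.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/placeholder-clean': { version: '2.0.0',
    resolved: 'https://registry.npmjs.org/placeholder-clean/-/placeholder-clean-2.0.0.tgz',
    integrity: 'sha512-CONSTRUCTED' },
  'node_modules/placeholder-infected': { version: '1.2.4',
    resolved: 'https://registry.npmjs.org/placeholder-infected/-/placeholder-infected-1.2.4.tgz',
    integrity: 'sha512-CONSTRUCTED', hasInstallScript: true },
  'node_modules/@scope/placeholder-git': { version: '0.3.0',
    resolved: 'git+ssh://git@example.com/scope/placeholder-git.git#0000000' },
}};
const SAMPLE_DENYLIST = new Set(['placeholder-infected@1.2.4']);

console.log(auditLockfile(SAMPLE_LOCK, SAMPLE_DENYLIST));
```

In CI, fail the job on any `denylisted` finding and require review for the rest.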
The CanisterWorm attack is a turning point for software security. It shows that traditional approaches to security are insufficient in a world where code comes from untrusted sources and depends on countless external libraries. The future of security will be based on the assumption that every piece of code, every connection, and every system can be a threat, and that the only effective defense is zero trust.