A Security Scanner Became the Weapon: How a Supply Chain Attack on Trivy Spawned a Self-Replicating Worm Across 47 npm Packages

="">

The irony is almost too perfect. Trivy, the open-source vulnerability scanner built by Aqua Security and trusted by thousands of organizations to detect security flaws in their software supply chains, became the vector for a supply chain attack of its own. The compromise didn’t just plant malicious code in one place — it triggered a self-propagating worm that spread across at least 47 npm packages, silently embedding itself in projects that developers around the world pull into their applications every day.

The attack, first reported by Slashdot in late March 2025, represents a new and troubling evolution in how adversaries think about compromising open-source infrastructure. Rather than targeting a single high-value package — the approach seen in past incidents involving event-stream or ua-parser-js — the attackers designed a mechanism that could replicate laterally, infecting adjacent packages through the dependency graph itself. Security researchers have dubbed the payload “CanisterWorm,” a name that reflects both its containerized delivery mechanism and its capacity to spread without further human intervention.

The mechanics of the attack deserve close examination.

Trivy operates by scanning container images, file systems, and code repositories for known vulnerabilities, misconfigurations, and exposed secrets. It’s deeply integrated into CI/CD pipelines at companies ranging from startups to Fortune 500 enterprises. When developers run Trivy against a project, the tool pulls metadata and, in some configurations, executes analysis routines that interact with package registries including npm. The attackers exploited this trust relationship. By injecting a malicious payload into a dependency that Trivy’s scanning process would encounter, they ensured the worm would activate precisely when organizations were performing security checks — the moment defenders believed they were at their most vigilant.

The initial compromise appears to have targeted a lesser-known npm package used as a transitive dependency by several more popular libraries. Transitive dependencies are the packages your packages depend on — the invisible substrate beneath most modern software. Developers rarely audit them directly. Once the malicious code was in place, it executed during installation via npm’s lifecycle scripts, specifically the postinstall hook. This is a well-known attack surface. And yet it continues to work, year after year, because disabling lifecycle scripts breaks legitimate functionality across thousands of packages.

What made CanisterWorm different from previous npm supply chain attacks was its propagation logic. The payload inspected the local environment for npm authentication tokens — stored in .npmrc files or environment variables — and used those credentials to publish modified versions of other packages the compromised developer maintained. Each newly infected package carried the same propagation code. The worm spread not through the network in the traditional sense, but through the software supply chain itself: developer to package, package to developer, developer to more packages. A chain reaction.

Within 72 hours, 47 npm packages had been compromised, according to analysis published by security researchers tracking the incident. Some of these packages had modest download counts in the low thousands. Others were pulled tens of thousands of times per week. The total blast radius — meaning the number of downstream projects potentially affected — is still being calculated, but early estimates suggest hundreds of thousands of installations may have executed the malicious code before npm’s security team began pulling affected versions.

Aqua Security, the company behind Trivy, moved quickly to address the situation. The company confirmed that the core Trivy repository on GitHub was not directly compromised; rather, the attack exploited the way Trivy interacted with already-poisoned packages during scanning operations. A patched version was released that sandboxes certain analysis routines and adds integrity verification for packages encountered during scans. But the damage was already propagating through the dependency graph by the time the fix shipped.

npm, owned by GitHub and by extension Microsoft, revoked publishing credentials for affected maintainer accounts and removed the compromised package versions from the registry. The npm security team also implemented additional monitoring for unusual bulk-publishing patterns, which is how the worm’s activity was ultimately detected — a sudden spike in version bumps across packages maintained by the same set of accounts, all within a narrow time window.

The incident has reignited a debate that’s been simmering in the software security community for years: whether the npm registry’s permissive publishing model is fundamentally incompatible with supply chain security. npm allows any authenticated user to publish packages with essentially no review. Lifecycle scripts execute arbitrary code during installation by default. And the sheer volume of packages — over two million — makes comprehensive monitoring a near-impossible task.

“The npm registry was designed for convenience and speed of iteration,” said one security researcher quoted in coverage of the incident. “It was not designed for a world where nation-states and organized crime groups treat open-source packages as attack surfaces.”

This isn’t the first time npm has been the conduit for a supply chain attack, and it won’t be the last. The 2021 compromise of the ua-parser-js package affected millions of downstream users. The 2022 “peacenotwar” incident saw a maintainer deliberately sabotage their own widely-used package to make a political statement, corrupting data on machines with Russian or Belarusian IP addresses. The Codecov breach, the SolarWinds attack, the 3CX compromise — the pattern is consistent. Attackers are moving upstream, targeting the tools and dependencies that developers trust implicitly.

But CanisterWorm represents an escalation. Previous supply chain attacks were static: compromise one package, wait for downloads. This one was dynamic, actively seeking new hosts and spreading autonomously. The distinction matters. A static attack has a fixed blast radius determined by the popularity of the compromised package. A self-replicating attack has a blast radius that grows exponentially until it’s detected and contained. The difference between a landmine and a virus.

The timing of the attack also raises questions. Trivy has become the de facto standard scanner for container security, embedded in platforms from AWS to GitLab. Targeting the tool that organizations use to verify their supply chain integrity is a sophisticated strategic choice. It undermines confidence in the verification process itself. If your security scanner can be weaponized, what can you trust?

Several mitigation strategies have emerged from the incident. First, organizations are being urged to use npm’s --ignore-scripts flag during installation in CI/CD environments, accepting the trade-off of broken post-install routines in exchange for protection against script-based attacks. Second, the use of lockfiles (package-lock.json) with integrity hashes is being re-emphasized — these can detect when a package’s contents change unexpectedly between installations. Third, companies are increasingly turning to private registries and dependency proxies that cache approved versions of packages and block unapproved updates from flowing into build pipelines.

None of these measures are new. Security professionals have been recommending them for years. Adoption remains patchy at best. The friction of implementing strict dependency management in fast-moving development teams is real, and many organizations have made a calculated bet — sometimes consciously, sometimes not — that the risk of a supply chain attack is lower than the cost of slowing down their engineers.

That calculation just got harder to justify.

The broader implications extend beyond npm. Every major package registry — PyPI for Python, crates.io for Rust, Maven Central for Java, RubyGems for Ruby — faces similar structural vulnerabilities. The open-source model depends on trust: trust that maintainers are who they say they are, trust that published code matches what’s in the source repository, trust that the tools you use to verify integrity are themselves trustworthy. CanisterWorm exploited all three layers of that trust simultaneously.

Governments are paying attention. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has been pushing for Software Bills of Materials (SBOMs) as a baseline requirement for federal software procurement. The European Union’s Cyber Resilience Act, expected to take full effect in 2027, will impose liability on software producers — including open-source projects, under certain conditions — for security failures in their supply chains. These regulatory frameworks are still maturing, but incidents like the Trivy compromise accelerate the political pressure to act.

For the developers and maintainers who found their npm tokens hijacked and their packages weaponized, the experience has been harrowing. Several reported on X (formerly Twitter) that they discovered the compromise only when downstream users began filing bug reports about unexpected network connections from their applications. Others learned about it from npm’s security team directly. The emotional toll on open-source maintainers — many of whom are unpaid volunteers — is a dimension of supply chain security that rarely makes it into corporate risk assessments.

So where does this leave the industry? The uncomfortable truth is that the architecture of modern software development — built on deep trees of transitive dependencies, automated installation scripts, and implicit trust in upstream maintainers — is structurally vulnerable to exactly this kind of attack. Fixing it requires more than better scanning tools. It requires rethinking how code is consumed, verified, and trusted at every level of the stack. That’s not a problem any single company or open-source project can solve alone.

The CanisterWorm incident will likely be studied for years as a case study in adversarial creativity. The attackers didn’t just find a vulnerability. They built a system — one that exploited the interconnected nature of modern software to amplify a single point of compromise into a cascading failure across dozens of packages and potentially hundreds of thousands of installations. It’s the kind of attack that security researchers have been warning about in conference talks and white papers for the better part of a decade. Now it’s real. And the question isn’t whether it will happen again, but how quickly the next variant will arrive.