Github-Actions

• The Scanner Got Scanned: How Trivy Became a Supply Chain Weapon March 23, 2026

  On March 19, 2026, attackers compromised Aqua Security's Trivy vulnerability scanner, force-pushing malicious code into 75 GitHub Actions tags and a trojanized v0.69.4 release. Stolen credentials from that breach then fuelled CanisterWorm, a self-propagating npm worm that hit 47 packages and used a decentralised ICP canister as its command server.

• The GitHub Actions Trap That Let a Bot Steal Trivy's Release Keys March 23, 2026

  On February 28, 2026, an autonomous bot called hackerbot-claw exploited a pull_request_target misconfiguration in Aqua Security's Trivy repository, stole an org-scoped PAT, and deleted 178 releases. The vulnerability is not obscure -- it is in thousands of public repos right now.

• Trivy Supply Chain Attack Escalates: CanisterWorm Self-Spreads to 47 npm Packages March 21, 2026

  The TeamPCP supply chain attack on Trivy's GitHub Actions has escalated: stolen npm tokens are now fuelling CanisterWorm, a self-propagating worm that has already compromised 47+ npm packages using a decentralised ICP canister as C2.