Npm

• The Scanner Got Scanned: How Trivy Became a Supply Chain Weapon March 23, 2026

  On March 19, 2026, attackers compromised Aqua Security's Trivy vulnerability scanner, force-pushing malicious code into 75 GitHub Actions tags and a trojanized v0.69.4 release. Stolen credentials from that breach then fuelled CanisterWorm, a self-propagating npm worm that hit 47 packages and used a decentralised ICP canister as its command server.

• Trivy Supply Chain Attack Escalates: CanisterWorm Self-Spreads to 47 npm Packages March 21, 2026

  The TeamPCP supply chain attack on Trivy's GitHub Actions has escalated: stolen npm tokens are now fuelling CanisterWorm, a self-propagating worm that has already compromised 47+ npm packages using a decentralised ICP canister as C2.

• PhantomRaven: How a Four-Wave npm Campaign Used Remote Dynamic Dependencies to Beat Package Scanning March 12, 2026

  PhantomRaven ran four waves of malicious npm packages from August 2025 to February 2026, stealing developer credentials via a technique called Remote Dynamic Dependencies that places the payload outside the package -- making it invisible to every scanner that inspects package contents.