Signal
Trivy supply chain attack injects credential stealer and spreads via npm packages
Published 2026-03-21 05:35 UTC · Updated 2026-03-21 07:28 UTC
Tags: supply_chain, malware, credential_theft, npm, vulnerability_scanner, incident_response
Overview
The popular open-source vulnerability scanner Trivy was compromised in a supply chain attack that injected credential-stealing malware into official releases and GitHub Actions workflows.
Entities
Aqua Security, Trivy, CanisterWorm, Itay Shakury
Why now
- The attack was disclosed recently, with ongoing follow-on compromises detected.
- Immediate secret rotation is critical to prevent further cascading breaches.
- The discovery of CanisterWorm highlights evolving attacker tactics exploiting smart contracts.
Why it matters
- Trivy is widely used in CI/CD pipelines, so compromise risks widespread exposure of secrets.
- Incomplete credential rotation allowed attackers to persist and escalate the breach.
- The emergence of a self-spreading worm in npm packages signals a new threat vector in supply chain attacks.
LLM analysis
Recurring claims
- Trivy vulnerability scanner was backdoored with credential-stealing malware in a supply chain attack.
- The attack led to a self-propagating worm called CanisterWorm spreading across 47 npm packages.
How sources frame it
- CSO Online: neutral
- The Hacker News: neutral
All evidence
Trivy Supply Chain Attack Triggers Self-Spreading CanisterWorm Across 47 npm Packages
The Hacker News · thehackernews.com · 2026-03-21 07:28 UTC
Trivy vulnerability scanner backdoored with credential stealer in supply chain attack
CSO Online · csoonline.com · 2026-03-21 05:35 UTC