An AI bot just turned Trivy into the malware it detects
An autonomous hacking bot exploited Trivy, spreading a self-replicating worm to 66+ npm packages. Over 1,000 companies affected so far.
The Security Scanner That Became the Threat
Trivy, an open-source vulnerability scanner built by Aqua Security, is one of the most trusted names in software security. With 34,200 GitHub stars and over 100 million Docker Hub pulls, it sits inside the automated build pipelines (the systems that automatically test and deploy code) of more than 10,000 publicly visible projects. On March 19, 2026, it became the very thing it was built to catch.
An AI-powered hacking tool called "hackerbot-claw" had autonomously scanned public code repositories for exploitable misconfigurations — and found one in Trivy's own infrastructure. The result: a cascading supply chain attack (where hackers compromise a trusted tool to reach everyone who uses it) that has already hit over 1,000 companies, with Mandiant estimating the final count could reach 5,000 to 10,000.
How an AI Bot Cracked the Door Open
The attack story begins on February 28, 2026. The autonomous tool "hackerbot-claw" exploited a misconfigured pull_request_target workflow to steal a Personal Access Token bound to Aqua Security's entire GitHub organization. pull_request_target is a GitHub Actions trigger that runs in the context of the base repository, with its secrets, even for pull requests from forks; if such a workflow also checks out and runs the pull request's code, an outside contributor's code executes with those secrets. Aqua discovered the breach and rotated credentials, but the rotation was incomplete.
The attackers, a cybercriminal group called TeamPCP (also tracked as DeadCatx3 and ShellForce), sat on the surviving credentials for three weeks. Then, on March 19 at 17:43 UTC, they struck: force-pushing 75 of 76 trivy-action version tags and 7 setup-trivy tags so that they pointed at malicious commits. A Git tag is a movable pointer, not a fixed identifier, so any CI/CD pipeline (automated system that builds and deploys software) referencing these tags by name executed attacker-controlled code on its next run, with no change on the victim's side.
A poisoned Trivy v0.69.4 flowed through automated release pipelines across GitHub Releases, Docker Hub, GHCR, and Amazon ECR — reaching developers before anyone noticed.
What the Malware Actually Stole
The malicious code was a credential stealer on steroids. It read the memory of other processes on GitHub Actions runners (via /proc/<pid>/mem), which sidesteps log masking: that feature only redacts secrets from build output, it does not hide them from code running on the same runner. From memory it harvested:
- SSH keys and cloud credentials (AWS, GCP, Azure)
- Kubernetes tokens (access keys for container orchestration systems)
- Docker registry credentials and database passwords
- TLS private keys and cryptocurrency wallet files
All stolen data was encrypted with AES-256-CBC, with the AES key wrapped in RSA-4096 (a hybrid scheme: only the holder of the attackers' private key can decrypt the exfiltrated data, so a defender who captures the traffic cannot recover what was taken). It was then sent to a typosquatted domain, scan.aquasecurtiy[.]org, designed to look like the real Aqua Security site. Notice the subtle misspelling: "securtiy" instead of "security."
CanisterWorm — The First Self-Spreading Digital Parasite on npm
Here's where the attack crosses into unprecedented territory. Using stolen npm tokens (authentication credentials for the JavaScript package registry), TeamPCP deployed CanisterWorm, a self-propagating worm that published 141 malicious artifacts across 66+ unique npm packages.
The worm harvests authentication tokens from developer machines, queries the package registry, identifies packages the victim maintains, increments their patch versions, and republishes infected copies, all automatically. The patch bump is what makes it spread: projects that depend on those packages through a semver range (npm's default caret range) pull in the infected version the next time they install without a lockfile or run an update. Security researcher Charlie Eriksen at Aikido Security called it the inflection point: "Every developer or CI pipeline that installs this package and has an npm token accessible becomes an unwitting propagation vector."
Twenty-eight packages were compromised in under 60 seconds.
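The worm's precondition is an npm token it can read. As an added example (not code from the article, Aikido or Aqua Security), the script below lists where such a token is normally reachable on a developer machine or CI runner: _authToken entries in the user and project .npmrc, .npmrc entries that defer to an environment variable, and the variables NPM_TOKEN (a widespread convention referenced from .npmrc as ${NPM_TOKEN}) and NODE_AUTH_TOKEN (the variable actions/setup-node wires into the runner's .npmrc). The home and project directories and the token values are constructed for the demo, and every token is printed masked.

```shell
#!/usr/bin/env bash
# Added example, not code from the article, Aikido or Aqua Security.
# CanisterWorm can only republish packages from a host where an npm token is
# reachable, so this lists the usual places such a token lives, with the token
# masked. The directories and token values below are constructed for the demo.
# Assumed variable names: NPM_TOKEN (a common convention, referenced from
# .npmrc as ${NPM_TOKEN}) and NODE_AUTH_TOKEN (what actions/setup-node uses).
set -u

# Show only the last 4 characters of a secret.
mask() {
  printf '%s' "$1" | sed -E 's/^.*(....)$/****\1/'
}

# Print "source: masked-token" for every npm auth token that is readable.
# $1 = home directory to inspect, $2 = project directory to inspect.
find_npm_tokens() {
  home=$1; project=$2
  for rc in "$home/.npmrc" "$project/.npmrc"; do
    [ -f "$rc" ] || continue
    # lines like  //registry.npmjs.org/:_authToken=<token>
    grep -E '^[^#]*:_authToken=' "$rc" | while IFS= read -r line; do
      token=${line#*:_authToken=}
      case $token in
        '${'*'}')
          # indirection through an env var: only live if that variable is set
          var=${token#??}; var=${var%?}
          val=$(printenv "$var" || true)
          [ -n "$val" ] && echo "$rc (via \$$var): $(mask "$val")"
          ;;
        *) echo "$rc: $(mask "$token")" ;;
      esac
    done
  done
  # tokens handed to the process directly through the environment
  for var in NPM_TOKEN NODE_AUTH_TOKEN; do
    val=$(printenv "$var" || true)
    [ -n "$val" ] && echo "env $var: $(mask "$val")"
  done
  return 0
}

# Number of readable tokens, as a plain integer.
count_npm_tokens() {
  find_npm_tokens "$1" "$2" | wc -l | tr -d ' '
}

# --- constructed demo inputs (not real tokens) ---------------------------
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/home" "$DEMO/project"
cat > "$DEMO/home/.npmrc" <<'EOF'
registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=npm_constructedSampleToken0001
EOF
cat > "$DEMO/project/.npmrc" <<'EOF'
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
EOF
export NPM_TOKEN=npm_constructedSampleToken0002
unset NODE_AUTH_TOKEN   # so the demo output depends only on the constructed inputs

find_npm_tokens "$DEMO/home" "$DEMO/project"
echo "readable tokens: $(count_npm_tokens "$DEMO/home" "$DEMO/project")"
```

Anything this reports on a machine or runner that installed an affected package is a token to revoke and reissue, not merely to rotate in place, because the worm only needs read access to the file or the environment to publish under that identity.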
A Blockchain-Powered Kill-Proof Command Center
CanisterWorm is also the first documented malware to use ICP blockchain canisters (decentralized smart contracts that run on a blockchain network) as its command-and-control resolver. Instead of pointing to a traditional server that authorities can seize, the worm checks a blockchain canister for instructions. As Eriksen explained: "The canister controller can swap the URL at any time, pushing new binaries to all infected hosts without touching the implant."
The ICP canister wasn't taken down for policy violations until March 23, four full days after the attack began. When dormant, the canister's kill switch returned YouTube rickroll links rather than payload URLs, so the C2 traffic looked harmless and detection was harder.
Persistence was equally clever: a systemd service named "pgmon" masqueraded as PostgreSQL monitoring software, set to restart every 5 seconds and poll the command server every 50 minutes.
The Blast Radius Keeps Growing
The campaign didn't stop at Trivy. By March 24, TeamPCP had also compromised:
- Checkmarx AST and KICS — additional security scanning tools (hijacked March 23)
- LiteLLM — an AI model gateway (a tool that connects apps to AI services) with 95 million monthly downloads, present in 36% of cloud environments monitored by Wiz
- Malicious VS Code extensions — targeting developers directly in their code editors
All 44 repositories in Aqua Security's GitHub organization were simultaneously renamed and defaced on March 22. Mandiant CTO Charles Carmakal confirmed: "We are aware of over 1,000 SaaS environments actively dealing with this threat actor."
TeamPCP claims to have exfiltrated 300 GB of compressed credentials and 500,000+ accounts. By March 25, they pivoted to extortion, reportedly partnering with the notorious LAPSUS$ group to target multi-billion-dollar companies. The attack carries a CVSS score of 9.4 out of 10 under CVE-2026-33634.
A destructive wiper payload was also discovered that specifically targets Kubernetes clusters belonging to Iranian organizations — triggered by Tehran timezone or Farsi language detection — adding a geopolitical dimension to what began as a financially-motivated attack.
AI Wrote the Attack, Found the Vulnerability, and Built the Worm
Perhaps the most unsettling detail: researchers suspect the worm code itself was "vibe-coded" (generated using AI coding tools), following the playbook of 2025's "Shai-Hulud" worm — the first known self-propagating npm supply chain worm. Combined with the AI-powered "hackerbot-claw" that found the initial vulnerability, this marks a full-circle moment: AI was used to find the weakness, exploit it, and write the malware that spread from it.
Chainguard CEO Dan Lorenc identified "six fundamental design failures in GitHub Actions" that enabled this campaign, calling the platform's current security design "plain irresponsible today."
If your team uses any of the affected tools, the remediation steps below are critical. For a deeper understanding of how AI is reshaping both security tools and security threats, explore our guides on AI automation.
How to Check If You're Affected
# 1. Find every trivy-action / setup-trivy reference in your workflows and how it is pinned
#    (any reference by mutable tag may have resolved to attacker code on March 19)
grep -rn -E "aquasecurity/(trivy-action|setup-trivy)@" .github/workflows/
# Find Trivy versions in your workflows other than the known-good v0.69.3
grep -rn "trivy" .github/workflows/ | grep -v "0.69.3"
# Look for the affected npm scopes anywhere in the dependency tree (--all walks transitive deps)
npm ls --all 2>/dev/null | grep -E "@emilgroup|@opengov|@teale.io|@airtm|@pypestream"
# 2. Check for the persistence mechanism (user-level systemd unit and its state files)
ls -l ~/.config/systemd/user/pgmon.service
ls -la /tmp/pglog /tmp/.pg_state
systemctl --user status pgmon.service
# 3. Stop and remove persistence if found
systemctl --user stop pgmon.service
systemctl --user disable pgmon.service
rm -f ~/.config/systemd/user/pgmon.service
rm -rf ~/.local/share/pgmon/ /tmp/pglog /tmp/.pg_state
systemctl --user daemon-reload
# 4. Revoke every npm token that was reachable from an affected machine or pipeline, then issue new ones
#    (the worm propagates through any token it can read, so rotating in place is not enough)
npm token list
npm token revoke <token-id>
# 5. Pin GitHub Actions to full commit SHAs, not version tags (a tag can be force-pushed, a SHA cannot)
# BEFORE: uses: aquasecurity/trivy-action@v0.28.0
# AFTER:  uses: aquasecurity/trivy-action@<full-sha-hash> # v0.35.0
# Safe versions: Trivy v0.69.3, trivy-action v0.35.0, setup-trivy v0.2.6
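As an added example (not code from the article, from Aqua Security or from GitHub), the following script audits a directory of workflow files for the two weaknesses this incident turned on: a pull_request_target workflow that also checks out the pull request's own code, and a trivy-action or setup-trivy step referenced by a mutable tag rather than a full commit SHA. The three workflow files it creates are constructed for the demo, and the 40-character SHA in good.yml is a placeholder, not a real trivy-action commit; point the functions at your own .github/workflows directory instead.

```shell
#!/usr/bin/env bash
# Added example; not code from the article, Aqua Security or GitHub.
# Audits GitHub Actions workflow files for the two weaknesses the article describes:
#   1. a pull_request_target workflow that also checks out the pull request's head:
#      the job runs with the base repository's secrets, so code from a fork PR runs
#      with them (the kind of misconfiguration hackerbot-claw found);
#   2. a trivy-action / setup-trivy step referenced by a mutable tag instead of a
#      40-hex commit SHA, which is what let force-pushed tags swap in attacker code.
# The three workflow files are constructed for this demo; the SHA in good.yml is a
# placeholder, not a real trivy-action commit.
set -u

# Print one "file: reason" line per finding.
audit_workflows() {
  dir=$1
  for f in "$dir"/*.yml "$dir"/*.yaml; do
    [ -f "$f" ] || continue
    # (1) pull_request_target combined with a checkout of the PR head ref/sha
    if grep -q 'pull_request_target' "$f" &&
       grep -Eq 'ref:.*pull_request\.head\.(ref|sha)' "$f"; then
      echo "$f: pull_request_target checks out untrusted PR code with repository secrets"
    fi
    # (2) trivy actions referenced by anything other than a full 40-hex commit SHA
    grep -Eo 'uses:[[:space:]]*aquasecurity/(trivy-action|setup-trivy)@[^[:space:]#]+' "$f" |
      grep -Ev '@[0-9a-f]{40}$' |
      sed "s|^|$f: mutable tag, pin to a commit SHA: |"
  done
  return 0
}

# Number of findings for a directory, as a plain integer.
count_findings() {
  audit_workflows "$1" | wc -l | tr -d ' '
}

# --- constructed sample workflows ----------------------------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# vulnerable: runs fork PR code with base-repo secrets AND uses a mutable tag
cat > "$SAMPLE_DIR/pr-scan.yml" <<'EOF'
on: pull_request_target
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: aquasecurity/trivy-action@v0.28.0
EOF

# safe trigger, but setup-trivy still referenced by a movable tag
cat > "$SAMPLE_DIR/setup.yml" <<'EOF'
on: push
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.6
EOF

# pinned to a commit SHA (placeholder value) with the version kept as a comment
cat > "$SAMPLE_DIR/good.yml" <<'EOF'
on: push
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # v0.35.0
EOF

audit_workflows "$SAMPLE_DIR"
echo "findings: $(count_findings "$SAMPLE_DIR")"
```

Dropping the aquasecurity/(trivy-action|setup-trivy) restriction in the second pattern turns this into a check that every third-party action is SHA-pinned, which is the general rule behind step 5. The pull_request_target check is deliberately coarse: it flags any workflow that both uses the trigger and checks out the PR head, and a reviewer then decides whether the checked-out code is ever built, tested or otherwise executed in that job.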
For more on protecting your automated workflows, visit our latest security coverage.