
CanisterWorm: How a Self-Propagating npm Worm Uses Blockchain C2 to Wipe Kubernetes Clusters
In March 2026, security researchers at Socket, Aikido, and JFrog disclosed CanisterWorm, a self-propagating supply chain worm that hijacks npm publisher accounts, implants blockchain-backed backdoors, and carries a destructive payload capable of bricking entire Kubernetes clusters. This isn't a theoretical threat. It's active, evolving, and has already compromised 29+ packages.

This article breaks down CanisterWorm's kill chain, explains the blockchain C2 mechanism in detail, and provides concrete detection and mitigation steps for developers and platform teams.

The Kill Chain: From Stolen Token to Cluster Wipe

Stage 1: Credential Harvest

CanisterWorm's initial access vector traces back to the Trivy supply chain compromise, in which the threat actors (TeamPCP) injected credential-stealing code into Aqua Security's popular vulnerability scanner. Developers who ran the compromised Trivy binary had their npm tokens, SSH keys, and cloud credentials silently exfiltrated. The stolen npm tokens b
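The practical consequence of Stage 1 is that every long-lived secret on a workstation that ran the compromised scanner has to be treated as stolen and rotated. The script below is an added example, not code from the article or from any of the researchers it cites: it inventories the three credential classes the article names (npm registry tokens in .npmrc, private keys under .ssh, and AWS CLI profiles in .aws/credentials) so a developer or platform team can produce a rotation list. File locations follow the standard npm, OpenSSH and AWS CLI layouts; the fixture directory it audits is constructed inline with fake values, and the rotation list is returned rather than only printed so it can be fed into a ticketing or CI step.

```python
"""Inventory of credentials a compromised developer workstation could have leaked.

Added example (not from the article). After an untrusted scanner or build tool
has run on a host, enumerate the long-lived secrets present so every one of
them can be rotated. Paths follow the standard npm, OpenSSH and AWS CLI layouts.
"""
import configparser
import re
import tempfile
from pathlib import Path

# npm stores per-registry tokens in .npmrc as "//<registry>/:_authToken=<token>".
NPMRC_TOKEN_RE = re.compile(
    r"^\s*//(?P<registry>[^\s/]+)/:_authToken\s*=\s*(?P<token>\S+)", re.MULTILINE
)


def redact(secret: str) -> str:
    """Keep just enough of a secret to identify it in a rotation ticket."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 12 else "***"


def find_npm_tokens(npmrc_text: str) -> list[dict]:
    """Return every registry token configured in an .npmrc, redacted."""
    return [
        {"registry": m["registry"], "token": redact(m["token"])}
        for m in NPMRC_TOKEN_RE.finditer(npmrc_text)
    ]


def find_ssh_private_keys(ssh_dir: Path) -> list[str]:
    """Return names of PEM/OpenSSH private key files in an ~/.ssh directory."""
    keys = []
    if not ssh_dir.is_dir():
        return keys
    for path in sorted(ssh_dir.iterdir()):
        if not path.is_file():
            continue
        try:
            head = path.read_text(errors="replace").lstrip()[:64]
        except OSError:
            continue  # unreadable file: nothing to report, but do not abort
        if head.startswith("-----BEGIN") and "PRIVATE KEY" in head:
            keys.append(path.name)
    return keys


def find_aws_profiles(credentials_text: str) -> list[str]:
    """Return AWS CLI profile names that carry a static access key."""
    cp = configparser.ConfigParser()
    cp.read_string(credentials_text)
    return [s for s in cp.sections() if cp.has_option(s, "aws_access_key_id")]


def audit_home(home: Path) -> dict:
    """Build the rotation list for one home directory."""
    npmrc = home / ".npmrc"
    aws_creds = home / ".aws" / "credentials"
    report = {
        "npm_tokens": find_npm_tokens(npmrc.read_text()) if npmrc.is_file() else [],
        "ssh_private_keys": find_ssh_private_keys(home / ".ssh"),
        "aws_profiles": find_aws_profiles(aws_creds.read_text()) if aws_creds.is_file() else [],
    }
    report["rotate_count"] = (
        len(report["npm_tokens"]) + len(report["ssh_private_keys"]) + len(report["aws_profiles"])
    )
    return report


def build_sample_home() -> Path:
    """Constructed fixture: a fake home directory holding one of each secret type."""
    home = Path(tempfile.mkdtemp(prefix="audit-"))
    (home / ".npmrc").write_text(
        "registry=https://registry.npmjs.org/\n"
        "//registry.npmjs.org/:_authToken=npm_EXAMPLEfakeTOKENvalue0123456789\n"
    )
    (home / ".ssh").mkdir()
    (home / ".ssh" / "id_ed25519").write_text(
        "-----BEGIN OPENSSH PRIVATE KEY-----\nFAKE\n-----END OPENSSH PRIVATE KEY-----\n"
    )
    (home / ".ssh" / "id_ed25519.pub").write_text("ssh-ed25519 AAAA... user@host\n")
    (home / ".aws").mkdir()
    (home / ".aws" / "credentials").write_text(
        "[default]\naws_access_key_id = AKIAEXAMPLE\naws_secret_access_key = fake\n"
    )
    return home


if __name__ == "__main__":
    import json

    print(json.dumps(audit_home(build_sample_home()), indent=2))
```

Run it against a real home directory with `audit_home(Path.home())`. It deliberately reports redacted values only: the output is meant to drive rotation of npm tokens, SSH keys and cloud keys, not to move the secrets anywhere else.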
Continue reading on Dev.to Webdev


