AI Security Roundup: Trivy Supply Chain Attack Spawns Self-Spreading Worm, Langflow Exploited in 20 Hours

Security scanners become attack vectors, AI agent platforms get RCE'd before patches exist, and 400+ GitHub repos fall to GlassWorm. Plus: a new secrets scanner built for AI coding agents.


The security tooling you trust to catch vulnerabilities is now the vulnerability. This week: a compromised scanner spawned a self-propagating worm, an AI workflow platform was exploited before any patch existed, and stolen tokens led to 400+ repository takeovers.

Trivy Compromised, CanisterWorm Born

On March 19, threat actors compromised Trivy, the popular open-source vulnerability scanner maintained by Aqua Security. The attackers injected credential-stealing malware into official releases and GitHub Actions.

But that was just the beginning.

Using stolen CI/CD secrets, the attackers launched follow-on attacks that spawned CanisterWorm, a self-propagating worm that has so far produced 141 malicious package artifacts across 66 npm packages.

How CanisterWorm Spreads

The worm gets its name from a technical first: it uses an ICP canister (a smart contract on the Internet Computer blockchain) as a dead-drop resolver, fetching the current address of its command-and-control server from the canister instead of hard-coding it. Pulling the address from a blockchain leaves defenders no single domain or IP to sinkhole. This is the first publicly documented case of an ICP canister being abused this way for C2 communication.

CanisterWorm works in two stages:

  1. A credential harvester scans developer machines for npm authentication tokens from multiple locations
  2. A secondary “deploy.js” script uses those tokens to propagate malicious code across all packages the victim maintains

The campaign, attributed to a group called TeamPCP, has compromised over 1,000 SaaS environments and continues to spread.

What This Means

Security scanners run with elevated privileges in CI/CD pipelines. When they’re compromised, attackers get access to the most sensitive parts of your infrastructure: deployment credentials, signing keys, and production secrets. The practical consequence is that a scanner needs the same supply-chain discipline as any other dependency: pin it to an immutable version, give its job read-only and short-lived credentials, and treat its outbound network traffic as something worth watching. The irony of a security tool becoming the attack vector is not lost on anyone.
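Pinning is the cheapest of those controls, and the Trivy incident is a reminder that a `uses:` reference to a tag or branch is only as trustworthy as whoever can move that tag. The following is an added example, not code from Aqua Security or from the page, of a small workflow linter that reports every action reference that is not pinned to a full commit SHA. It parses `uses:` lines with a regex rather than a YAML library so it runs with no dependencies; the sample workflow and the SHA on its setup-node line are constructed for the example.

```python
import re
from typing import List, Tuple

# A step is only immutable when `uses:` ends in a full 40-hex commit SHA. Tags and
# branches (v4, master) are pointers the upstream project, or whoever holds its
# credentials, can move to a different commit after you reviewed it.
SHA_REF = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")


def check_uses_refs(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, reference, reason) for every `uses:` that is not pinned."""
    findings: List[Tuple[int, str, str]] = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # local action in this repo: reviewed with the rest of the code
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append((line_no, ref, "container image not pinned by digest"))
            continue
        if "@" not in ref:
            findings.append((line_no, ref, "no ref at all (resolves to the default branch)"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not SHA_REF.match(version):
            findings.append((line_no, ref, f"mutable ref {version!r}: pin to a 40-char commit SHA"))
    return findings


# Constructed workflow for the example; the SHA on the setup-node line is made up.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.0
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for line_no, ref, reason in check_uses_refs(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref}: {reason}")
```

A SHA pin protects you from a tag being moved underneath you; it does not vouch for the commit you pinned, so the pinned revision still needs to be one you reviewed, and a comment with the human-readable version (as on the setup-node line) keeps the pin auditable.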

Langflow: 20 Hours from Disclosure to Exploitation

Sometimes patches don’t help because attackers move faster.

A critical vulnerability in Langflow, the open-source AI workflow platform, was exploited in the wild within 20 hours of the advisory’s publication—with no public proof-of-concept code available.

CVE-2026-33017 (CVSS 9.3) combines missing authentication with code injection. The /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without authentication. When an attacker supplies flow data containing malicious Python code, that code is passed directly to exec() with no sandboxing, so it runs in-process with whatever privileges and credentials the Langflow service itself holds.
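To make the vulnerability class concrete, here is an added illustration, not Langflow's own code, of the shape the advisory describes: a build handler that accepts caller-supplied flow JSON and hands a node's code string to exec(), placed beside a hardened handler that requires an authenticated caller and only instantiates component types from a server-side registry. The JSON layout, the COMPONENT_REGISTRY, the function names and the request bodies are all assumptions made for the example; the "malicious" body only sets a marker variable so it is harmless to run.

```python
import json
from typing import Any, Callable, Dict, List, Optional


class AuthError(Exception):
    pass


class UnsafeFlow(Exception):
    pass


def build_flow_vulnerable(flow_json: str) -> Dict[str, Any]:
    """Illustrative vulnerable shape (not Langflow's code): nobody is authenticated,
    and whatever the request puts in a node's "code" field is executed in-process."""
    flow = json.loads(flow_json)
    namespace: Dict[str, Any] = {}
    for node in flow["nodes"]:
        exec(node["code"], namespace)  # attacker-controlled source, no sandbox
    user_defined = sorted(k for k in namespace if not k.startswith("__"))
    return {"built": [n["id"] for n in flow["nodes"]], "namespace": user_defined}


# Hardened shape: components are looked up by name in a server-side registry, so the
# request can choose *which* component runs but never supplies the code that runs.
ComponentFactory = Callable[[Dict[str, Any]], Dict[str, Any]]
COMPONENT_REGISTRY: Dict[str, ComponentFactory] = {
    "TextInput": lambda cfg: {"kind": "TextInput", "value": str(cfg.get("value", ""))},
    "Uppercase": lambda cfg: {"kind": "Uppercase"},
}


def build_flow_hardened(
    flow_json: str,
    user: Optional[str],
    registry: Dict[str, ComponentFactory] = COMPONENT_REGISTRY,
) -> Dict[str, Any]:
    if user is None:  # "public" or not, a build endpoint still needs an identity
        raise AuthError("authentication required")
    flow = json.loads(flow_json)
    built: List[Dict[str, Any]] = []
    for node in flow["nodes"]:
        if "code" in node:
            raise UnsafeFlow(f"node {node['id']}: inline code is not accepted")
        factory = registry.get(node.get("type", ""))
        if factory is None:
            raise UnsafeFlow(f"node {node['id']}: unknown component {node.get('type')!r}")
        built.append(factory(node.get("config", {})))
    return {"built": built, "user": user}


def raises(fn: Callable[[], Any], exc: type) -> bool:
    """Return True if calling fn() raises exc; lets callers check a rejection cleanly."""
    try:
        fn()
    except exc:
        return True
    return False


# Constructed request bodies for the example.
MALICIOUS_FLOW = json.dumps({"nodes": [{"id": "n1", "code": "MARKER = 'attacker code ran'"}]})
SAFE_FLOW = json.dumps({"nodes": [{"id": "n1", "type": "TextInput", "config": {"value": "hi"}},
                                  {"id": "n2", "type": "Uppercase"}]})

if __name__ == "__main__":
    print(build_flow_vulnerable(MALICIOUS_FLOW))
    print(raises(lambda: build_flow_hardened(MALICIOUS_FLOW, None), AuthError))
    print(raises(lambda: build_flow_hardened(MALICIOUS_FLOW, "alice"), UnsafeFlow))
    print(build_flow_hardened(SAFE_FLOW, "alice"))
```

The point of the hardened version is not a cleverer exec(): there is no safe way to exec() untrusted Python in the same process, so the design removes the code-from-request path entirely and keeps authentication on the endpoint even when the flow it builds is meant to be public.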

Attack Timeline

According to Sysdig, automated scanning began on March 18 at 16:04 UTC, just 20 hours after the advisory was published. Four IP addresses sent identical payloads within minutes of each other, which suggests one attacker driving multiple VPS nodes rather than several independent actors.

The attacks targeted Langflow versions through 1.8.1. Exfiltrated data included API keys and database credentials, with potential for supply chain compromise.
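If you ran an exposed Langflow instance in that window, the question is whether those requests reached you. The block below is an added example, not from Sysdig or the page, of a log check for the endpoint named above. It pulls every request under /api/v1/build_public_tmp/ and then looks for the specific shape in the timeline: several distinct source IPs posting a body of identical size to the same flow within a short window. The log format is an assumption (combined log format plus one trailing field with the request body size, which is what makes "identical payloads" visible), and the log lines, IPs and flow id are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

ENDPOINT_PREFIX = "/api/v1/build_public_tmp/"

# Assumed log shape for the example: combined log format plus one trailing field with
# the request body size. Adjust the regex to whatever your proxy actually writes.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<resp_bytes>\d+) (?P<req_bytes>\d+)$'
)


class Hit(NamedTuple):
    ip: str
    ts: datetime
    method: str
    path: str
    status: int
    req_bytes: int


def find_build_public_hits(log_text: str) -> List[Hit]:
    """Every request under the public-build prefix is worth a look on an unpatched host."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or not m["path"].startswith(ENDPOINT_PREFIX):
            continue
        hits.append(Hit(m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                        m["method"], m["path"], int(m["status"]), int(m["req_bytes"])))
    return hits


def cluster_identical_payloads(hits: List[Hit], window: timedelta = timedelta(minutes=10),
                               min_ips: int = 3) -> List[Dict]:
    """Group hits by (path, request size); flag groups where at least `min_ips` distinct
    sources sent the same-sized body within `window` of the group's first hit. That is
    the "several VPS nodes, one payload" shape from the Langflow timeline."""
    groups: Dict[Tuple[str, int], List[Hit]] = defaultdict(list)
    for h in hits:
        groups[(h.path, h.req_bytes)].append(h)
    flagged = []
    for (path, size), group in groups.items():
        group.sort(key=lambda h: h.ts)
        first = group[0].ts
        ips = sorted({h.ip for h in group if h.ts - first <= window})
        if len(ips) >= min_ips:
            flagged.append({"path": path, "req_bytes": size, "sources": ips,
                            "first_seen": first.isoformat()})
    return flagged


# Constructed log lines (documentation IP ranges, made-up flow id). Four sources post a
# 3120-byte body to the same flow within five minutes; the 19 March line is a different
# flow and size and should not cluster with them.
FLOW = "/api/v1/build_public_tmp/0f2c9a4e-1b3d-4c5e-8f6a-7b8c9d0e1f2a/flow"
SAMPLE_LOG = "\n".join([
    f'203.0.113.10 - - [18/Mar/2026:16:04:02 +0000] "POST {FLOW} HTTP/1.1" 200 2048 3120',
    f'203.0.113.11 - - [18/Mar/2026:16:05:40 +0000] "POST {FLOW} HTTP/1.1" 200 2048 3120',
    '198.51.100.7 - - [18/Mar/2026:16:06:15 +0000] "GET /api/v1/flows/ HTTP/1.1" 401 120 0',
    f'203.0.113.12 - - [18/Mar/2026:16:07:03 +0000] "POST {FLOW} HTTP/1.1" 200 2048 3120',
    f'203.0.113.13 - - [18/Mar/2026:16:08:51 +0000] "POST {FLOW} HTTP/1.1" 200 2048 3120',
    '192.0.2.44 - - [19/Mar/2026:09:12:00 +0000] "POST /api/v1/build_public_tmp/test/flow HTTP/1.1" 200 512 640',
])

if __name__ == "__main__":
    hits = find_build_public_hits(SAMPLE_LOG)
    print(f"{len(hits)} requests to {ENDPOINT_PREFIX}")
    for cluster in cluster_identical_payloads(hits):
        print(cluster)
```

The clustering is deliberately loose (window anchored on the first hit, no IP reputation), because on a vulnerable, unauthenticated endpoint any hit at all should be treated as a likely compromise and followed by credential rotation; the cluster just tells you which requests to look at first.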

Why This Matters

AI workflow tools like Langflow connect to databases, APIs, and other services. A compromised instance exposes everything it’s connected to. And when attackers can weaponize vulnerability disclosures faster than users can patch, traditional “update immediately” advice becomes inadequate on its own: exposure has to be limited in advance, by keeping such instances off the public internet, putting an authenticating reverse proxy in front of them, and scoping their stored credentials to what their flows actually need.

GlassWorm + ForceMemo: 400+ Repos Hijacked

The GlassWorm campaign that emerged in February has evolved into a full supply-chain attack. Using tokens stolen from infected developer machines, attackers have force-pushed malware into hundreds of Python repositories.

The earliest injections date to March 8. Researchers from Aikido, Socket, Step Security, and the OpenSourceMalware community have collectively identified 433 compromised components.

How It Works

GlassWorm spreads through malicious VS Code and Cursor extensions. Once installed, its stage 3 payload harvests GitHub tokens from:

  • git credential fill
  • VS Code extension storage
  • ~/.git-credentials
  • The GITHUB_TOKEN environment variable

With valid tokens in hand, attackers rewrite the existing history so that malicious code rides along with legitimate commits, then force-push the result, keeping the original commit message, author, and timestamp intact. Because the metadata is unchanged, the tampering is nearly invisible unless you compare commit hashes against a known-good record (or happen to notice the “(forced update)” that git fetch prints when a remote branch moves in a non-fast-forward way).
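Comparing hashes against a known-good record is mechanical enough to script. What follows is an added example, not code from any of the research teams named on this page, of that check: it parses `git log` output captured once at audit time and again later, and reports commits whose author, author date and subject all still match but whose hash has changed, which is exactly the residue a rebase-and-force-push leaves. The log format string and the snapshots (with made-up hashes) are constructed for the example.

```python
from typing import Dict, List, NamedTuple, Tuple

# Records are the output of
#   git log --format='%H%x1f%an%x1f%aI%x1f%s'
# one commit per line, fields split on the ASCII unit separator (0x1f) so that
# subjects containing spaces or punctuation parse cleanly.
SEP = "\x1f"


class Commit(NamedTuple):
    sha: str
    author: str
    author_date: str
    subject: str


def parse_git_log(text: str) -> List[Commit]:
    commits: List[Commit] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, author, date, subject = line.split(SEP, 3)
        commits.append(Commit(sha, author, date, subject))
    return commits


def find_rewritten_commits(baseline: List[Commit], current: List[Commit]) -> Dict[str, list]:
    """Compare a saved snapshot of a branch against its state today.

    A commit whose author, author date and subject all match a baseline commit but whose
    hash differs has been rewritten: exactly what a rebase-and-force-push leaves behind.
    Baseline commits that neither survive nor reappear under a new hash are reported as
    missing (history truncated or the branch reset)."""
    by_meta: Dict[Tuple[str, str, str], Commit] = {
        (c.author, c.author_date, c.subject): c for c in baseline
    }
    rewritten = []
    for c in current:
        b = by_meta.get((c.author, c.author_date, c.subject))
        if b is not None and b.sha != c.sha:
            rewritten.append({"old": b.sha, "new": c.sha, "subject": c.subject})
    surviving = {c.sha for c in current} | {r["old"] for r in rewritten}
    missing = [b.sha for b in baseline if b.sha not in surviving]
    return {"rewritten": rewritten, "missing": missing}


# Constructed snapshots with made-up hashes. In CURRENT_LOG the two newest commits keep
# their author, date and subject but carry new hashes; the oldest is untouched, as it
# would be after rebasing an injected change onto the second-oldest commit.
def _rec(sha: str, author: str, date: str, subject: str) -> str:
    return SEP.join((sha, author, date, subject))

BASELINE_LOG = "\n".join([
    _rec("c3" * 20, "Dana Maintainer", "2026-03-05T10:12:00+00:00", "Release 2.4.1"),
    _rec("b2" * 20, "Dana Maintainer", "2026-03-04T15:30:00+00:00", "Add retry to fetch"),
    _rec("a1" * 20, "Sam Contributor", "2026-03-01T09:00:00+00:00", "Fix typo in README"),
])
CURRENT_LOG = "\n".join([
    _rec("e5" * 20, "Dana Maintainer", "2026-03-05T10:12:00+00:00", "Release 2.4.1"),
    _rec("d4" * 20, "Dana Maintainer", "2026-03-04T15:30:00+00:00", "Add retry to fetch"),
    _rec("a1" * 20, "Sam Contributor", "2026-03-01T09:00:00+00:00", "Fix typo in README"),
])

if __name__ == "__main__":
    report = find_rewritten_commits(parse_git_log(BASELINE_LOG), parse_git_log(CURRENT_LOG))
    for r in report["rewritten"]:
        print(f"REWRITTEN {r['old'][:12]} -> {r['new'][:12]}  {r['subject']}")
    print("missing:", report["missing"])
```

Save the baseline when you review a dependency, re-run the comparison after each `git fetch` against the remote branch, and keep the baseline somewhere the repository's own token cannot reach; a rewrite that happened between two audits still shows up, which a one-time “(forced update)” line in a fetch you were not watching does not.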

The malware queries a Solana wallet’s transaction memo field to retrieve payload URLs, another example of blockchain infrastructure being abused for C2.

Targets

Django apps, ML research code, Streamlit dashboards, and PyPI packages have all been hit. The attack specifically targets files like setup.py, main.py, and app.py—files that execute automatically during installation or runtime.

On the Defense Side: Betterleaks

Not all news is bad. Betterleaks, a new open-source secrets scanner, launched this week with a design specifically optimized for AI coding agents.

Created by Zach Rice (who wrote the original Gitleaks), Betterleaks uses flag-based output control so AI agents running in Claude Code or Cursor can consume scan results without spending context-window tokens on verbose output. The tool achieves 98.6% recall against the CredData dataset, compared to 70.4% for entropy-based detection.

Key improvements:

  • Validation logic written in Common Expression Language for programmatic control
  • Automatic handling of doubly and triply encoded secrets
  • Parallelized git scanning
  • Pure Go implementation (no Hyperscan dependency)
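The encoded-secrets point deserves a closer look, because a scanner that only pattern-matches raw text misses a token the moment it is base64-encoded into a config value. The following is an added example, written here in Python and not Betterleaks' own (Go) implementation, of the idea: match known token shapes, then peel base64, hex and URL encoding off every candidate blob and rescan, up to three layers deep. The patterns, the depth limit and the sample input are assumptions for the example; the GitHub token is made up and AKIAIOSFODNN7EXAMPLE is the placeholder access key from the AWS documentation.

```python
import base64
import binascii
import re
from typing import List, Tuple
from urllib.parse import quote, unquote

# Token shapes to look for. Both sample values below are placeholders:
# the GitHub PAT is made up, and AKIAIOSFODNN7EXAMPLE is the example key from AWS docs.
PATTERNS = {
    "github_pat": re.compile(r"ghp_[A-Za-z0-9]{36}"),
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
}
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_%-]{16,}")  # runs that could be an encoded blob


def _decode_layer(s: str) -> List[Tuple[str, str]]:
    """Return (encoding, decoded_text) for each decoding of `s` that yields printable text."""
    out: List[Tuple[str, str]] = []
    for name, fn in (("base64", base64.b64decode), ("base64url", base64.urlsafe_b64decode)):
        try:
            text = fn(s + "=" * (-len(s) % 4)).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if text and text.isprintable():
            out.append((name, text))
            break  # the two alphabets rarely both decode cleanly; keep the first that does
    try:
        text = bytes.fromhex(s).decode("utf-8")
        if text and text.isprintable():
            out.append(("hex", text))
    except (ValueError, UnicodeDecodeError):
        pass
    if "%" in s:
        text = unquote(s)
        if text != s:
            out.append(("urlencoded", text))
    return out


def find_encoded_secrets(text: str, max_depth: int = 3) -> List[Tuple[str, str, List[str]]]:
    """Scan `text` for secret patterns, then peel encodings off every candidate blob and
    rescan, up to `max_depth` layers. Each finding is (pattern, secret, decode_chain)."""
    findings: List[Tuple[str, str, List[str]]] = []

    def scan(s: str, chain: List[str], depth: int) -> None:
        for name, pat in PATTERNS.items():
            for m in pat.finditer(s):
                findings.append((name, m.group(0), chain))
        if depth >= max_depth:
            return
        for blob in CANDIDATE.findall(s):
            for enc, decoded in _decode_layer(blob):
                scan(decoded, chain + [enc], depth + 1)

    scan(text, [], 0)
    return findings


# Constructed input: a fake PAT base64-encoded twice, and the AWS example key
# base64-encoded then URL-encoded. Quotes keep the blobs separate from the key names.
FAKE_PAT = "ghp_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8"
AWS_EXAMPLE = "AKIAIOSFODNN7EXAMPLE"
DOUBLE_B64 = base64.b64encode(base64.b64encode(FAKE_PAT.encode())).decode()
URL_B64 = quote(base64.b64encode(AWS_EXAMPLE.encode()).decode())
SAMPLE_TEXT = (
    f'export GH_TOKEN_B64="{DOUBLE_B64}"\n'
    f'aws_key_param="{URL_B64}"\n'
    'plain_ok="nothing-to-see-here-1234567890"\n'
)

if __name__ == "__main__":
    for name, secret, chain in find_encoded_secrets(SAMPLE_TEXT):
        print(f"{name}: {secret}  (decoded via {' -> '.join(chain)})")
```

Two details matter in practice: decoded bytes are only followed further when they are printable text, which keeps the scanner from recursing into binary noise, and the depth limit bounds the work on large files where almost every long alphanumeric run is a plausible base64 candidate.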

If you’re using AI coding agents, having a secrets scanner that speaks their language matters.

What You Can Do

For Trivy/CanisterWorm:

  • Audit the npm packages you maintain for versions you did not publish
  • Rotate CI/CD secrets if you ran Trivy between March 19 and 24, covering every secret the scanning job could read, not only Trivy’s own credentials
  • Check for unexpected outbound connections to ICP canisters

For Langflow:

  • Update to version 1.8.2 or later immediately
  • Check logs for requests to /api/v1/build_public_tmp/
  • Rotate any credentials stored in your Langflow instance

For GlassWorm/ForceMemo:

  • Verify commit hashes on critical Python dependencies
  • Check for unauthorized VS Code/Cursor extensions
  • Enable branch protection that blocks force pushes to release branches (GitHub’s secret-scanning “push protection” is a different feature and does not stop history rewrites)
  • Consider requiring signed commits: an attacker holding a stolen token but not the maintainer’s signing key cannot produce valid signatures on rewritten commits

The pattern is clear: developers are the target. AI agents, coding tools, and CI/CD pipelines are the attack surface. The tools meant to protect us are increasingly what attackers compromise first.