Two unrelated supply chain campaigns discovered this week share a notable architectural choice: both use blockchain networks as their command-and-control infrastructure.
CanisterWorm — Internet Computer Protocol as C2
CanisterWorm targeted the npm ecosystem, specifically backdooring Trivy, the container vulnerability scanner that is embedded in a large share of CI/CD pipelines. The malicious payload phones home to a canister on the Internet Computer Protocol network. A canister is ICP's unit of deployed code (a WebAssembly program that can answer HTTP requests), replicated across the network's nodes rather than hosted on a server the attackers rent, so there is no hosting provider or registrar to send a takedown notice to; the C2 channel is effectively uncensorable and extremely difficult to take down.
The irony of a security scanner being the attack vector is not lost on anyone.
GlassWorm — Solana as C2
GlassWorm went after Rust crates, injecting AI-automated Personal Access Token (PAT) theft into seemingly legitimate packages. Its C2 channel runs through Solana transaction metadata: the attackers encode commands in the memo field of otherwise normal-looking transactions, and the implant reads them back with ordinary read-only RPC queries against the public ledger. Posting a memo costs only a normal transaction fee and is final once the transaction confirms, so commands can be rotated cheaply and old ones can never be deleted, not even by the attackers.
Why blockchain C2 matters
Traditional C2 takedowns rely on seizing domains or IP addresses. Blockchain-based C2 removes that lever entirely: the infrastructure is decentralized and censorship-resistant by design, and the C2 traffic looks like normal blockchain API calls. Two levers remain for defenders. First, the implant still has to reach the chain through some endpoint (a public RPC provider for Solana, a boundary node for an ICP canister), and a build runner or developer workstation normally has no business talking to either, so egress allow-listing in CI and alerting on those destinations is cheap and effective. Second, a public ledger such as Solana is readable by everyone: once the wallet whose memos an implant polls is identified, analysts can pull every command ever posted to it, which is usually more than a seized domain yields.
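To make the memo channel concrete, here is an added example (not code from this page, from GlassWorm, or from any published analysis of it) that pulls memos out of a Solana getTransaction response and triages them the way a hunter would once the attackers' wallet is known. The SPL Memo program addresses are the real, public ones. The transaction is constructed, and the encoding GlassWorm actually uses for its commands is not given on this page, so the classifier only flags memos that contain a URL or that decode from base64 to a URL or a JSON object; that is an assumption about what tasking tends to look like, not a description of the real campaign.

```python
import base64
import json
import re
from typing import List, Tuple

# Solana SPL Memo program addresses (v1 and v2). Any instruction addressed to
# one of these programs carries its memo as plain UTF-8 instruction data.
MEMO_PROGRAM_IDS = {
    "Memo1UhkJRfHyvLMcVucJwxXeuD728EqVDDwQDxFMNo",   # spl-memo v1
    "MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr",   # spl-memo v2
}

_B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Minimal base58 decoder; Solana RPC returns raw instruction data in base58."""
    n = 0
    for ch in s:
        n = n * 58 + _B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))   # each leading '1' is a leading zero byte
    return b"\x00" * pad + body


def extract_memos(tx: dict) -> List[str]:
    """Return every memo in a getTransaction result, in instruction order.

    Handles the jsonParsed encoding (memo text in "parsed") and the raw
    encoding (base58 "data", program resolved via "programIdIndex"). Inner
    instructions are included because a memo can also be emitted from a CPI.
    """
    msg = tx["transaction"]["message"]
    keys = [k["pubkey"] if isinstance(k, dict) else k for k in msg.get("accountKeys", [])]
    instrs = list(msg.get("instructions", []))
    for inner in (tx.get("meta") or {}).get("innerInstructions") or []:
        instrs.extend(inner.get("instructions", []))
    memos = []
    for ix in instrs:
        pid = ix.get("programId")
        if pid is None and "programIdIndex" in ix:
            pid = keys[ix["programIdIndex"]]
        if pid not in MEMO_PROGRAM_IDS:
            continue
        if "parsed" in ix:
            memos.append(ix["parsed"])
        elif "data" in ix:
            memos.append(b58decode(ix["data"]).decode("utf-8", errors="replace"))
    return memos


_URL_RE = re.compile(r"https?://[^\s\"']+")


def classify_memo(memo: str) -> str:
    """Triage heuristic: 'url', 'base64' (decodes to a URL or JSON object), or 'text'."""
    if _URL_RE.search(memo):
        return "url"
    blob = memo.strip()
    if len(blob) >= 16 and re.fullmatch(r"[A-Za-z0-9+/]+=*", blob):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except ValueError:          # binascii.Error and UnicodeDecodeError both subclass it
            return "text"
        if _URL_RE.search(decoded):
            return "base64"
        try:
            if isinstance(json.loads(decoded), dict):
                return "base64"
        except ValueError:
            pass
    return "text"


def hunt(tx: dict) -> List[Tuple[str, str]]:
    """Memos worth a second look: (memo, kind) for every memo that is not plain text."""
    found = []
    for memo in extract_memos(tx):
        kind = classify_memo(memo)
        if kind != "text":
            found.append((memo, kind))
    return found


# Constructed sample in the shape of a getTransaction(..., encoding="jsonParsed")
# result. It is NOT a real GlassWorm transaction: the fee payer, the deposit tag
# and the tasking URL are made up, and the raw-encoded instruction is mixed in
# purely to exercise both code paths (a real response uses one encoding).
SAMPLE_TX = {
    "transaction": {"message": {
        "accountKeys": [
            {"pubkey": "FeePayer1111111111111111111111111111111111"},
            {"pubkey": "MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr"},
        ],
        "instructions": [
            # an ordinary exchange-style deposit tag: benign
            {"program": "spl-memo",
             "programId": "MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr",
             "parsed": "deposit:12345"},
            # a base64 blob that decodes to a stage-two URL: flagged
            {"program": "spl-memo",
             "programId": "MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr",
             "parsed": base64.b64encode(b"https://example.invalid/stage2").decode()},
            # same program in raw encoding: base58("hello") == "Cn8eVZg"
            {"programIdIndex": 1, "accounts": [], "data": "Cn8eVZg"},
        ],
    }},
    "meta": {"innerInstructions": []},
}

if __name__ == "__main__":
    for memo, kind in hunt(SAMPLE_TX):
        print(f"{kind:7} {memo}")
```

In a real hunt you would page through getSignaturesForAddress for the suspect wallet and feed each getTransaction result to hunt(); because the ledger keeps everything, the full command history is recoverable rather than just whatever was live at the moment of discovery.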
This is likely the beginning of a trend, not an anomaly. Expect to see more threat actors adopting blockchain infrastructure as defenders get better at traditional C2 takedowns.
Impact assessment
If you run Trivy in your pipeline (and if you scan containers, you probably do), audit which versions you pulled in the last two weeks; check lockfiles and CI logs rather than relying on memory, because CI runners usually do a fresh install per job and will have taken whatever was current at the time. The compromised versions were live for roughly three hours before detection, but at 83M+ weekly downloads on npm even that window is a significant blast radius. Going forward, pin the scanner to an exact version with its lockfile integrity hash rather than a range, so a future bad release cannot be pulled in silently.
For Rust crate consumers: run cargo audit over your dependency tree, but remember that it only flags crates with a published RustSec advisory, so it will miss anything not yet reported. Also diff Cargo.lock against the copy from a week ago and review every crate that appeared or changed version, paying particular attention to crates from maintainers with thin contribution histories.
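Both audits above come down to the same question: which packages did the lockfile resolve to a version it did not have before the window? Here is an added example (my code, not the page's or any vendor's) that answers it for npm package-lock.json and Cargo.lock. The lockfiles, package names and versions it runs on are constructed for the example; in practice you feed it the current file and the copy from before the window.

```python
import json
import re
from typing import Dict, Set, Tuple

Versions = Dict[str, Set[str]]   # package name -> every resolved version
Delta = Dict[str, Tuple[Set[str], Set[str]]]


def parse_package_lock(text: str) -> Versions:
    """Resolved versions from an npm package-lock.json (lockfileVersion 2 or 3).

    Keys of "packages" are install paths such as "node_modules/foo" or
    "node_modules/foo/node_modules/@scope/bar"; the name is everything after
    the last "node_modules/". The root project has the empty key and is skipped.
    Nested copies are kept, so one name can map to several versions.
    """
    out: Versions = {}
    for path, info in json.loads(text).get("packages", {}).items():
        if not path:
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        out.setdefault(name, set()).add(info.get("version", "?"))
    return out


def parse_cargo_lock(text: str) -> Versions:
    """Resolved versions from a Cargo.lock: each [[package]] table has name and version."""
    out: Versions = {}
    for block in re.split(r"^\[\[package\]\]\s*$", text, flags=re.M)[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        ver = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
        if name and ver:
            out.setdefault(name.group(1), set()).add(ver.group(1))
    return out


def lock_delta(old: Versions, new: Versions) -> Delta:
    """Packages that are new, or resolved to a version the old lockfile did not have."""
    return {
        name: (old.get(name, set()), vers)
        for name, vers in new.items()
        if vers - old.get(name, set())
    }


def changed_since(kind: str, old_text: str, new_text: str) -> Delta:
    """kind is 'npm' or 'cargo'; returns the delta between the two lockfile texts."""
    parse = parse_package_lock if kind == "npm" else parse_cargo_lock
    return lock_delta(parse(old_text), parse(new_text))


# Constructed sample lockfiles: the crate and package names and versions are
# made up for this example and do not refer to any real package.
OLD_CARGO = """\
version = 3

[[package]]
name = "widget"
version = "2.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "gizmo"
version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

NEW_CARGO = """\
version = 3

[[package]]
name = "widget"
version = "2.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "gizmo"
version = "1.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "newdep"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "gizmo",
]
"""

OLD_NPM = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/scanner-cli": {"version": "0.50.0"},
}})

NEW_NPM = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/scanner-cli": {"version": "0.50.1"},
    "node_modules/scanner-cli/node_modules/@scope/helper": {"version": "1.0.0"},
}})

if __name__ == "__main__":
    for kind, old, new in (("cargo", OLD_CARGO, NEW_CARGO), ("npm", OLD_NPM, NEW_NPM)):
        for name, (before, after) in sorted(changed_since(kind, old, new).items()):
            print(f"{kind}: {name} {sorted(before) or '(new)'} -> {sorted(after)}")
```

To get the "before" copy from version control, take the last commit that touched the lockfile before the window and read the file from it, for example git show $(git log -1 --before='2 weeks ago' --format=%H -- Cargo.lock):Cargo.lock; the same works for package-lock.json. Every name the script reports is one to check against the published indicators and, for crates, against the maintainer's history.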