KB-2377 Information about the TeamPCP / CanisterWorm Supply Chain compromise

In late February and March 2026, a widespread supply chain campaign orchestrated by a threat actor known as TeamPCP (associated with the "CanisterWorm" malware) compromised over 50 open-source libraries across multiple ecosystems, including PyPI, npm, Docker Hub, and GitHub Actions.

While the campaign impacted dozens of libraries, notable targets included the litellm library on PyPI (versions 1.82.7 and 1.82.8) and Aqua Security's vulnerability scanner, Trivy (CVE-2026-33634).

Appian has investigated this broader campaign and the affected services, and determined that Appian is not impacted. No vulnerable versions of the libraries associated with the TeamPCP/CanisterWorm compromise are present in the Appian Cloud environment or in any of Appian's products. We will continue to monitor the situation and provide updates as appropriate.

Additional Notes:

The following CVE was released with additional information on the scope of the vulnerability:

CVE-2026-33634 (Aquasecurity Trivy Embedded Malicious Code Vulnerability)

Supporting Documentation:

Affected Versions

This article applies to all supported versions of Appian.

Last reviewed: April 2, 2026
