
CanisterWorm Malware

A sophisticated supply chain attack initially targeting the widely used Trivy scanner has escalated into a broader compromise affecting numerous npm packages. The threat actors behind the campaign are suspected of deploying a previously undocumented self-propagating worm known as CanisterWorm, significantly increasing the scale and impact of the intrusion.

The malware derives its name from its use of an Internet Computer Protocol (ICP) canister, a tamper-resistant smart contract hosted on a decentralized blockchain, as part of its command infrastructure. This marks the first publicly documented instance of ICP canisters being weaponized to retrieve Command-and-Control (C2) endpoints, a novel and resilient tactic that complicates traditional mitigation efforts such as domain blocking and infrastructure takedown.

Compromised Packages and Initial Access Vector

The attack has impacted multiple npm packages across different scopes, demonstrating a wide blast radius within the software supply chain:

  • 28 packages under the @EmilGroup scope
  • 16 packages under the @opengov scope
  • Additional packages including @teale.io/eslint-config, @airtm/uuid-base32, and @pypestream/floating-ui-dom

This campaign follows closely on the heels of a credential compromise that enabled attackers to publish malicious versions of Trivy-related tools, specifically trivy, trivy-action, and setup-trivy, which contained embedded credential-stealing functionality. The operation is believed to be linked to a cloud-focused cybercriminal group identified as TeamPCP.

Infection Workflow and Decentralized Command Infrastructure

The infection chain begins during the npm package installation process, where a postinstall script executes a loader. This loader deploys a Python-based backdoor designed to communicate with the ICP canister. The canister acts as a dead drop resolver, returning a URL that directs the infected system to download and execute the next-stage payload.

The decentralized nature of the ICP infrastructure provides a significant advantage to the attackers. Since the canister can dynamically update the payload URL, threat actors can distribute new malicious binaries across all infected systems without modifying the deployed malware itself. This architecture also makes takedown efforts considerably more challenging.

Persistence Mechanism and Stealth Techniques

Persistence is achieved through the creation of a systemd user service configured to automatically restart the malicious process. Key characteristics include:

  • Automatic restart enforced via the Restart=always directive
  • A 5-second delay before relaunching the backdoor if terminated
  • Disguising the service as legitimate PostgreSQL monitoring software under the name 'pgmon'

This approach ensures continuous operation while minimizing the likelihood of detection by blending in with legitimate system services.
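The persistence traits listed above are checkable from the unit file alone. The following Python audit is an added example, not code from the report or from the malware; the unit texts are constructed for illustration, and the script path and description are assumptions, not indicators from this page.

```python
# Constructed unit mimicking the pgmon persistence described above; the path
# and description are illustrative, not indicators from the report.
SUSPECT_UNIT = """\
[Unit]
Description=PostgreSQL monitor
[Service]
ExecStart=/usr/bin/python3 /home/dev/.cache/pgmon/pgmon.py
Restart=always
RestartSec=5
"""
# Constructed benign user unit for comparison.
BENIGN_UNIT = """\
[Service]
ExecStart=/usr/bin/rsync -a /home/dev/notes /mnt/backup
Restart=on-failure
RestartSec=60
"""
INTERPRETERS = ("python", "node", "perl", "sh", "bash")
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

def parse_service(text):
    """Return the [Service] section of a unit file as a dict (last value wins)."""
    section, keys = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip()] = value.strip()
    return keys

def audit_unit(text):
    """List the traits of a unit that match the pgmon persistence pattern."""
    svc = parse_service(text)
    findings = []
    if svc.get("Restart") == "always":
        findings.append("restart_always")
    if svc.get("RestartSec", "").isdigit() and int(svc["RestartSec"]) <= 10:
        findings.append("short_restart_delay")
    argv = svc.get("ExecStart", "").split()
    launcher = argv[0].rsplit("/", 1)[-1] if argv else ""
    if launcher.startswith(INTERPRETERS):
        findings.append("interpreter_launcher")
        payload = argv[1] if len(argv) > 1 else ""  # script handed to the interpreter
    else:
        payload = argv[0] if argv else ""
    if payload.startswith(USER_WRITABLE):
        findings.append("payload_in_user_writable_path")
    return findings
```

Run `audit_unit` over every file under `~/.config/systemd/user/` and treat a unit that collects all four findings as worth a manual look.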

Adaptive Payload Delivery and Kill Switch Behavior

The backdoor polls the ICP canister every 50 minutes, using a spoofed browser User-Agent string to avoid suspicion. The returned URL determines the next action:

  • If the URL points to a valid payload, the malware downloads and executes it
  • If the URL contains 'youtube.com', the malware enters a dormant state

This mechanism effectively serves as a remote kill switch. By toggling the canister's URL between a benign YouTube link and a malicious payload, the attacker can activate or deactivate the malware across all infected systems. Notably, previously executed payloads continue running in the background, as the malware does not terminate earlier processes.

A similar YouTube-based kill switch has also been observed in a trojanized Trivy binary (version 0.69.4), which communicates with the same ICP infrastructure via a separate Python dropper.
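The fixed 50-minute cadence combined with a browser User-Agent coming from a script interpreter is a detectable pattern in egress logs. The following Python beacon finder is an added example, not part of the report; the log lines are constructed, and the canister hostname is a placeholder since this page lists no real ICP endpoints.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines: timestamp, process name, destination host, User-Agent.
# The canister host is a placeholder; this page lists no real ICP endpoints.
LOG_LINES = """\
2024-05-01T10:00:03Z python3 canister.example-icp.invalid Mozilla/5.0 (Windows NT 10.0) Chrome/120
2024-05-01T10:07:11Z firefox news.example.com Mozilla/5.0 (X11; Linux x86_64) Firefox/125
2024-05-01T10:50:05Z python3 canister.example-icp.invalid Mozilla/5.0 (Windows NT 10.0) Chrome/120
2024-05-01T11:40:02Z python3 canister.example-icp.invalid Mozilla/5.0 (Windows NT 10.0) Chrome/120
2024-05-01T12:30:09Z python3 canister.example-icp.invalid Mozilla/5.0 (Windows NT 10.0) Chrome/120
2024-05-01T12:31:00Z python3 pypi.org pip/24.0
"""

INTERPRETERS = ("python", "node", "perl")  # processes that should not look like a browser

def parse_log(lines):
    """Group (timestamp, user_agent) pairs by (process, host)."""
    events = defaultdict(list)
    for line in lines.splitlines():
        ts, proc, host, ua = line.split(" ", 3)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events[(proc, host)].append((when, ua))
    return events

def find_beacons(lines, min_hits=3, max_jitter=0.1):
    """Return {(process, host): mean_interval_minutes} for interpreter processes
    that contact one host at a steady cadence while presenting a browser User-Agent."""
    beacons = {}
    for (proc, host), evs in parse_log(lines).items():
        if len(evs) < min_hits or not proc.startswith(INTERPRETERS):
            continue
        if not all(ua.startswith("Mozilla/") for _, ua in evs):
            continue
        times = sorted(t for t, _ in evs)
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # steady cadence: every gap lies within max_jitter of the mean interval
        if max(abs(g - mean) for g in gaps) <= max_jitter * mean:
            beacons[(proc, host)] = round(mean, 1)
    return beacons
```

Because the kill switch only changes what the canister returns, the beacon itself keeps running while the malware is dormant, so this cadence check still fires during a quiet period.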

Worm Capabilities and Automated Propagation

Initially, propagation relied on a manually executed script named deploy.js, which leveraged stolen npm authentication tokens to inject malicious code into accessible packages. This script was not triggered during installation but served as a standalone tool to expand the attack's reach.

Subsequent variants of CanisterWorm have evolved significantly. In newer versions, such as those found in @teale.io/eslint-config (versions 1.8.11 and 1.8.12), the worm incorporates self-propagation directly into the package's installation process. The updated mechanism includes:

  • Extraction of npm authentication tokens from the infected environment
  • Immediate execution of the propagation routine as a detached background process
  • Automated publishing of compromised packages using harvested credentials

This shift transforms the attack from a manually operated campaign into a fully autonomous propagation system.
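Propagation needs two things in the installing environment: an install-time lifecycle script and a reachable npm token. The following Python check is an added example, not code from the report or from any affected package; the manifest and `.npmrc` are constructed, and the token environment variable names are assumed conventions rather than values from this page.

```python
import json
import re

# Constructed manifest for illustration; not a real package from the report.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-config",
    "version": "1.0.0",
    "scripts": {"postinstall": "node setup.js", "test": "jest"},
})
# Constructed .npmrc with a placeholder token.
SAMPLE_NPMRC = "//registry.npmjs.org/:_authToken=npm_PLACEHOLDER_TOKEN\n"

# Scripts npm runs automatically when a dependency is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Environment variables commonly used to hand publish tokens to CI jobs (assumed names).
TOKEN_ENV_VARS = ("NPM_TOKEN", "NODE_AUTH_TOKEN")

def install_hooks(package_json_text, ignore_scripts=False):
    """Return the lifecycle scripts that would execute on `npm install`.
    ignore_scripts models the effect of `npm install --ignore-scripts`."""
    if ignore_scripts:
        return {}
    scripts = json.loads(package_json_text).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}

def exposed_tokens(npmrc_text, env):
    """Return where an install script could read a publish-capable npm token."""
    found = []
    if re.search(r"_authToken\s*=\s*\S+", npmrc_text):
        found.append(".npmrc:_authToken")
    found.extend(k for k in env if k in TOKEN_ENV_VARS)
    return found

def propagation_risk(package_json_text, npmrc_text, env, ignore_scripts=False):
    """Combine both preconditions: code that runs at install time and a token it can reach."""
    hooks = install_hooks(package_json_text, ignore_scripts)
    tokens = exposed_tokens(npmrc_text, env)
    return {"hooks": hooks, "tokens": tokens,
            "can_propagate": bool(hooks) and bool(tokens)}
```

Either precondition alone is enough to break the chain: installing with `--ignore-scripts`, or keeping publish tokens out of the environments that run installs.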

Escalation into a Self-Sustaining Supply Chain Threat

The introduction of automated token harvesting and self-propagation marks a critical escalation. Any developer workstation or CI/CD pipeline that installs a compromised package and contains accessible npm credentials becomes an active propagation node. This creates a cascading effect in which infected packages lead to further infections across downstream dependencies.

At this stage, the threat evolves beyond isolated account compromise into a self-sustaining ecosystem of malware distribution. Each newly infected environment contributes to the spread, enabling exponential growth and making containment significantly more difficult.

Compounding the concern, testing artifacts such as a placeholder payload ('hello123') indicate that the attackers are actively refining and validating the attack chain before deploying fully operational malicious binaries.
