Cybersecurity researchers have identified a significant escalation in the ongoing Trivy supply chain attack, with threat actors deploying a self-spreading malware dubbed CanisterWorm across at least 47 npm packages.
The malware leverages an ICP canister—a tamperproof smart contract on the Internet Computer blockchain—as a decentralized “dead drop” to fetch command-and-control (C2) payloads. According to Charlie Eriksen from Aikido Security, this represents the first publicly documented use of an ICP canister for malware distribution.
Scope of the Attack
The compromised packages include:
- 28 packages under the
@EmilGroup scope
- 16 packages under the
@opengov scope
@teale.io/eslint-config@airtm/uuid-base32@pypestream/floating-ui-dom
The attack follows the publication of trojanized versions of Trivy, trivy-action, and setup-trivy, which contained a credential-stealing component. The operation is attributed to the cybercriminal group TeamPCP.
How CanisterWorm Works
The infection chain begins with a postinstall hook that executes a loader, which then installs a Python backdoor. This backdoor contacts the ICP canister every 50 minutes using a spoofed browser User-Agent to retrieve a URL pointing to the next-stage payload. The canister’s decentralized nature allows the attacker to update or replace the payload without touching infected machines.
Persistence is achieved via a systemd user service configured to automatically restart the backdoor, masquerading as PostgreSQL tooling (pgmon) to avoid detection. A “dormant state” mechanism points the malware at a benign URL, such as a YouTube video, until the attacker switches it to an actual payload.
Additionally, the malware includes scripts (deploy.js and later index.js) that allow it to propagate automatically across npm packages using stolen authentication tokens. In its latest variant, CanisterWorm collects npm tokens directly from the developer’s machine during the postinstall phase and launches the worm without manual intervention.
“This marks the shift from a compromised account publishing malware to malware autonomously compromising and republishing packages,” Eriksen explained. “Developers or CI pipelines with exposed npm tokens inadvertently become propagation vectors, spreading the malware downstream.”
Expanded Impact
Security company Socket reports that CanisterWorm has now affected 141 malicious artifacts spanning over 66 unique npm packages. Analyses by Endor Labs and JFrog describe the malware as both a credential harvester and a payload dropper, designed to weaponize stolen npm tokens to maximize the attack’s reach.
Henrik Plate, head of security research at Endor Labs, noted, “This campaign confirms that worm-like self-propagation has become a recurring tactic in software supply chain attacks, turning a single compromise into an exponentially expanding threat.”
Key Takeaways for Developers
- Audit npm tokens stored in developer environments and CI/CD systems.
- Review installed packages and remove untrusted or suspicious modules.
- Monitor for unusual postinstall activity or unexpected systemd services.
- Apply supply chain security best practices, including dependency validation and token rotation.
The CanisterWorm incident underscores the growing sophistication of supply chain attacks and the risks posed by centralized credential misuse in open-source ecosystems.
