Supply chain attacks against developer tooling have become a reliable entry point for credential theft and lateral spread — and a new campaign linked to the Trivy vulnerability scanner compromise shows how quickly that initial foothold can metastasize.
According to the report, the threat actors behind the Trivy supply chain attack — suspected to be a cloud-focused cybercriminal operation known as TeamPCP — have now compromised 47 npm packages with a previously undocumented self-propagating worm called CanisterWorm. The name derives from the malware’s use of an ICP canister, a tamperproof smart contract on the Internet Computer blockchain, as a dead drop resolver for retrieving its command-and-control server address. Aikido Security researcher Charlie Eriksen describes this as the first publicly documented abuse of an ICP canister for that specific purpose.
The infection chain begins with a postinstall hook embedded in malicious npm packages, which executes a loader that drops a Python backdoor. That backdoor contacts the ICP canister every 50 minutes, using a spoofed browser User-Agent, to retrieve a URL pointing to the next-stage payload. Because the dead drop infrastructure is decentralized, it resists takedown. “The canister controller can swap the URL at any time, pushing new binaries to all infected hosts without touching the implant,” Eriksen said.
Persistence is established through a systemd user service configured with a “Restart=always” directive and a 5-second restart delay, masquerading as PostgreSQL tooling under the name “pgmon” to avoid detection.
The worm’s operational design includes a built-in dormancy mechanism. When the ICP canister points to a youtube.com URL, the backdoor skips execution entirely — a kill switch the attacker can toggle by alternating between a live payload URL and a YouTube link. As of publication, the canister was returning a rickroll video. A similar kill switch was independently identified by Wiz in connection with the trojanized Trivy binary version 0.69.4, which contacts the same ICP canister through a separate Python dropper named “sysmon.py.” The canister itself exposes three methods — get_latest_link, http_request, and update_link — with the last allowing the attacker to modify delivered payloads at will.
Self-Propagation Without Manual Intervention
Initial versions of CanisterWorm relied on a “deploy.js” script that the attacker ran manually using stolen npm tokens to push malicious versions across reachable packages. Aikido assessed the worm to have been coded using an AI tool, and noted it makes no attempt to hide its functionality. “This isn’t triggered by npm install,” the firm said. “It’s a standalone tool the attacker runs with stolen tokens to maximize blast radius.”
More Read
A subsequent mutation detected in @teale.io/eslint-config versions 1.8.11 and 1.8.12 removes that manual dependency entirely. The new variant embeds token-harvesting logic inside a findNpmTokens() function within “index.js,” executed during the postinstall phase. After deploying the persistent backdoor, the script searches the victim’s environment for npm authentication tokens and immediately launches “deploy.js” as a fully detached background process — spreading autonomously without attacker interaction.
The full campaign unfolded within a day of TeamPCP using a compromised credential to publish malicious releases of trivy, trivy-action, and setup-trivy containing a credential stealer, suggesting a deliberately sequenced escalation from targeted tool compromise to broad npm registry infection.
Photo by Anete Lusina on Pexels
This article is a curated summary based on third-party sources. Source: Read the original article
