Trivy Supply Chain Attack Triggers Self-Spreading CanisterWorm Across 47 npm Packages
These articles are AI-generated summaries. Please check the original sources for full details.
Trivy Supply Chain Attack Triggers Self-Spreading CanisterWorm Across 47 npm Packages
The CanisterWorm malware has compromised 47 npm packages following an initial supply chain attack on the Trivy security scanner. Aikido Security researcher Charlie Eriksen reports this as the first documented abuse of Internet Computer Protocol (ICP) canisters for fetching command-and-control (C2) servers. The worm automates its spread by harvesting npm tokens from developer environments during the postinstall phase.
Why This Matters
In modern CI/CD pipelines, the ideal model assumes that package installations are passive operations that only pull dependencies. The technical reality of CanisterWorm demonstrates that postinstall hooks can be weaponized to turn developer machines into active propagation vectors. By harvesting npm tokens and programmatically publishing malicious updates, the malware bypasses standard perimeter defenses and targets the trust inherent in the registry system. Furthermore, the use of decentralized ICP canisters as dead drop resolvers challenges traditional IP-based or domain-based blocking strategies. Since the attacker can update the C2 URL within a tamperproof smart contract without modifying the implant, the infrastructure remains resilient to takedown efforts. This shift from centralized C2 to blockchain-based resolvers represents a significant escalation in the persistence and agility of supply chain threats.
Key Insights
- The malware uses ICP (Internet Computer Protocol) canisters as dead drop resolvers to fetch C2 URLs, as documented by Aikido Security in 2026.
- Persistence is established via a systemd user service masquerading as “pgmon” (PostgreSQL tooling) with a “Restart=always” directive.
- The backdoor polls the ICP canister every 50 minutes using spoofed browser User-Agents to retrieve new instructions or binaries.
- A “youtube.com” link serves as a kill switch or dormant state; the script skips execution if the retrieved URL points to YouTube.
- The worm automates propagation using a findNpmTokens() function to locate credentials and deploy.js to push malicious versions to all accessible packages.
Practical Applications
- Use Case: TeamPCP attackers used stolen credentials to publish malicious versions of @EmilGroup and @opengov packages to establish backdoors.
- Pitfall: Storing raw npm authentication tokens in environment variables or configuration files allows the findNpmTokens() function to automate self-propagation.
- Use Case: The malware uses decentralized ICP canisters to change payload URLs dynamically without requiring code updates to the infected hosts.
- Pitfall: Relying on standard process names for monitoring is insufficient, as the malware masquerades as legitimate services like PostgreSQL’s pgmon.
References:
Continue reading
Next article
Understanding the Model Context Protocol (MCP) for AI Integration
Related Content
Cline CLI 2.3.0 Supply Chain Attack: OpenClaw Installed via Compromised NPM Token
Cline CLI 2.3.0 was compromised via a stolen npm token to install OpenClaw, affecting approximately 4,000 downloads during an eight-hour window on February 17, 2026.
Mini Shai-Hulud Worm: Critical Supply Chain Attack Hits TanStack and npm Ecosystem
The Mini Shai-Hulud worm compromised 170+ packages and 500M+ downloads across npm and PyPI by exploiting GitHub Actions OIDC tokens.
PhantomRaven Malware Exploits npm Packages to Steal Developer Secrets
Researchers identify PhantomRaven, a supply chain attack using 126 malicious npm packages to steal GitHub tokens and CI/CD secrets by exploiting remote dependencies and AI-generated package names.