A sophisticated supply chain attack on Trivy scanner has evolved into CanisterWorm, a self-propagating malware that compromises npm packages and spreads using stolen credentials and decentralized C2 infrastructure.
A sophisticated supply chain attack targeting the popular Trivy security scanner has evolved into a self-propagating malware campaign dubbed CanisterWorm, which has compromised 47 npm packages across multiple scopes. The attack represents a significant escalation in supply chain threats, leveraging decentralized infrastructure and automated propagation mechanisms to maximize its reach.
The Evolution of the Attack
The threat actors behind the initial Trivy compromise are suspected to be conducting follow-on attacks that have led to the widespread compromise of npm packages. The name "CanisterWorm" refers to the malware's use of an ICP (Internet Computer Protocol) canister as a dead drop resolver - marking the first publicly documented abuse of ICP canisters for explicitly fetching command-and-control server addresses.
According to Aikido Security researcher Charlie Eriksen, this decentralized approach makes the infrastructure resilient to takedown efforts. "The canister controller can swap the URL at any time, pushing new binaries to all infected hosts without touching the implant," Eriksen explained.
Affected Packages
The compromised packages span multiple scopes:
- 28 packages in the @EmilGroup scope
- 16 packages in the @opengov scope
- Individual packages including @teale.io/eslint-config, @airtm/uuid-base32, and @pypestream/floating-ui-dom
Infection Mechanism
The attack chain begins with a postinstall hook that executes a loader script, which drops a Python backdoor responsible for contacting the ICP canister. This backdoor phones the canister every 50 minutes using a spoofed browser User-Agent to fetch URLs in plaintext.
Persistence is established through a systemd user service configured to automatically restart the Python backdoor after a 5-second delay if terminated. The service masquerades as PostgreSQL tooling ("pgmon") to avoid detection.
The YouTube Kill Switch
Interestingly, the malware incorporates a kill switch mechanism: if the URL contains "youtube.com," the script skips execution. This dormant state allows attackers to arm or disarm the implant by switching between actual payloads and YouTube links. Currently, the URL returned by the C2 points to a Rickroll video, suggesting the infrastructure is in a dormant state.
Self-Propagation Evolution
The attack has evolved beyond its initial scope. A subsequent iteration detected in "@teale.io/eslint-config" versions 1.8.11 and 1.8.12 can self-propagate without manual intervention. Unlike the original "deploy.js" script that required manual execution with stolen npm tokens, this new variant incorporates propagation functionality directly into "index.js" through a findNpmTokens() function.
This function runs during the postinstall phase to collect npm authentication tokens from the victim's machine, then spawns the worm immediately using those tokens by launching "deploy.js" as a detached background process.
AI-Generated Malware
Security researchers assess that CanisterWorm was vibe-coded using an artificial intelligence tool, making no attempt to conceal its functionality. "This isn't triggered by npm install," Aikido noted. "It's a standalone tool the attacker runs with stolen tokens to maximize blast radius."
The Escalation to Self-Spreading
The most concerning aspect is the attack's evolution from "compromised account publishes malware" to "malware compromises more accounts and publishes itself." Every developer or CI pipeline that installs an infected package with accessible npm tokens becomes an unwitting propagation vector.
Eriksen described the escalation: "Their packages get infected, their downstream users install those, and if any of them have tokens, the cycle repeats."
Testing and Validation
In a telling development, the threat actor appears to have swapped the ICP backdoor payload for a dummy test string ("hello123") in the latest iteration. This suggests the attacker is validating the entire attack chain before deploying actual malicious payloads.
Technical Infrastructure
The ICP canister supports three methods:
- get_latest_link
- http_request
- update_link (allows threat actors to modify behavior)
This infrastructure enables real-time updates to all infected machines without requiring code changes to the implant itself.
The CanisterWorm attack demonstrates how supply chain compromises can evolve into sophisticated, self-propagating threats that leverage decentralized infrastructure and automation to maximize impact across the software ecosystem.
Comments
Please log in or register to join the discussion