A large-scale supply chain attack targeting the widely used Trivy security scanner has escalated into a self-propagating malware campaign, infecting at least 47 npm packages with a newly identified worm known as CanisterWorm.
Security researchers report that the attackers are likely continuing their operations beyond the initial compromise, expanding the infection across multiple software ecosystems through automated propagation techniques.
Abuse of Blockchain Infrastructure for Malware Delivery
A key aspect of this attack is the misuse of the Internet Computer blockchain. The malware leverages an ICP canister, a tamper-resistant smart contract system, as a dead drop mechanism to fetch command and control (C2) instructions.
According to security researcher Charlie Eriksen from Aikido Security, this is the first known case where an ICP canister has been used specifically to retrieve a C2 server address.
This decentralized approach makes the attack highly resilient, as the attacker can dynamically update payload URLs without modifying the infected systems directly.
Affected npm Packages and Attack Scope
The malware has been observed in multiple package groups, including:
- 28 packages under the @EmilGroup scope
- 16 packages under the @opengov scope
- @teale.io/eslint-config
- @airtm/uuid-base32
- @pypestream/floating-ui-dom
The infection likely originated after attackers used stolen credentials to publish malicious versions of legitimate Trivy-related packages.
A threat group referred to as TeamPCP is suspected to be behind the campaign.
Infection Chain and Persistence Mechanism
The attack uses a multi-stage infection process:
- A malicious postinstall script executes automatically after package installation
- This script launches a loader that deploys a Python-based backdoor
- The backdoor communicates with the ICP canister to retrieve the next-stage payload
Persistence is achieved through a systemd user service, disguised as PostgreSQL-related tooling. This service ensures the malware restarts automatically if terminated.
The backdoor repeatedly checks the canister every 50 minutes using a spoofed browser identity, retrieving updated instructions or payloads.
Dynamic Payload Delivery and Control
The attacker controls the malware through the ICP canister, which includes methods such as:
- get_latest_link
- http_request
- update_link
This allows the threat actor to instantly switch payloads or pause activity. For example, the malware can be disabled by pointing to a benign YouTube URL, while switching back activates the malicious payload.
Researchers also observed that a similar mechanism was previously used in a trojanized Trivy binary, which connected to the same infrastructure.
Self-Propagation Through npm Tokens
A more advanced variant of CanisterWorm removes the need for manual execution by fully automating the propagation process.
This version:
- Extracts npm authentication tokens from developer environments
- Uses these tokens to publish infected packages
- Runs propagation logic automatically during installation
This turns every infected developer machine or CI pipeline into a propagation node, allowing the worm to spread exponentially across software supply chains.
Escalation of the Attack
The evolution of this malware marks a shift from traditional supply chain attacks to autonomous self-replicating threats.
Security experts warn that:
- Each infected package can compromise new environments
- Those environments can spread the malware further
- The cycle continues automatically if credentials are present
This makes the attack extremely difficult to contain and highlights the growing risks of compromised developer credentials in modern software ecosystems.
(This is a developing story. Please check back for more details.)
Found this article interesting? Follow us on X (Twitter) , Facebook, Blue sky and LinkedIn to read more exclusive content we post.
