A recent supply chain attack involving the widely used Trivy scanner has escalated into a broader cybersecurity incident, with threat actors deploying a self propagating malware known as CanisterWorm across multiple npm packages. Researchers indicate that the campaign initially stemmed from compromised credentials used to distribute malicious versions of trivy, trivy action, and setup trivy, which contained a credential stealer. The activity has been linked to a cloud focused cybercriminal group identified as TeamPCP, with subsequent operations expanding the attack surface significantly.
Security analysis reveals that the attackers leveraged npm package distribution channels to inject malicious code into dozens of libraries, including clusters under @EmilGroup and @opengov scopes, along with individual packages such as @teale.io/eslint config, @airtm/uuid base32, and @pypestream/floating ui dom. The infection chain begins with a postinstall hook that triggers a loader, ultimately deploying a Python based backdoor. This backdoor communicates with an Internet Computer blockchain component referred to as an ICP canister, which functions as a decentralized dead drop resolver. This mechanism allows the malware to retrieve command and control instructions dynamically, making takedown efforts more difficult due to its distributed nature.
The malware establishes persistence by configuring a systemd user service disguised as PostgreSQL related tooling under the name pgmon. This service ensures that the backdoor is automatically restarted if terminated, maintaining continuous access. The backdoor periodically connects to the ICP canister using spoofed browser identifiers to obtain a URL that hosts the next stage payload. Researchers observed that the attacker can manipulate the payload delivery by switching the canister output between inactive links such as youtube.com and active malicious binaries. This approach enables remote control over infected systems without modifying the deployed malware itself, allowing operators to activate or deactivate the campaign at will.
Further investigation uncovered a propagation mechanism embedded within a script named deploy.js, which uses stolen npm tokens to push malicious updates to additional packages accessible through compromised credentials. While this script initially required manual execution, a newer variant identified in @teale.io/eslint config versions 1.8.11 and 1.8.12 incorporates automated spreading capabilities. This version includes functionality to scan developer environments for npm authentication tokens during the postinstall phase and immediately reuse them to replicate the malware across other packages. As a result, any developer or CI pipeline installing the infected package and exposing tokens becomes an unintentional vector for further distribution, amplifying the reach of the attack.
Subsequent analysis by multiple security firms indicates that the campaign has continued to expand, with reports identifying over 141 malicious artifacts spanning more than 66 unique npm packages. Researchers describe the malware as both a credential harvesting tool and a delivery mechanism for additional payloads, highlighting how a single compromised account can trigger widespread ecosystem level impact. The use of decentralized infrastructure, automated token exploitation, and continuous propagation reflects a growing trend in software supply chain threats, where attackers increasingly rely on scalable techniques to maximize reach within developer communities.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
