Researchers linked a self-propagating worm named CanisterWorm to the recent Trivy supply chain compromise, saying the malware chain has resulted in the compromise of 47 npm packages and can update its payloads through an ICP (Internet Computer Protocol) canister.
KEY FACTS
- Incident: compromise began after malicious Trivy releases were published
- Malware: named CanisterWorm; uses a Python backdoor
- Propagation: attackers used stolen npm tokens to publish infected packages
- Scope: 47 npm packages, including scoped packages under @EmilGroup and @opengov
- Persistence: a systemd user service that hides as PostgreSQL tooling
In a technical analysis, Aikido Security reported that the worm uses an ICP canister as a decentralized dead drop resolver to distribute next stage payloads.
The infection chain installs a loader via a postinstall hook that drops a Python backdoor. The backdoor polls the canister every 50 minutes with a spoofed browser User-Agent header and retrieves a plaintext URL pointing to the executable the attacker wants run.
Persistence is established by a systemd user service configured with Restart=always and a five-second restart delay. The service is named and presented as “pgmon” to mimic PostgreSQL tooling.
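The persistence mechanism above is something a defender can hunt for directly. The following script is an added example for illustration; it is not code from the article, from Aikido Security, or from the worm. It parses systemd user unit files and flags the indicators the article names: Restart=always with a short RestartSec, an ExecStart that runs an interpreter on a script under a user-writable directory, and a unit whose name or Description claims to be PostgreSQL tooling while its command is unrelated. The unit texts embedded below are constructed samples, not real indicators of compromise, and the unit directory path is the standard `~/.config/systemd/user` location.

```python
"""Audit systemd *user* services for the persistence pattern described above.

Added example, not code from the article, from Aikido Security, or from the
worm. The sample units at the bottom are constructed for the demonstration.
"""
from pathlib import Path

INTERPRETERS = {"python", "python3", "node", "sh", "bash", "perl"}
USER_WRITABLE = ("/tmp/", "/.cache/", "/.local/", "/.config/")
DB_WORDS = ("postgres", "pg_", "pgmon")  # names a decoy unit might borrow


def parse_unit(text):
    """Minimal systemd unit parser -> {section: [(key, value), ...]}.
    Keys may legitimately repeat (e.g. several ExecStartPre=), so each
    section keeps an ordered list rather than a dict."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def _values(sections, section, key):
    return [v for k, v in sections.get(section, []) if k == key]


def audit_unit(name, text):
    """Return the list of indicators found in one unit (empty = nothing odd)."""
    sections = parse_unit(text)
    findings = []
    execs = _values(sections, "Service", "ExecStart")
    descs = _values(sections, "Unit", "Description")

    if "always" in _values(sections, "Service", "Restart"):
        delay = (_values(sections, "Service", "RestartSec") or ["default"])[0]
        findings.append(f"Restart=always with RestartSec={delay}")

    for cmd in execs:
        argv = cmd.split()
        if argv and Path(argv[0]).name in INTERPRETERS:
            findings.append(f"ExecStart runs an interpreter: {cmd}")
        if any(p in cmd for p in USER_WRITABLE):
            findings.append(f"ExecStart references a user-writable path: {cmd}")

    # A unit that borrows a PostgreSQL-sounding name but never runs a
    # PostgreSQL binary is the decoy pattern the article describes.
    claims_db = any(w in (name + " " + " ".join(descs)).lower() for w in DB_WORDS)
    runs_db = any("postgres" in c or "pg_" in c for c in execs)
    if claims_db and not runs_db:
        findings.append("presents as PostgreSQL tooling but ExecStart is unrelated")
    return findings


def audit_units(units):
    """units: {unit_name: unit_text}. Returns {unit_name: indicators} for
    every unit that triggered at least one indicator."""
    return {n: f for n, t in units.items() if (f := audit_unit(n, t))}


def audit_user_units(home=None):
    """Audit the real user unit directory, where `systemctl --user enable`
    places units for the current account."""
    unit_dir = Path(home or Path.home()) / ".config" / "systemd" / "user"
    if not unit_dir.is_dir():
        return {}
    return audit_units({p.name: p.read_text() for p in unit_dir.glob("*.service")})


# Constructed sample units: one mimicking the decoy described in the article,
# one ordinary user service for contrast.
SAMPLE_UNITS = {
    "pgmon.service": """[Unit]
Description=PostgreSQL monitor

[Service]
ExecStart=/usr/bin/python3 /home/dev/.cache/pgmon/pgmon.py
Restart=always
RestartSec=5

[Install]
WantedBy=default.target
""",
    "syncthing.service": """[Unit]
Description=Syncthing file synchronization

[Service]
ExecStart=/usr/bin/syncthing serve --no-browser
Restart=on-failure
RestartSec=1

[Install]
WantedBy=default.target
""",
}

if __name__ == "__main__":
    for unit, indicators in audit_units(SAMPLE_UNITS).items():
        print(unit)
        for line in indicators:
            print("  -", line)
```

Run as-is it reports only the constructed `pgmon.service`; calling `audit_user_units()` on a developer workstation or CI runner checks the real unit directory, which is the place a rogue `systemctl --user enable` lands a unit without needing root.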
The canister exposes methods to get and update the link; the update capability lets the controller change the payload URL for all infected hosts at once.
Attackers initially used a manual “deploy.js” script with stolen tokens to push malicious versions of packages. A later variant embeds token collection in a postinstall “index.js” that runs a findNpmTokens function and immediately launches propagation in the background.
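Because the propagation step rides on a postinstall hook, the practical defensive check after an incident like this is to enumerate which installed packages run anything at install time and what they run. The script below is an added example for illustration; it is not code from the article, from Aikido Security, or from any affected project. It audits package manifests for install-time lifecycle hooks, rates commands that hand control to an interpreter or a downloader as worth reading by hand, checks whether an `.npmrc` already sets `ignore-scripts=true`, and lists persisted auth-token lines with the secret redacted so the report shows which registries need a token rotation. The package names, commands and token value in the samples are constructed.

```python
"""Audit npm package manifests for install-time lifecycle hooks.

Added example, not code from the article, from Aikido Security, or from any
affected project. Sample manifests and the sample .npmrc are constructed.
"""
import json
import re
from pathlib import Path

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Commands that hand control to an interpreter or fetch content are the ones
# worth reading by hand before the next install.
HIGH_RISK = re.compile(
    r"\bnode\s+\S+\.js\b|\bpython3?\b|\bcurl\b|\bwget\b|\bbash\b|\bsh\s+-c\b"
)


def audit_packages(packages):
    """packages: {package_name: package.json text}.
    Returns one dict per install-time hook found: name, hook, command, risk."""
    findings = []
    for name, text in packages.items():
        try:
            manifest = json.loads(text)
        except json.JSONDecodeError:
            findings.append({"name": name, "hook": None, "command": None, "risk": "unparseable"})
            continue
        scripts = manifest.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                cmd = str(scripts[hook])
                risk = "high" if HIGH_RISK.search(cmd) else "review"
                findings.append({"name": name, "hook": hook, "command": cmd, "risk": risk})
    return findings


def audit_node_modules(root):
    """Walk a real node_modules tree and audit every package manifest in it."""
    manifests = {}
    for path in Path(root).rglob("package.json"):
        name = path.parent.name
        if path.parent.parent.name.startswith("@"):  # scoped package, e.g. @scope/name
            name = f"{path.parent.parent.name}/{name}"
        manifests[name] = path.read_text(encoding="utf-8", errors="replace")
    return audit_packages(manifests)


def npmrc_ignores_scripts(text):
    """True when an .npmrc disables lifecycle scripts (ignore-scripts=true),
    which stops a postinstall hook from running in the first place."""
    return any(
        line.strip().replace(" ", "") == "ignore-scripts=true"
        for line in text.splitlines()
    )


def npmrc_token_lines(text):
    """Return the auth-token lines of an .npmrc with the secret redacted, so the
    report shows which registries have a persisted token that needs rotating."""
    out = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().endswith("_authToken"):
            out.append(f"{key.strip()}={value.strip()[:6]}[redacted]")
    return out


# Constructed samples: a package with no hooks, one whose postinstall runs a
# script the way the article describes, and a native module with a build step.
SAMPLE_PACKAGES = {
    "left-pad-ish": '{"name": "left-pad-ish", "version": "1.0.0"}',
    "@example/widget": '{"name": "@example/widget", "version": "2.3.1", '
                       '"scripts": {"postinstall": "node index.js", "test": "jest"}}',
    "native-thing": '{"name": "native-thing", "version": "0.4.0", '
                    '"scripts": {"install": "node-gyp rebuild"}}',
}
SAMPLE_NPMRC = (
    "//registry.npmjs.org/:_authToken=npm_EXAMPLE0000000000\n"
    "registry=https://registry.npmjs.org/\n"
)

if __name__ == "__main__":
    for f in audit_packages(SAMPLE_PACKAGES):
        print(f"{f['risk']:>6}  {f['name']}  {f['hook']}: {f['command']}")
    print("ignore-scripts set:", npmrc_ignores_scripts(SAMPLE_NPMRC))
    print("persisted tokens:", npmrc_token_lines(SAMPLE_NPMRC))
```

Pointing `audit_node_modules("node_modules")` at a checkout gives the same report for real dependencies. In CI, running `npm ci --ignore-scripts` (or setting `ignore-scripts=true` in `.npmrc`) prevents the hook from executing at all; packages that genuinely need a build step then get an explicit, reviewed follow-up command instead of an implicit one.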
Operators also tested the chain by swapping the backdoor for a dummy string “hello123” and used a YouTube URL as a dormant placeholder. A trojanized Trivy binary was observed reaching the same canister, which was returning a rickroll link at the time of analysis.
WHY IT MATTERS
The combination of a decentralized dead drop, automated persistence, and token theft lets the worm spread from developer machines and CI pipelines to new packages without further attacker interaction. Affected projects and users should remove compromised versions and rotate any exposed tokens.