In recent days the developer community has received a serious alert: a chain of compromise that began in the popular Trivy scanner appears to have led to a wave of tampered npm packages carrying a previously undocumented self-replicating worm, named CanisterWorm by researchers. Far from being a classic infection, this attack combines traditional malware techniques with a new element: the use of a canister on the Internet Computer (ICP) blockchain as a decentralized dead drop for command and control.
According to the analysis published by the Aikido Security research team, the initial intrusion used compromised credentials to publish malicious versions of Trivy-related projects (including trivy, trivy-action and setup-trivy) containing a credential stealer. From there the attackers, provisionally attributed by intelligence firms such as Cyble to the operation known as TeamPCP, began to spread code capable of installing a Python backdoor, establishing persistence and regularly contacting the ICP canister to download the next stage of the attack.

The technical mechanics are disturbing for their robustness: during installation the malicious package runs a post-install hook that launches a loader. This loader drops a Python backdoor that is kept alive by a systemd service configured with Restart=always and queries the ICP canister every 50 minutes using a spoofed User-Agent. The canister responds with a plain-text URL that points to the binary to download and run. Control through the canister is particularly problematic because, as decentralized infrastructure, it resists classic takedown measures: the canister's controller can change the URL to deploy new payloads without touching the infected machines.
The researchers also noticed a curious "switch" used by the attackers: if the URL returned by the canister contains youtube[.]com, the dropper ignores it and downloads nothing, which works as a dormant state. At the time of the analysis, the active URL was a joke video (a typical "rickroll"), but the canister has methods to update the link and serve a real binary at any time. The canister's public interface and the methods it exposes (such as get_latest_link and update_link) were verified by analysts and confirm that its behavior can be changed on the fly.
The scale of contamination in the npm ecosystem is significant: dozens of affected packages have been detected, including 28 packages under the @EmilGroup scope and 16 under @opengov, in addition to specific names such as @teale.io/eslint-config, @airtm/uuid-base32 and @pyptentam/floating-ui-dom. In a first version of the campaign the attacker used a tool called "deploy.js", run manually with stolen npm tokens, to publish compromised versions of multiple packages and widen the blast radius. This variant was already dangerous: an operator with valid tokens can, programmatically and at scale, publish infected packages and compromise the supply chain of the projects that depend on them.
What makes the incident more serious is that the worm was observed evolving toward fully autonomous behavior. In recent malicious versions (e.g., @teale.io/eslint-config v1.8.11 and v1.8.12) the propagation logic was built directly into index.js. A function looks for npm tokens in the developer's environment during post-install and launches the deployment routine itself in the background, turning the infection into a true worm that no longer needs the attacker to run anything manually in order to scale: any development machine or CI pipeline that installs the package and has an accessible token can become a new publishing vector for more infected packages.
The persistence and camouflage details are practical and unsophisticated at the same time: the systemd service is disguised as a PostgreSQL tool called "pgmon" to avoid raising suspicion, and the backdoor does not kill old processes when it adopts a new URL, so previous versions keep running. Aikido also reports that the author tested the propagation flow with a test string ("hello123") before putting a real binary in place, a common way to make sure the whole infection chain works before activating the actual malicious payload.
Faced with this threat, the response from developers and security teams must be rapid and multifaceted. It is essential to revoke and rotate compromised npm tokens immediately and to review CI pipeline integrations to make sure they do not store tokens with unnecessary permissions. The accounts and credentials used to publish packages should be audited, and development environments and runners should be inspected for signs of persistence: user-level systemd services with suspicious names, files such as deploy.js, index.js files with token-harvesting logic, and Python processes that make regular connections to unusual domains or endpoints. For understanding and mitigating token risk in npm, the official token documentation can serve as a guide, for example the npm tokens page.
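One way to hunt for the persistence described above is to sweep user-level systemd units for the traits the article names: the "pgmon" service name and a Python ExecStart kept alive with Restart=always. This is an added example, not code from Aikido or from the malware; the unit contents and file paths in `demo()` are constructed, and the default directory is the standard per-user unit location.

```python
import configparser
import re
import tempfile
from pathlib import Path

# Heuristics from the article: a user service named like "pgmon" and a Python
# ExecStart kept alive with Restart=always. Hits are leads for review, not verdicts.
PYTHON_EXEC = re.compile(r"(^|[\s/])python[\d.]*(\s|$)")

def inspect_unit(path):
    """Return the reasons a unit file deserves manual review (may be empty)."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # systemd directive names are case-sensitive
    try:
        cp.read_string(Path(path).read_text(errors="replace"))
    except configparser.Error:
        return ["could not parse unit file"]
    if not cp.has_section("Service"):
        return []
    svc, reasons = cp["Service"], []
    if "pgmon" in Path(path).stem.lower():
        reasons.append("service name contains 'pgmon'")
    if PYTHON_EXEC.search(svc.get("ExecStart", "")) and svc.get("Restart", "") == "always":
        reasons.append("python ExecStart with Restart=always")
    return reasons

def scan_user_units(root=None):
    """Map unit file name -> reasons for every flagged *.service under root."""
    root = Path(root or Path.home() / ".config/systemd/user")
    hits = {}
    for unit in sorted(root.glob("*.service")):
        reasons = inspect_unit(unit)
        if reasons:
            hits[unit.name] = reasons
    return hits

def demo():
    """Run the scan over constructed sample units (contents and paths are made up)."""
    samples = {
        "pgmon.service": "[Unit]\nDescription=Postgres Monitor\n[Service]\n"
                         "ExecStart=/usr/bin/python3 /home/dev/.local/share/pgmon/service.py\n"
                         "Restart = always\n[Install]\nWantedBy=default.target\n",
        "backup.service": "[Service]\nExecStart=/usr/bin/rsync -a /src /dst\nRestart=on-failure\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_text(body)
        return scan_user_units(tmp)

if __name__ == "__main__":
    print(demo())
```

Run `scan_user_units()` with no argument on a developer machine or runner to check the current user's units; legitimate Python services with Restart=always will also appear and need to be ruled out by hand.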
It is also worth remembering that this attack combines remote communication with unconventional infrastructure; it is therefore useful to know the "dead drop resolver" concept in the MITRE ATT&CK framework (T1102.001) and how Internet Computer canisters are used here as that kind of takedown-resistant channel. The canisters' own documentation helps explain why their tamper resistance and decentralization make them attractive for such abuse: ICP documentation.

For response teams and critical infrastructure, practical measures include blocking affected versions at the registry or internal feed level, purging compromised dependencies from caches and lockfiles, auditing supply chains with dependency analysis tools and implementing policies that minimize the exposure of credentials in runners and build images. GitHub and other providers have guides on how to protect tokens and secrets in pipelines; reviewing and applying good secret management practices is key to limiting the blast radius of such attacks (GitHub's guide to tokens and secrets).
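The lockfile audit mentioned above can be scripted. The following added example (not taken from the Aikido report) checks a package-lock.json against the package names, versions and scopes given in this article. Only the two @teale.io/eslint-config versions are named here, so every other match is reported for review rather than blocking; the sample lockfile and the package name @opengov/example-pkg are constructed.

```python
import json

# Indicators as given in the article. Versions are listed only for one package,
# so other named packages and whole scopes produce "review" findings.
KNOWN_BAD = {("@teale.io/eslint-config", "1.8.11"), ("@teale.io/eslint-config", "1.8.12")}
NAMED_PACKAGES = {"@teale.io/eslint-config", "@airtm/uuid-base32", "@pyptentam/floating-ui-dom"}
AFFECTED_SCOPES = {"@emilgroup", "@opengov"}  # compared case-insensitively

def iter_locked(lock):
    """Yield (name, version) from lockfile v2/v3 'packages' and v1 'dependencies'."""
    for key, meta in lock.get("packages", {}).items():
        if "node_modules/" in key:  # skips the root project entry ""
            yield key.rsplit("node_modules/", 1)[1], meta.get("version", "")
    stack = [lock.get("dependencies", {})]
    while stack:  # the v1 tree nests resolved dependencies recursively
        for name, meta in stack.pop().items():
            yield name, meta.get("version", "")
            stack.append(meta.get("dependencies", {}))

def audit_lockfile(lock):
    """Return sorted (severity, name, version) findings for a parsed lockfile."""
    findings = set()
    for name, version in iter_locked(lock):
        lname = name.lower()
        if (lname, version) in KNOWN_BAD:
            findings.add(("block", name, version))
        elif lname in NAMED_PACKAGES or lname.split("/")[0] in AFFECTED_SCOPES:
            findings.add(("review", name, version))
    return sorted(findings)

# Constructed sample lockfile (v3 layout), including one nested dependency.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/@teale.io/eslint-config": {"version": "1.8.12"},
    "node_modules/@opengov/example-pkg": {"version": "2.0.0"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/foo/node_modules/@airtm/uuid-base32": {"version": "1.0.1"}
  }
}""")

if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK):
        print(*finding)
```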
The CanisterWorm campaign highlights several worrying trends: the growing sophistication of criminal operations against the software supply chain, the reuse of decentralized infrastructure to make remote malware control more resilient, and the ease with which tokens and publishing access can turn a compromised account into a damage multiplier. Public analyses, such as Aikido Security's technical report documenting these findings, are valuable resources for understanding the telemetry and indicators of compromise and can be consulted for detailed technical information (Aikido analysis).
This is an active, developing situation: defenders must move quickly to neutralize malicious publications, remove infected packages from the public registry and cut off the attackers' access. Meanwhile, the developer community must assume that any compromised package can be an entry point for automatic propagation and act accordingly: audit dependencies, rotate exposed credentials and harden pipelines. The combination of monitoring, credential rotation and least-privilege policies remains the best defense against threats that exploit the inherent trust in the open source ecosystem.