A recent supply chain attack targeting the widely used Trivy vulnerability scanner has escalated into a broader compromise of the npm ecosystem, with security researchers uncovering a self-propagating malware dubbed CanisterWorm affecting at least 47 npm packages.
From Trivy Breach to npm Worm
The incident follows the earlier compromise of Trivy-related GitHub Actions, where attackers used stolen credentials to publish malicious versions of trivy, trivy-action, and setup-trivy containing credential-stealing code.
Security experts suspect a cloud-focused threat group known as TeamPCP is behind the operation.
Shortly after, researchers observed malicious activity spreading into npm packages, indicating a coordinated supply chain campaign.
47 npm Packages Compromised
The attack impacted multiple npm scopes and packages, including:
- 28 packages under @EmilGroup
- 16 packages under @opengov
- Additional packages such as:
  - @teale.io/eslint-config
  - @airtm/uuid-base32
  - @pypestream/floating-ui-dom
How CanisterWorm Works
The infection chain is highly sophisticated and designed for persistence and scalability:
1. Initial Execution
- A malicious postinstall script runs automatically when the package is installed
- It deploys a loader, which installs a Python-based backdoor
2. Decentralized Command-and-Control
- The malware connects to an Internet Computer (ICP) canister
- This acts as a dead drop resolver to fetch the command-and-control (C2) server
This marks the first known abuse of ICP canisters for malware infrastructure, making the attack harder to disrupt.
Advanced Persistence Mechanism
The malware ensures long-term access by:
- Creating a systemd user service
- Disguising itself as PostgreSQL-related tooling (pgmon)
- Automatically restarting if terminated, using Restart=always
It also periodically (every ~50 minutes) checks for updated payloads from the attacker-controlled infrastructure.
Dynamic Payload Control
A notable feature of CanisterWorm is its flexible control mechanism:
- The attacker can change payload URLs remotely via the ICP canister
- Inactive mode uses a YouTube link as a kill switch
- Active mode delivers real malicious binaries
This allows attackers to activate or deactivate infections globally without redeploying malware.
Evolution Into a Self-Spreading Worm
Initially, the attack required manual execution using a script (deploy.js) and stolen npm tokens.
However, a newer variant discovered in @teale.io/eslint-config (v1.8.11 and v1.8.12) introduced full automation:
- Extracts npm tokens from infected systems
- Automatically spreads to other packages
- Runs propagation in the background without user interaction
This marks a critical shift from a targeted compromise to a self-propagating supply chain worm.
Why This Attack Is Dangerous
This campaign represents a significant escalation in supply chain threats:
- Infects developers and CI/CD pipelines
- Uses legitimate npm tokens to spread, abusing the trust already placed in those publishers
- Leverages decentralized infrastructure resistant to takedowns
- Enables continuous reinfection cycles
Any system installing affected packages with accessible npm credentials can unknowingly become a propagation node.
Conclusion
The Trivy supply chain compromise has evolved into one of the most advanced npm ecosystem attacks observed in recent times. With self-propagation, decentralized control, and credential abuse, CanisterWorm demonstrates how modern supply chain attacks can rapidly scale across developer environments.
Organizations are strongly advised to:
- Audit npm dependencies immediately
- Rotate exposed npm tokens
- Monitor CI/CD pipelines for unusual activity
- Remove affected packages and reinstall from trusted sources
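
As a starting point for the dependency audit recommended above, this added example (not code from the original report or from any affected project) checks a parsed package-lock.json for the scopes and packages the report names, and for any entry npm marks as having install scripts. The sample lockfile is constructed; package names marked hypothetical and all versions other than 1.8.12 are assumptions.

```javascript
// Added example: audit a parsed package-lock.json against the names in the report.
// npm scope names are lowercase, so the report's "@EmilGroup" is matched case-insensitively.
const AFFECTED_SCOPES = ['@emilgroup', '@opengov'];
const AFFECTED_PACKAGES = new Map([
  ['@teale.io/eslint-config', ['1.8.11', '1.8.12']], // worm variant versions from the report
  ['@airtm/uuid-base32', null], // no versions given in the report: flag every version
  ['@pypestream/floating-ui-dom', null],
]);

// lock: object parsed from package-lock.json (lockfileVersion 2 or 3, with a "packages" map)
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // "" is the root project; other keys are workspace folders
    const name = path.slice(idx + 'node_modules/'.length).toLowerCase();
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    let reason = null;
    if (AFFECTED_PACKAGES.has(name)) {
      const bad = AFFECTED_PACKAGES.get(name);
      if (bad === null) reason = 'named-package';
      else reason = bad.includes(meta.version) ? 'known-bad-version' : 'named-package-other-version';
    } else if (AFFECTED_SCOPES.includes(scope)) {
      reason = 'affected-scope';
    } else if (meta.hasInstallScript) {
      reason = 'install-script'; // npm sets this flag when a package has install-time hooks
    }
    if (reason) findings.push({ name, version: meta.version, reason });
  }
  return findings;
}

// Constructed sample lockfile (not real project data).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@teale.io/eslint-config': { version: '1.8.12', hasInstallScript: true },
    'node_modules/@opengov/example-pkg': { version: '2.0.0' }, // hypothetical package name
    'node_modules/some-lib': { version: '1.3.0' }, // hypothetical, no install hooks
    'node_modules/some-lib/node_modules/@airtm/uuid-base32': { version: '1.0.0' }, // nested copy
    'node_modules/native-thing': { version: '0.1.0', hasInstallScript: true }, // hypothetical
  },
};

for (const f of auditLock(SAMPLE_LOCK)) console.log(`${f.reason}\t${f.name}@${f.version}`);
```

To audit a real project, pass the function `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Entries flagged only as install-script still need manual review, since many legitimate packages use install hooks.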