CanisterWorm Unleashed: How a Trivy Attack Spiraled into a Self-Propagating npm Malware Epidemic
In a chilling escalation of cyber warfare, threat actors initially targeting the widely used Trivy security scanner are now suspected of orchestrating a series of follow-on attacks. These sophisticated assaults have led to the compromise of a staggering 47 npm packages with a previously undocumented, self-propagating worm dubbed “CanisterWorm.” This development marks a significant shift in supply chain attack methodologies, introducing novel techniques that pose a formidable challenge to detection and takedown efforts.
The Genesis of the Attack: Trivy’s Compromise
Just a day prior to the emergence of CanisterWorm, the cybersecurity community was alerted to a critical breach involving the popular Trivy scanner. Threat actors, believed to be the cloud-focused cybercriminal operation TeamPCP, leveraged compromised credentials to publish malicious versions of trivy, trivy-action, and setup-trivy. These tainted releases contained a credential stealer, laying the groundwork for what would become a far more expansive and insidious campaign.
CanisterWorm’s Unique Modus Operandi: The ICP Canister Dead Drop
What sets CanisterWorm apart is its innovative use of an Internet Computer (ICP) canister as a “dead drop resolver.” ICP canisters are essentially tamper-proof smart contracts residing on the Internet Computer blockchain. This marks the first publicly documented instance of an ICP canister being exploited to fetch command-and-control (C2) server details, as highlighted by Aikido Security researcher Charlie Eriksen.
This decentralized infrastructure grants the malware exceptional resilience, making it highly resistant to conventional takedown attempts. Eriksen explains, “The canister controller can swap the URL at any time, pushing new binaries to all infected hosts without touching the implant.” This dynamic capability allows attackers to update their payloads on the fly, ensuring continuous control over compromised systems.
The Infection Chain: From Postinstall to Persistent Backdoor
The CanisterWorm infection chain within npm packages is meticulously designed. It begins by leveraging a postinstall hook to execute a loader. This loader then drops a Python backdoor, which is tasked with contacting the ICP canister dead drop. The canister, in turn, provides a URL pointing to the next-stage payload.
To ensure longevity, the malware establishes persistence through a systemd user service. This service is configured to automatically restart the Python backdoor after a mere 5-second delay if it’s ever terminated, utilizing the “Restart=always” directive. To further evade detection, the systemd service cleverly masquerades as legitimate PostgreSQL tooling, specifically “pgmon.”
The C2 Communication and the YouTube ‘Kill Switch’
The Python backdoor communicates with the ICP canister every 50 minutes, spoofing a browser User-Agent to fetch a plaintext URL. This URL is subsequently parsed to retrieve and execute the next-stage payload. Intriguingly, the attackers have incorporated a unique “kill switch” mechanism:
“If the URL contains youtube[.]com, the script skips it,” Eriksen revealed. “This is the canister’s dormant state. The attacker arms the implant by pointing the canister at a real binary, and disarms it by switching back to a YouTube link. If the attacker updates the canister to point to a new URL, every infected machine picks up the new binary on its next poll. The old binary keeps running in the background since the script never kills previous processes.”
This allows the threat actors to activate or deactivate the malware’s active payload delivery at will. A similar YouTube-based kill switch was also observed in connection with the trojanized Trivy binary (version 0.69.4), which also communicated with the same ICP canister via a Python dropper named “sysmon.py.” At the time of writing, the C2 was reportedly returning a rickroll YouTube video, indicating a dormant state.
The Hacker News further uncovered that the ICP canister supports three key methods: get_latest_link, http_request, and update_link. The update_link method grants the threat actor the power to modify the canister’s behavior at any moment, enabling them to serve an actual malicious payload.
The Evolution of Self-Propagation: From Manual to Autonomous
Initially, the CanisterWorm spread through a deploy.js file, which the attacker manually executed with stolen npm tokens to programmatically push malicious payloads to any package accessible with those credentials. This “vibe-coded” worm, possibly developed with AI tools, made no attempt to conceal its functionality.
However, the threat has rapidly evolved. A subsequent iteration of CanisterWorm, found in @teale.io/eslint-config versions 1.8.11 and 1.8.12, has achieved true self-propagation, eliminating the need for manual intervention. This new variant integrates the token-collection and spread functionality directly into its index.js file, specifically within a findNpmTokens() function that runs during the postinstall phase.
After installing the persistent backdoor, this advanced script actively seeks out npm authentication tokens from the developer’s environment. It then immediately spawns the worm with these newly acquired tokens by launching deploy.js as a fully detached background process. This means that any developer or CI pipeline installing an infected package with an accessible npm token inadvertently becomes a propagator of the worm.
Intriguingly, the threat actor temporarily swapped the ICP backdoor payload for a dummy test string (“hello123”), likely to validate the entire attack chain before deploying the actual malware. As Eriksen aptly puts it, “This is the point where the attack goes from ‘compromised account publishes malware’ to ‘malware compromises more accounts and publishes itself.'” The implications are severe: every developer or CI pipeline that installs this package and has an npm token accessible becomes an unwitting propagator of the threat.
For more details, visit our website.
Source: Link
Leave a comment