A sophisticated supply chain attack targeting the popular open-source vulnerability scanner Trivy has escalated into a widespread campaign, compromising at least 47 npm packages with a novel, self-propagating worm named CanisterWorm. Security researchers at Aikido Security, led by Charlie Eriksen, have uncovered that the threat actors, suspected to be the cloud-focused cybercriminal group TeamPCP, are leveraging a compromised credential to push malicious updates. This campaign represents a significant evolution in attack methodology, as it marks the first documented instance of malware using an ICP (Internet Computer Protocol) canister—a tamperproof smart contract on the Internet Computer blockchain—as a decentralized and resilient command-and-control (C2) dead drop resolver.
The infection chain begins when a user installs one of the compromised npm packages, such as malicious versions of `trivy`, `trivy-action`, or `setup-trivy`. These packages contain a postinstall script that automatically executes a loader upon installation. This loader deploys a Python-based backdoor, which is the core component of CanisterWorm. The backdoor's primary function is to contact the ICP canister every 50 minutes, using a spoofed browser User-Agent to fetch a plaintext URL. This URL points to the next-stage payload, which is then downloaded and executed on the infected host. The decentralized nature of the blockchain-based canister makes the C2 infrastructure exceptionally resistant to traditional takedown efforts, as the controller can dynamically update the target URL without modifying the implanted malware.
To ensure persistence, the worm establishes itself as a systemd user service, cleverly disguised as PostgreSQL tooling under the name "pgmon." This service is configured with the "Restart=always" directive, causing it to automatically restart after a 5-second delay if terminated. This mechanism allows the backdoor to maintain a foothold on compromised systems, continuously phoning home to the canister for new instructions or payloads. The ability to push new binaries to all infected hosts simultaneously, without direct interaction with the implants, provides the attackers with a powerful and stealthy update mechanism.
The implications of this attack are severe for the software development and DevOps communities. Trivy is widely used for scanning containers and dependencies for vulnerabilities, making its compromise a critical trust issue. Developers and organizations are urged to immediately verify the integrity of their Trivy installations and related npm dependencies, checking for unauthorized versions. Furthermore, this incident highlights a growing trend of attackers abusing decentralized technologies like blockchain to create robust, takedown-resistant attack infrastructure. Defenders must now consider monitoring for unusual network traffic to blockchain networks and scrutinizing postinstall hooks in open-source dependencies more rigorously than ever before.
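The following triage helper is an added example, not code from the article, from Aikido Security, or from the Trivy project: it audits systemd user units for the disguised "pgmon"-style service with `Restart=always` described above, and npm package.json files for install-time hooks and for the package names the article lists. The unit text, package.json and the `%h/.local/share/pgmon/agent.py` path are constructed samples; on a real host you would feed it the contents of `~/.config/systemd/user/*.service` and `node_modules/*/package.json`.

```python
"""Added triage helper (not from the article or Aikido): flag the two footholds the
article describes, a disguised Restart=always user service and an install hook."""
import configparser
import json

WATCHED_PACKAGES = {"trivy", "trivy-action", "setup-trivy"}  # names given in the article
WATCHED_UNITS = {"pgmon"}                                    # disguise named in the article
INSTALL_HOOKS = ("preinstall", "install", "postinstall")     # npm scripts run by `npm install`

def audit_user_unit(filename: str, text: str) -> list[str]:
    """Findings for one systemd user unit (e.g. ~/.config/systemd/user/X.service)."""
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    cfg.optionxform = str  # systemd keys are case-sensitive; don't lowercase them
    cfg.read_string(text)
    findings = []
    stem = filename.removesuffix(".service")
    if stem in WATCHED_UNITS:
        findings.append(f"{filename}: unit name matches known disguise '{stem}'")
    svc = cfg["Service"] if cfg.has_section("Service") else {}
    if svc.get("Restart") == "always":  # restarts even after a clean kill
        delay = svc.get("RestartSec", "default")
        findings.append(f"{filename}: Restart=always (RestartSec={delay}), runs {svc.get('ExecStart', '?')}")
    return findings

def audit_package_json(path: str, text: str) -> list[str]:
    """Findings for one package.json: watched package names and install-time hooks."""
    pkg = json.loads(text)
    findings = []
    if pkg.get("name") in WATCHED_PACKAGES:
        findings.append(f"{path}: '{pkg['name']}' is on the watch list; verify the installed version")
    for hook in INSTALL_HOOKS:
        cmd = pkg.get("scripts", {}).get(hook)
        if cmd:  # any install hook executes arbitrary code on the developer's machine
            findings.append(f"{path}: {hook} hook runs: {cmd}")
    return findings

# Constructed samples, not real artefacts: a disguised unit and a hooked package.
SAMPLE_UNIT = """[Unit]
Description=PostgreSQL monitor
[Service]
ExecStart=/usr/bin/python3 %h/.local/share/pgmon/agent.py
Restart=always
RestartSec=5
"""
SAMPLE_PKG = '{"name": "trivy", "version": "x.y.z-constructed", "scripts": {"postinstall": "node loader.js"}}'

if __name__ == "__main__":
    print("\n".join(audit_user_unit("pgmon.service", SAMPLE_UNIT) + audit_package_json("node_modules/trivy/package.json", SAMPLE_PKG)))
```

A clean unit (for example `Restart=on-failure` under a name not on the watch list) and a package whose `scripts` has only `test` produce no findings, so the output is the list of items worth a manual look.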