A threat actor who stole credentials from a legitimate node package manager (npm) publisher has spread a persistent, worm-like malware across dozens of packages, security firms say.

Named CanisterWorm by Aikido Security and Socket, the malware has now been updated to be self-propagating, and has compromised nearly 50 npm packages.
The attackers have deployed what the researchers say is the first observed malware campaign to use a decentralised Internet Computer Protocol (ICP) canister as its command and control (C2) dead drop.
ICP canisters are applications that are part of a decentralised blockchain network, created by Switzerland’s Dfinity Foundation.
Because the C2 channel through which the attackers send instructions to compromised systems runs over the blockchain's distributed, immutable database, the malware is resilient to takedown efforts and seizures.
Charlie Eriksen, a researcher at Aikido who analysed CanisterWorm, said the ICP backdoor payload has been swapped out for “hello123”, a dummy test string that decodes to garbage bytes, following a code update.
“When systemd tries to run it as Python, it crashes immediately, but with “Restart=always” set the service silently restarts every five seconds,” Eriksen wrote.
“The attacker shipped the plumbing first to validate the full chain (token harvesting, worm spawning, systemd persistence) before arming it with the real payload.
“If this had shipped with the full ICP backdoor, every compromised developer’s packages would have become a new infection vector. The plumbing works. They just haven’t turned the faucet on yet,” Eriksen added.
CanisterWorm appears tailored primarily for Linux environments, using the systemd service manager for persistence, suggesting a focus on continuous integration and delivery (CI/CD) pipelines and cloud-hosted build systems.
Oddly enough, CanisterWorm doesn’t appear to deliver a functional payload so far through its Python language implant.
The Python code acts as a persistent backdoor on compromised systems that polls the decentralised C2 channel, but so far CanisterWorm has only returned a YouTube Rick Roll link through the ICP canister.
The worm does have a delivery mechanism and can activate a secondary payload to fetch a binary, mark it as executable and run it as a detached process, the security vendors say.
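The persistence mechanism described above, an interpreter launched on a script from a user-writable path with Restart=always so that even a crashing payload is relaunched indefinitely, is easy to hunt for on a build host. The following audit script is an added example written here, not code from Aikido, Socket or the malware; its heuristics, the suspicious path prefixes and the sample unit text are assumptions and not published indicators.

```python
"""Audit systemd unit files for the persistence pattern described above: a
service that hands an interpreter a script in a user-writable location and
sets Restart=always, so a crashing payload is relaunched indefinitely.
Constructed example with assumed heuristics; the sample unit text, paths and
prefixes are not indicators published by Aikido or Socket."""
from pathlib import Path
import sys

# Locations a legitimate system service rarely executes scripts from (assumption).
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
INTERPRETERS = {"python", "python2", "python3", "node", "sh", "bash", "perl"}


def parse_unit(text):
    """Parse unit text into {section: [(key, value), ...]}.
    systemd allows repeated keys (e.g. several ExecStart lines), so values
    are kept in order rather than collapsed into a dict."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def _values(sections, section, key):
    return [v for k, v in sections.get(section, []) if k == key]


def audit_unit(text):
    """Return human-readable findings for one unit file (empty list if clean)."""
    sections = parse_unit(text)
    findings = []
    if "always" in _values(sections, "Service", "Restart"):
        findings.append("Restart=always")
        for sec in _values(sections, "Service", "RestartSec"):
            findings.append(f"RestartSec={sec}")
    for cmd in _values(sections, "Service", "ExecStart"):
        # ExecStart may carry systemd's '-', '@', ':', '+', '!' prefix characters.
        argv = cmd.lstrip("-@:+!").split()
        if not argv:
            continue
        exe = Path(argv[0]).name
        if exe in INTERPRETERS:
            for arg in argv[1:]:
                if arg.startswith(SUSPICIOUS_PREFIXES):
                    findings.append(f"{exe} executes {arg}")
    return findings


def is_suspicious(text):
    """True when both halves of the pattern are present: always-restart plus an
    interpreter launching a script from a user-writable path."""
    f = audit_unit(text)
    return "Restart=always" in f and any(" executes " in x for x in f)


# Constructed sample resembling the described pattern (not a real artefact).
SAMPLE_UNIT = """\
[Unit]
Description=Build cache helper

[Service]
Type=simple
ExecStart=/usr/bin/python3 /home/build/.cache/helper.py
Restart=always
RestartSec=5

[Install]
WantedBy=default.target
"""

# Constructed benign unit for comparison.
BENIGN_UNIT = """\
[Service]
ExecStart=/usr/sbin/sshd -D
Restart=on-failure
"""

if __name__ == "__main__":
    # Usage: python audit_units.py ~/.config/systemd/user/*.service
    paths = sys.argv[1:]
    for p in paths:
        text = Path(p).read_text(errors="replace")
        if is_suspicious(text):
            print(p, "->", "; ".join(audit_unit(text)))
    if not paths:
        print("sample:", audit_unit(SAMPLE_UNIT))
```

Run it over both the system and per-user unit directories (user units under ~/.config/systemd/user/ need no root to install, which is why they suit a build agent). A hit is a prompt to inspect, not proof of compromise: a legitimate service can match the pattern, so pair the finding with the script's hash and the journal entries for the repeated restarts.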
Trivy vulnerability scanner hack linked to CanisterWorm creator
Aikido observed that the CanisterWorm attack emerged after the compromise of Aqua Security’s Trivy, an open source vulnerability scanner widely used in CI/CD pipelines to check container images and code.
Trivy was already compromised earlier this month, when an attacker exfiltrated credentials from its CI environment; while the credentials were rotated, it is believed the attacker may have retained access to newly issued ones.
Aikido assessed that the CanisterWorm attacker may in fact be the same threat actor as the one that struck Trivy, named TeamPCP.
The name comes from the code in a comprehensive filesystem credentials harvester, which read “TeamPCP Cloud stealer”.
Security vendor Wiz, which was recently acquired by Google, also analysed the Trivy compromise and attributed it to TeamPCP through artefacts it found.
Socket’s analysis supported the malware mechanics, but the security vendor stopped short of a firm attribution of the threat actor.
TeamPCP’s stealer targets secure shell (SSH) keys, Amazon Web Services, Google Cloud Platform and Microsoft Azure credentials.
It also tries to exfiltrate Kubernetes service account tokens, Docker registry credentials, database passwords, .npmrc tokens, command shell histories, and transport layer security (TLS) private keys.
Furthermore, it would attempt to steal cryptocurrency wallet files that include Solana validator keypairs.
GlassWorm returns
Another supply chain worm with self-replicating code, GlassWorm, which first appeared in 2025, has also made headlines recently as it struck more than 430 GitHub projects, the Open Source Malware community threat database reported last week.
Researchers from Aikido, Step Security and Socket have documented a new malware campaign featuring GlassWorm, which uses the Solana cryptocurrency blockchain for memos that contain a C2 server URL.
By hiding JavaScript code in Unicode characters that are invisible to humans, GlassWorm downloads an infostealer.
This targets browser-based cryptocurrency wallet extensions, stored credentials, SSH keys and session tokens.
GlassWorm has been tracked across npm packages, GitHub repositories, and VS Code extensions.
Security researchers believe the same threat actor is behind all the GlassWorm attacks they have tracked, one that geofences its malware to avoid Russian-language environments.
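Code hidden in characters that render as nothing in an editor is still read by the JavaScript parser, which is why a plain-text diff review can miss it. The scanner below is an added example written for this page, not tooling from the researchers named above; its list of code points is an assumption drawn from Unicode character properties rather than GlassWorm's actual character set, and SAMPLE_SOURCE is constructed.

```python
"""Scan JavaScript source for Unicode code points that render as nothing in an
editor yet are still read by the parser, the class of trick described above.
Constructed example: the code-point list is an assumption drawn from Unicode
properties, not GlassWorm's actual character set, and SAMPLE_SOURCE is made up."""
import sys
import unicodedata

# Invisible characters that JavaScript accepts inside identifiers or strings
# (assumption: a reasonable starting list, not an exhaustive one).
INVISIBLE_CODEPOINTS = {
    0x00AD, 0x034F, 0x115F, 0x1160, 0x180E, 0x200B, 0x200C, 0x200D,
    0x2060, 0x2061, 0x2062, 0x2063, 0x2064, 0x3164, 0xFEFF, 0xFFA0,
}
# Bidirectional overrides that reorder displayed text (Trojan Source style).
BIDI_CONTROLS = {0x202A, 0x202B, 0x202C, 0x202D, 0x202E, 0x2066, 0x2067, 0x2068, 0x2069}


def is_invisible(ch):
    """Flag explicit list entries, any 'Cf' (format) character, and the
    variation-selector ranges, which all render as nothing on their own."""
    cp = ord(ch)
    if cp in INVISIBLE_CODEPOINTS or cp in BIDI_CONTROLS:
        return True
    if unicodedata.category(ch) == "Cf":
        return True
    return 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF


def scan_source(text):
    """Return (line, column, 'U+XXXX', unicode name) for every hit.
    A byte-order mark as the very first character is normal and skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if lineno == 1 and col == 1 and ch == "\ufeff":
                continue
            if is_invisible(ch):
                findings.append((lineno, col, f"U+{ord(ch):04X}",
                                 unicodedata.name(ch, "<unnamed>")))
    return findings


def has_invisible(text):
    return bool(scan_source(text))


# Constructed sample: two invisible characters hidden in otherwise plain code.
SAMPLE_SOURCE = (
    "const config = { retries: 3 };\n"
    "function load() { return config; }\n"
    "var \u3164 = 'hidden';\n"        # identifier consisting of Hangul Filler
    "call('\u200B' + 'x');\n"         # zero-width space inside a string literal
)

if __name__ == "__main__":
    # Usage: python scan_invisible.py file.js [more.js ...]
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for hit in scan_source(fh.read()):
                print(f"{path}:{hit[0]}:{hit[1]} {hit[2]} {hit[3]}")
    if len(sys.argv) == 1:
        for hit in scan_source(SAMPLE_SOURCE):
            print(hit)
```

A useful place to run this is a pre-publish or pull-request check over every .js, .ts and .json file in a package and over extension bundles before they are installed; a single hit in a file that should be plain ASCII is worth a manual look, since legitimate code has little reason to contain format or filler characters outside string literals for internationalised text.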
