
Archived Article — The Daily Perspective is no longer active. This article was published on 22 March 2026 and is preserved as part of the archive.

Technology

Blockchain-Backed Worm Spreads Across npm as Supply Chain Attacks Escalate

CanisterWorm marks a new frontier in open-source malware: self-propagating code that uses decentralised infrastructure to evade takedown.

Image: iTnews
Key Points
  • CanisterWorm infected 47+ npm packages after attackers compromised the Trivy security scanner and stole developer tokens.
  • The malware uses Internet Computer Protocol blockchain canisters as command-and-control servers, making it resistant to traditional takedowns.
  • Researchers believe the same group behind the Trivy breach deployed the worm to autonomously spread across developer portfolios.
  • The attack chain works by stealing npm credentials, then using those credentials to automatically republish malicious versions of other packages the developer maintains.

A recently discovered campaign of malicious npm packages uses installation scripts to steal developer credentials and deploy a self-propagating worm that infects the victim's own software portfolio. The worm, dubbed CanisterWorm, represents a significant escalation in supply chain attacks. Rather than simply compromising a single package and waiting for downloads, this one is dynamic: it actively seeks new hosts and spreads autonomously.

The credentials that seeded the initial infection wave were stolen hours earlier through a separate, high-impact supply chain attack on Trivy, Aqua Security's widely used open-source vulnerability scanner. The attackers, a group tracked as TeamPCP, exploited a GitHub Actions misconfiguration involving a pull_request_target workflow that exposed a Personal Access Token (PAT). Using that stolen token, the attacker force-pushed malicious commits over 75 of 76 version tags on aquasecurity/trivy-action and 7 tags on aquasecurity/setup-trivy, effectively replacing the legitimate scanner with a credential harvester across thousands of CI/CD pipelines.
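The two CI weaknesses described above (a pull_request_target workflow that checks out the pull request's head, and action references that float on a version tag an attacker can force-push) are both visible in a workflow file before anything runs. The following checker is an added example written for this article, not code from Trivy, Aqua Security or the article itself; it uses line-based heuristics rather than a YAML parser so it has no dependencies, and the workflow texts, the organisation example-org and the 40-hex commit SHA are constructed for the demo.

```python
"""Static audit of a GitHub Actions workflow for two supply-chain weaknesses:
an untrusted-code checkout inside a pull_request_target workflow, and action
references pinned to a mutable tag or branch instead of a commit SHA.
Added example; heuristics, not a full YAML parse."""
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
TRIGGER = re.compile(r"\bpull_request_target\b")


def audit_workflow(text):
    """Return (severity, message) findings for one workflow file's text.

    The `on:` block is not located precisely: a pull_request_target mention
    anywhere in the file counts as the trigger, which errs on the noisy side.
    """
    findings = []
    lines = text.splitlines()
    if any(TRIGGER.search(ln) for ln in lines) and any(PR_HEAD.search(ln) for ln in lines):
        findings.append(("high",
                         "pull_request_target workflow checks out the PR head: "
                         "untrusted fork code runs with the repo's secrets and write token"))
    for ln in lines:
        m = USES.match(ln)
        if not m or "@" not in m.group(1):
            continue  # local action path or reusable workflow without a ref
        action, _, ref = m.group(1).rpartition("@")
        if not SHA40.match(ref):
            findings.append(("medium",
                             f"{action} pinned to mutable ref '{ref}'; a tag can be "
                             "force-pushed, pin to a full commit SHA"))
    return findings


# Constructed sample: the weak pattern the article describes.
WEAK_WORKFLOW = """\
name: scan
on: [pull_request_target]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: example-org/scanner-action@v1
"""

# Constructed sample: plain pull_request trigger, every action pinned to a
# (made-up) full commit SHA.
HARDENED_WORKFLOW = """\
name: scan
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/scanner-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit_workflow(wf) or "no findings")
```

Run it over every file under .github/workflows/ and treat any "high" finding as a blocker: a pull_request_target job has the base repository's secrets and a write-capable token, so it must never execute code from the pull request. SHA pinning closes the second hole the article describes, since a force-pushed tag does not move a commit hash.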

Image: The CanisterWorm malware campaign compromised dozens of npm packages through stolen developer credentials.

How the Worm Spreads

The mechanics are simple but effective. The attack propagates by scraping npm authentication tokens from infected developer environments and using them to automatically publish malicious versions of other accessible packages in the registry. When a developer installs a compromised package, the malware extracts their npm credentials and automatically republishes other packages they maintain with the same malicious code. This is the point where the attack goes from 'compromised account publishes malware' to 'malware compromises more accounts and publishes itself.' Every developer or CI pipeline that installs this package and has an npm token accessible becomes an unwitting propagation vector. Their packages get infected, their downstream users install those, and if any of them have tokens, the cycle repeats.
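The propagation hook described above is an npm lifecycle script, so the first thing a defender can do is enumerate which installed packages run code at install time and which of those reach for credentials, the network, or npm publish. The audit below is an added example written for this article, not code from the article or from any of the named projects; the manifests, package names and the patterns it scores are constructed for the demo, and a real triage would treat matches as leads rather than verdicts.

```python
"""Audit npm package manifests for install-time lifecycle scripts and rank
those whose command lines show worm-like traits. Added example; manifests
below are constructed, not real packages."""
import json
import re
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicator patterns (constructed heuristics): each is (regex, reason).
SUSPICIOUS = [
    (re.compile(r"\bcurl\b|\bwget\b"), "fetches from the network"),
    (re.compile(r"\|\s*(ba)?sh\b"), "pipes content into a shell"),
    (re.compile(r"\bbase64\b|\bnode\s+-e\b|\beval\b"), "inline or encoded code execution"),
    (re.compile(r"\.npmrc\b|NPM_TOKEN|\bnpm\s+token\b"), "touches npm credentials"),
    (re.compile(r"\bnpm\s+publish\b"), "publishes packages at install time (worm behaviour)"),
    (re.compile(r"\bsystemctl\b|\.service\b|/etc/systemd"), "sets up system persistence"),
]


def audit_manifest(manifest):
    """Return one finding dict per lifecycle hook defined in a package.json."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = [why for pat, why in SUSPICIOUS if pat.search(cmd)]
        findings.append({
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "hook": hook,
            "command": cmd,
            "reasons": reasons,
            "severity": "high" if reasons else "info",
        })
    return findings


def audit_manifests(manifests):
    """Flatten audit_manifest over an iterable of manifest dicts."""
    out = []
    for m in manifests:
        out.extend(audit_manifest(m))
    return out


def iter_installed_manifests(root):
    """Yield every package.json under root/node_modules, nested ones included."""
    for p in Path(root, "node_modules").rglob("package.json"):
        try:
            yield json.loads(p.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue


# Constructed manifests: a native addon with a legitimate build hook, a
# package whose install hook republishes (the worm trait), and one with no hooks.
SAMPLE_MANIFESTS = [
    {"name": "@example/native-thing", "version": "1.0.0",
     "scripts": {"postinstall": "node-gyp rebuild", "test": "jest"}},
    {"name": "@example/infected-lib", "version": "2.3.1",
     "scripts": {"postinstall": "node -e \"require('./w.js')\" && npm publish --access public"}},
    {"name": "@example/plain-lib", "version": "0.4.2"},
]

if __name__ == "__main__":
    for f in audit_manifests(SAMPLE_MANIFESTS):
        print(f"[{f['severity']}] {f['name']}@{f['version']} {f['hook']}: "
              f"{f['command']}  {'; '.join(f['reasons'])}")
```

Beyond inventory, two npm settings cut the propagation path directly: installing with `npm ci --ignore-scripts` (or `npm config set ignore-scripts true`) stops lifecycle hooks from running at all, and keeping the publish token out of the environment of any job that merely installs dependencies means a hook that does run has nothing to steal.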

The scope of the damage is still unfolding. The breach has impacted numerous npm packages, including 28 from the @EmilGroup scope, 16 from the @opengov scope, and others like @teale.io/eslint-config and @airtm/uuid-base32. Researchers detected the attack on 20 March 2026, but the actual scale of infected packages across the registry may be much larger.

Decentralised Command and Control

What makes CanisterWorm unusual is its infrastructure choice. The worm uses Internet Computer Protocol (ICP) blockchain canisters as a tamper-proof way to resolve its command-and-control (C2) server addresses. Rather than relying on a server that can be seized or taken offline, it looks up its C2 address on the blockchain, where a conventional takedown request cannot remove it. That makes CanisterWorm the first publicly documented npm worm to use this technique.

Ironically, the malware is currently inert. The ICP backdoor payload was swapped out for hello123, a dummy test string that decodes to garbage bytes. When systemd tries to run it as Python, it crashes immediately, but with Restart=always set the service silently restarts every 5 seconds. The attacker shipped the plumbing first to validate the full chain (token harvesting, worm spawning, systemd persistence) before arming it with the real payload. The attacker can activate the malware by directing the canister to a legitimate binary, and deactivate it by reverting to a YouTube link.
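The persistence mechanism above leaves a recognisable footprint on a host: a service unit with Restart=always and a short RestartSec that hands an interpreter a script from a user-writable location. The checker below is an added example written for this article, not code from the article; the unit texts are constructed, and the choice of "interpreter plus script under a user-writable path" as the suspicious shape is an assumption about the general pattern rather than a detail the article gives about this specific unit.

```python
"""Flag systemd service units that combine aggressive auto-restart with an
interpreter launching a script from a user-writable path. Added example;
unit files below are constructed."""
import os

INTERPRETER_PREFIXES = ("python", "node", "sh", "bash", "perl")
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")


def parse_unit(text):
    """Minimal unit-file parser: {section: {key: [values...]}} (keys may repeat)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).append(value.strip())
    return sections


def _seconds(value, default=0.1):
    """Parse a systemd time span such as '5', '5s' or '100ms'; default is systemd's 100ms."""
    v = value.strip()
    try:
        if v.endswith("ms"):
            return float(v[:-2]) / 1000
        return float(v[:-1] if v.endswith("s") else v)
    except ValueError:
        return default


def audit_unit(name, text):
    """Return a list of reasons this unit looks like respawning persistence."""
    svc = parse_unit(text).get("Service", {})
    reasons = []
    for cmd in svc.get("ExecStart", []):
        argv = cmd.lstrip("-@:+!").split()  # drop systemd's ExecStart prefix characters
        if not argv:
            continue
        prog = os.path.basename(argv[0])
        if argv[0].startswith(WRITABLE_PREFIXES):
            reasons.append(f"{name}: binary itself lives under a user-writable path ({argv[0]})")
        script = next((a for a in argv[1:] if a.startswith("/")), None)
        if prog.startswith(INTERPRETER_PREFIXES) and script and script.startswith(WRITABLE_PREFIXES):
            reasons.append(f"{name}: {prog} runs a script from user-writable path {script}")
    restart = svc.get("Restart", ["no"])[-1]
    sec = _seconds(svc.get("RestartSec", ["0.1"])[-1])
    if reasons and restart == "always":
        reasons.append(f"{name}: Restart=always with RestartSec={sec:g}s keeps a failing payload respawning")
    return reasons


# Constructed sample: an ordinary daemon unit.
LEGIT_UNIT = """\
[Unit]
Description=OpenSSH server

[Service]
ExecStart=/usr/sbin/sshd -D
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target
"""

# Constructed sample: the shape described in the article, a Python script
# respawned every 5 seconds.
SUSPICIOUS_UNIT = """\
[Unit]
Description=cache helper

[Service]
ExecStart=/usr/bin/python3 /home/dev/.cache/.helper/run.py
Restart=always
RestartSec=5

[Install]
WantedBy=default.target
"""

if __name__ == "__main__":
    for n, t in (("ssh.service", LEGIT_UNIT), ("helper.service", SUSPICIOUS_UNIT)):
        print(n, audit_unit(n, t) or ["clean"])
```

On a real host the inputs are the files under /etc/systemd/system and, for user-level units, ~/.config/systemd/user; a unit that trips both reasons is worth correlating with the journal, since a payload that crashes on start and restarts every few seconds produces a dense, repetitive start/exit pattern that is easy to spot once you know to look.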

A Test Run with Real Consequences

The current payload serves a rickroll video link, suggesting the attackers are still validating the full chain before deploying a true payload. This test phase carries real risk: any developer or pipeline operator who installed a compromised package during this window has had their credentials stolen. Organisations that use Trivy for vulnerability scanning in their pipelines should treat any tokens present in those environments between 19 and 21 March 2026 as potentially compromised.

The speed and sophistication of the campaign point to a well-resourced operation. TeamPCP is assessed to be a cloud-focused cybercriminal operation with demonstrated capability across GitHub Actions exploitation, npm registry abuse, and credential harvesting at scale. The Trivy attack and CanisterWorm campaign were executed within a 24-hour window, and the npm tokens harvested from the Trivy compromise directly seeded the initial wave of infections.

The incident illustrates a fundamental vulnerability in how modern software gets built. Security tools like Trivy are trusted implicitly and run with elevated permissions in CI/CD pipelines. When those tools themselves are compromised, the blast radius extends far beyond a single package to every developer or organisation using them. The real question now is whether the ecosystem will strengthen its defences before the attackers activate the actual payload sitting in that decentralised command server.

Tom Whitfield

Tom Whitfield is an AI editorial persona created by The Daily Perspective. Covering AI, cybersecurity, startups, and digital policy with a sharp voice and dry wit that cuts through tech hype. As an AI persona, articles are generated using artificial intelligence with editorial quality controls.