Security experts have found a very advanced npm supply chain attack called CanisterWorm. This article explores what makes it a wormable threat. The campaign, which was run by a threat actor known as "TeamPCP," successfully takes over real npm publisher namespaces.
The attackers put harmful payloads into SDK packages, which creates a wormable threat that spreads on its own throughout the npm ecosystem.

Attack Mechanics and Propagation

The infection lifecycle starts when a malicious postinstall script in package.json runs during package installation and sets up a Python backdoor. To persist on Linux systems, the malware uses a systemd user service (systemd --user) to create a hidden background service called pgmon. CanisterWorm uses a decentralized method for command and control (C2): it constantly polls an Internet Computer Protocol (ICP) canister.
This canister works as a dead-drop C2 channel, serving secondary payloads that the malware saves to /tmp/pglog while it tracks its execution state in a /tmp/.pg_state file. The main goal of the first payload is aggressive credential theft. The malware looks for .npmrc files in local project folders, user home folders, and system-wide configurations to harvest _authToken values. It also reads the NPM_TOKEN and NPM_TOKENS environment variables in search of higher-privileged tokens. Once the worm has the credentials it needs, it uses a script called deploy.js to spread on its own.
The script logs in to the npm registry, lists every package the compromised user maintains, bumps the patch version, and then publishes the malicious update to infect downstream users.

Remediation and Compromised Packages

If your environment is exposed to this campaign, immediate containment is required to stop the worm from self-propagating using your credentials. To protect your environment, follow these steps from JFrog:

Rotate all of your npm publishing tokens and CI/CD secrets right away. Make sure that the new credentials have strict expiration dates and granular access policies.

To remove the Linux persistence, run: systemctl --user stop pgmon.service && systemctl --user disable pgmon.service

To remove the malicious staging artifacts, delete the following files: ~/.config/systemd/user/pgmon.service, ~/.local/share/pgmon/, /tmp/pglog, and /tmp/.pg_state.

To remove infected dependencies, delete the node_modules folder (rm -rf node_modules), run npm cache clean --force, and lock package.json to known-safe versions.

If your namespace was successfully hijacked, manually unpublish any compromised patch versions from the npm registry to protect downstream users.

To block future script-execution attacks, run npm config set ignore-scripts true, which turns off silent postinstall hooks for all packages.

Recently, continuous threat intelligence monitoring found several package versions that were not previously reported as linked to this campaign. Below is a table that combines newly found and known compromised packages. You can use this table to check your dependencies.

Package Name                          Compromised Version   X-Ray ID
@emilgroup/discount-sdk               1.5.1                 Unreported
@emilgroup/document-uploader          0.0.10                Unreported
@emilgroup/docxtemplater-util         1.1.2                 Unreported
@emilgroup/numbergenerator-sdk-node   1.3.1                 Unreported
@emilgroup/partner-portal-sdk         1.1.1                 Unreported
@emilgroup/setting-sdk                0.2.1                 Unreported
@emilgroup/task-sdk                   1.0.2                 Unreported
@emilgroup/task-sdk-node              1.0.2                 Unreported
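As an added defender-side check that is not part of the original article or of JFrog's tooling, the following Python script reads a package-lock.json and reports any dependency, direct or transitive, pinned to a version from the compromised-package table above. The package names and versions are the page's table data; the embedded lockfile is constructed sample input.

```python
import json

# Compromised package versions taken from the table on this page.
COMPROMISED = {
    "@emilgroup/discount-sdk": {"1.5.1"},
    "@emilgroup/document-uploader": {"0.0.10"},
    "@emilgroup/docxtemplater-util": {"1.1.2"},
    "@emilgroup/numbergenerator-sdk-node": {"1.3.1"},
    "@emilgroup/partner-portal-sdk": {"1.1.1"},
    "@emilgroup/setting-sdk": {"0.2.1"},
    "@emilgroup/task-sdk": {"1.0.2"},
    "@emilgroup/task-sdk-node": {"1.0.2"},
}

def installed_packages(lock):
    """Yield (name, version) for every package recorded in a lockfile.
    Covers lockfileVersion 2/3 ("packages", keyed by install path, so a nested
    install appears as node_modules/a/node_modules/b) and v1 ("dependencies")."""
    for path, meta in lock.get("packages", {}).items():
        if "node_modules/" in path:  # skips the root entry "" and workspace dirs
            yield path.rsplit("node_modules/", 1)[1], meta.get("version")
    stack = list(lock.get("dependencies", {}).items())
    while stack:  # v1 layout nests transitive deps under each entry
        name, meta = stack.pop()
        yield name, meta.get("version")
        stack.extend(meta.get("dependencies", {}).items())

def find_compromised(lock_text):
    """Return a sorted list of 'name@version' strings that match the table."""
    lock = json.loads(lock_text)
    return sorted({f"{name}@{ver}" for name, ver in installed_packages(lock)
                   if ver in COMPROMISED.get(name, ())})

# Constructed sample lockfile (v3 layout): one direct hit, one safe version,
# and one compromised version pulled in transitively under another package.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/@emilgroup/task-sdk": {"version": "1.0.2"},
        "node_modules/@emilgroup/setting-sdk": {"version": "0.2.0"},
        "node_modules/some-lib/node_modules/@emilgroup/discount-sdk": {"version": "1.5.1"},
    },
})

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for hit in find_compromised(text):
        print("COMPROMISED:", hit)
```

Run it with the path to a real package-lock.json as the first argument; with no argument it scans the embedded sample and reports the two hits.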