The threat actors behind the supply chain compromise of the popular Trivy scanner are believed to be carrying out follow-on attacks that have compromised a large number of npm packages with a new self-propagating worm dubbed CanisterWorm. The name comes from the malware's use of an ICP canister as a dead drop resolver. ICP canisters are tamper-proof smart contracts on the Internet Computer blockchain.

According to Charlie Eriksen, a researcher at Aikido Security, this is the first publicly known case of an ICP canister being used solely to resolve the command-and-control (C2) server address.

The affected packages include 28 in the @EmilGroup scope (see the list below) and 16 in the @opengov scope, as well as @teale.io/eslint-config, @airtm/uuid-base32, and @pypestream/floating-ui-dom.

The development comes just a day after attackers used a stolen credential to publish malicious trivy, trivy-action, and setup-trivy releases containing a credential stealer. The attacks are attributed to TeamPCP, a financially motivated group that focuses on cloud environments. The new variant builds the credential-stealing capability directly into "index.js" in a findNpmTokens() function that runs during the postinstall phase to collect npm authentication tokens from the victim's machine. This differs from "deploy.js," a standalone script that the attacker had to run manually with the stolen npm tokens to push a malicious version of the npm packages to the registry.

The key difference is that the postinstall script, after installing the persistent backdoor, searches the developer's environment for every npm token it can find and then uses those tokens to launch the worm immediately, running "deploy.js" as a fully detached background process. Interestingly, the attacker is said to have replaced the ICP backdoor payload with a placeholder test string ("hello123").
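As an added defensive illustration (not code from the article, Aikido, or any of the affected packages), the heuristic below flags npm install-time lifecycle hooks whose referenced scripts combine npm-credential access with spawning a detached background process, the "index.js"/"deploy.js" pattern described above. The sample package and its index.js are constructed, and the indicator regexes are assumptions, not published IoCs.

```javascript
// Heuristic indicators for the worm-style behaviour described in the article.
// Each regex is an assumption chosen for illustration, not a published signature.
const INDICATORS = [
  { id: 'reads-npmrc',         re: /\.npmrc/ },
  { id: 'reads-npm-token-env', re: /NPM_TOKEN|npm_config_\w*auth/i },
  { id: 'detached-spawn',      re: /detached\s*:\s*true|\.unref\(\)/ },
  { id: 'registry-publish',    re: /npm\s+publish|registry\.npmjs\.org|npm-registry-fetch/ },
];

// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// pkgJson: parsed package.json; files: { relativePath: sourceText } for the package.
// Returns one finding per install-time hook with the indicator ids that matched.
function scanPackage(pkgJson, files) {
  const scripts = pkgJson.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (!(hook in scripts)) continue;
    // Resolve script files named in the hook command, e.g. "node index.js" -> index.js.
    const referenced = scripts[hook].match(/[\w./-]+\.[cm]?js/g) || [];
    const sources = referenced.map((f) => files[f] || '').concat(scripts[hook]);
    const hits = new Set();
    for (const src of sources)
      for (const ind of INDICATORS)
        if (ind.re.test(src)) hits.add(ind.id);
    findings.push({ hook, command: scripts[hook], indicators: [...hits] });
  }
  return findings;
}

// Credential access alone is common in legitimate tooling; the combination with a
// detached process or a registry publish inside an install hook is the worm signature.
function isSuspicious(findings) {
  return findings.some((f) =>
    (f.indicators.includes('reads-npmrc') || f.indicators.includes('reads-npm-token-env')) &&
    (f.indicators.includes('detached-spawn') || f.indicators.includes('registry-publish')));
}

// Constructed sample package (illustrative only, not code from the compromised packages).
const samplePkg = { name: 'example-pkg', version: '1.0.0', scripts: { postinstall: 'node index.js' } };
const sampleFiles = {
  'index.js': [
    "const fs = require('fs'), os = require('os'), path = require('path');",
    "const rc = fs.readFileSync(path.join(os.homedir(), '.npmrc'), 'utf8');",
    "require('child_process').spawn('node', ['deploy.js'], { detached: true }).unref();",
  ].join('\n'),
};
```

Run against a package's package.json and its script files before installing it; a hit is a reason to inspect the hook by hand, not proof of compromise.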

This was probably done to verify that the whole attack chain works as intended before adding the malicious payload. "This is when the attack changes from 'compromised account publishes malware' to 'malware compromises more accounts and publishes itself,'" Eriksen said. "Any developer or CI pipeline that installs this package and has access to an npm token becomes an unwitting way for the package to spread."