Researchers linked TeamPCP to CanisterWorm, noting that the worm harvests npm credentials and uses an Internet Computer Canister as a decentralized C2 to publish malicious updates across packages.

Persistence is achieved via a systemd user service that restarts the Python backdoor after termination and disguises itself as PostgreSQL tooling to avoid detection.

The backdoor periodically contacts an ICP canister for commands, with its canister methods enabling dynamic control changes at any time.

The malware harvested extensive credentials and sensitive data from victim environments, including host details, SSH keys, cloud and infrastructure credentials, environment files, database credentials, tokens, CI/CD configurations, TLS keys, VPN configs, and webhooks.

Attackers gained write access to the Trivy repository via compromised credentials, publishing malicious releases and force-pushing most tags in the aquasecurity/trivy-action repository.

Infection chain involves a postinstall hook that runs a loader, drops a Python backdoor, and contacts an ICP canister to fetch the next payload, with the canister able to swap targets to arm or disarm the implant.

The attack is attributed to TeamPCP, a cloud-native threat actor previously active against Docker, Kubernetes, and other cloud services.

A new CanisterWorm variant self-propagates by harvesting npm tokens from downstream packages and using those stolen tokens to spread across all packages accessible in CI/CD pipelines, creating a self-replicating infection vector.

The self-spreading worm has compromised a large number of npm packages following a supply chain attack on Trivy, with dozens affected across multiple scopes, including @EmilGroup and @opengov, plus other impacted packages.

Organizations using the affected Trivy versions are advised to treat their environments as fully compromised, rotate all secrets across cloud credentials, SSH keys, API tokens, and database passwords, and thoroughly audit for unauthorized activity.

Suspicious activity extended to developer machines where the trojanized Trivy binary enumerated local files for credentials and exfiltrated data encrypted in a tarball to a typosquatted C2 server; failed exfiltration was redirected to a public GitHub repository.

Immediate indicators of compromise include persistent backdoor state files, the ICP C2 URL, a token validation endpoint, and specific SHA-256 hashes for index.js and deploy.js.