
TeamPCP Worm Spreads to npm Via Blockchain C2

TeamPCP's CanisterWorm hijacks npm packages and uses a blockchain-based, decentralized command-and-control dead drop.

  • Hackers linked to the TeamPCP operation have unleashed a self-propagating malware worm called CanisterWorm across numerous npm packages.
  • The worm uses an ICP canister on the Internet Computer blockchain as a resilient, decentralized command-and-control dead drop.
  • This attack is a follow-on to a previous supply chain compromise that published malicious versions of the popular Trivy security scanner.
  • Later worm variants automatically harvest npm authentication tokens from infected systems to propagate without any manual intervention from attackers.

A previously undocumented, self-propagating worm has compromised a large number of npm packages, according to research from Aikido Security. The malware, dubbed CanisterWorm by researcher Charlie Eriksen, marks the first documented abuse of an Internet Computer blockchain canister for cyber attacks.


Infected packages use a postinstall hook to deploy a Python backdoor. The backdoor contacts a tamperproof ICP canister, which acts as a dead drop resolver, to fetch its command server URL. Because the canister is decentralized, the infrastructure is highly resistant to takedown efforts.

Eriksen noted, “The canister controller can swap the URL at any time, pushing new binaries to all infected hosts without touching the implant.” Persistence is achieved via a disguised systemd service, which masquerades as PostgreSQL tooling to avoid detection. The configuration uses a “Restart=always” directive to reactivate the backdoor automatically.

The operation is suspected to be the work of the cloud-focused cybercriminal group TeamPCP. It follows the group's prior attack, in which they used a compromised credential to publish malicious Trivy scanner releases containing a credential stealer. The worm’s initial propagation relied on a standalone “deploy.js” script run manually with stolen npm tokens.

However, a subsequent variant found in “@teale.io/eslint-config” versions 1.8.11 and 1.8.12 automated this process. The new version’s postinstall script hunts for npm tokens on the victim’s machine and uses them to self-propagate. Eriksen said, “This is the point where the attack goes from ‘compromised account publishes malware’ to ‘malware compromises more accounts and publishes itself.'”


Interestingly, the attacker has used a YouTube link as a kill switch within the canister, making the implant dormant. Currently, the canister returns a rickroll YouTube video, but the threat actor can arm it at any time using the canister’s “update_link” method. As of writing, this is a developing story with further details pending.
