Following Trivy's compromise, StepSecurity's AI Package Analyst flagged suspicious new releases across multiple npm scopes — revealing CanisterWorm, a self-propagating npm worm deployed by the TeamPCP threat actor. The worm is a direct continuation of the second Trivy compromise (v0.69.4): attackers embedded a credential harvester in Trivy's CI/CD toolchain, stole npm tokens from affected pipelines, then used those tokens to publish backdoored patch versions across every namespace they could reach — including the @opengov scope (16+ packages).

StepSecurity

CanisterWorm is a self-propagating npm worm deployed by the TeamPCP threat actor, discovered following the compromise of Trivy v0.69.4. Attackers embedded a credential harvester in Trivy's CI/CD toolchain, stole npm tokens from affected pipelines, then used those tokens to publish backdoored patch versions across multiple npm scopes including @opengov (16+ packages). Each compromised package installs a persistent Python backdoor via a postinstall hook, establishes a systemd user service for persistence without root, and polls a C2 endpoint hosted on the Internet Computer blockchain — making it resistant to takedown. A worm component harvests npm tokens from victim machines and autonomously republishes the malware to every reachable package. A second-stage payload includes destructive Kubernetes capabilities targeting geopolitically specific victims. Indicators of compromise, remediation steps, and detection methods via StepSecurity's tooling are provided.

CanisterWorm: How a Self-Propagating npm Worm Is Spreading Backdoors Across the Ecosystem