Socket's Threat Research Team uncovered a worm-enabled npm supply chain attack dubbed CanisterWorm, affecting 29+ packages across legitimate publisher namespaces @emilgroup and @teale.io. Attackers obtained npm publishing tokens, replaced legitimate package contents with malicious code, and used a deploy.js worm script to republish the backdoor across all packages reachable by the compromised credentials. The implanted Python backdoor establishes persistence via a systemd user service named pgmon, then polls an Internet Computer Protocol (ICP) canister as a dead-drop C2 channel to fetch and execute rotating second-stage payloads stored in /tmp/pglog. The attack evolved in phases: an initial staging phase with dynamic payload loading, followed by a weaponized phase with a hardcoded dropper. The worm also harvested npm tokens from .npmrc and environment variables to enable autonomous propagation, and published malicious releases with --tag latest to maximize downstream installation.
Table of contents
- Worm-Enabled npm Supply Chain Attack
- How the Attack Works
- Indicators of Compromise (IOCs)
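The summary names four concrete artifacts a defender can look for: packages under the @emilgroup and @teale.io scopes, a systemd user unit called pgmon, the /tmp/pglog staging file, and publish tokens sitting in .npmrc. The triage script below is an added example, not Socket's tooling or anything shipped with the affected packages. It assumes a standard npm package-lock.json layout (lockfileVersion 1 under "dependencies", 2/3 under "packages") and the usual user-unit directories under ~/.config/systemd/user and ~/.local/share/systemd/user; the sample lockfile is constructed for illustration. It only reports, it does not remediate.

```python
"""Read-only triage for the CanisterWorm indicators named in the report (added example)."""
import json
from pathlib import Path

# Indicators taken from the report: compromised publisher scopes, the systemd user
# unit used for persistence, and the second-stage staging path.
AFFECTED_SCOPES = ("@emilgroup/", "@teale.io/")
PERSISTENCE_UNIT = "pgmon.service"
STAGE_PATH = Path("/tmp/pglog")


def affected_packages(lockfile_text: str) -> list[str]:
    """Return sorted name@version entries from a package-lock.json whose package name
    falls under a compromised scope. Covers lockfileVersion 2/3 ("packages", keyed by
    node_modules path) and the nested lockfileVersion 1 "dependencies" tree."""
    data = json.loads(lockfile_text)
    hits: set[str] = set()

    for key, meta in data.get("packages", {}).items():
        # v2/v3 keys look like "node_modules/foo/node_modules/@teale.io/bar";
        # the package name is whatever follows the last "node_modules/".
        name = key.rsplit("node_modules/", 1)[-1]
        if name.startswith(AFFECTED_SCOPES):
            hits.add(f"{name}@{meta.get('version', '?')}")

    def walk(deps: dict) -> None:
        # v1 nests transitive dependencies under each entry's own "dependencies"
        for name, meta in deps.items():
            if name.startswith(AFFECTED_SCOPES):
                hits.add(f"{name}@{meta.get('version', '?')}")
            walk(meta.get("dependencies", {}))

    walk(data.get("dependencies", {}))
    return sorted(hits)


def npmrc_exposes_token(npmrc_text: str) -> bool:
    """True if .npmrc carries an _authToken the worm could harvest. An env-variable
    reference still counts, since the report says environment variables were read too."""
    return any("_authToken=" in line.split("#", 1)[0] for line in npmrc_text.splitlines())


def host_indicators(home: Path, tmp: Path = Path("/tmp")) -> dict[str, bool]:
    """Check for the pgmon user unit and the /tmp/pglog staging file.
    The unit directories are an assumption about a typical systemd user setup."""
    unit_dirs = [home / ".config/systemd/user", home / ".local/share/systemd/user"]
    return {
        "pgmon_user_unit": any((d / PERSISTENCE_UNIT).exists() for d in unit_dirs),
        "pglog_staging": (tmp / STAGE_PATH.name).exists(),
    }


# Constructed sample lockfile (not real package data) showing a nested hit.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/@teale.io/widget": {"version": "1.2.3"},
        "node_modules/foo/node_modules/@emilgroup/sdk": {"version": "0.1.0"},
    },
})


if __name__ == "__main__":
    print("affected packages:", affected_packages(SAMPLE_LOCK))
    home = Path.home()
    npmrc = home / ".npmrc"
    if npmrc.exists():
        print("npmrc token present:", npmrc_exposes_token(npmrc.read_text()))
    print("host indicators:", host_indicators(home))
```

A hit on any of these is a reason to rotate the npm token, remove the user unit and staging file, and reinstall the dependency tree from a known-good lockfile; absence of the host artifacts does not clear a machine, because the report describes payloads that rotate.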