The menace actors behind the provision chain assault concentrating on the favored Trivy scanner are suspected to be conducting follow-on assaults which have led to the compromise of a lot of npm packages with a beforehand undocumented self-propagating worm dubbed CanisterWorm.
The identify is a reference to the truth that the malware makes use of an ICP canister, which refers to tamperproof good contracts on the Web Pc blockchain, as a useless drop resolver. The event marks the primary publicly documented abuse of an ICP canister for the express goal of fetching the command-and-control (C2) server, Aikido Safety researcher Charlie Eriksen mentioned.
The checklist of affected packages is under –
- 28 packages within the @EmilGroup scope
- 16 packages within the @opengov scope
- @teale.io/eslint-config
- @airtm/uuid-base32
- @pypestream/floating-ui-dom
The event comes inside a day after menace actors leveraged a compromised credential to publish malicious trivy, trivy-action, and setup-trivy releases containing a credential stealer. A cloud-focused cybercriminal operation referred to as TeamPCP is suspected to be behind the assaults.
The an infection chain involving the npm packages entails leveraging a postinstall hook to execute a loader, which then drops a Python backdoor that is accountable for contacting the ICP canister useless drop to retrieve a URL pointing to the next-stage payload. The truth that the useless drop infrastructure is decentralized makes it resilient and immune to takedown efforts.
“The canister controller can swap the URL at any time, pushing new binaries to all infected hosts without touching the implant,” Eriksen mentioned.
Persistence is established via a systemd person service, which is configured to robotically begin the Python backdoor after a 5-second delay if it will get terminated for some motive by utilizing the “Restart=always” directive. The systemd service masquerades as PostgreSQL tooling (“pgmon”) in an try and fly beneath the radar.
The backdoor, as talked about earlier than, telephones the ICP canister with a spoofed browser Person-Agent each 50 minutes to fetch the URL in plaintext. The URL is subsequently parsed to fetch and run the executable.
“If the URL contains youtube[.]com, the script skips it,” Eriksen defined. “This is the canister’s dormant state. The attacker arms the implant by pointing the canister at a real binary, and disarms it by switching back to a YouTube link. If the attacker updates the canister to point to a new URL, every infected machine picks up the new binary on its next poll. The old binary keeps running in the background since the script never kills previous processes.”
It is price noting {that a} related youtube[.]com-based kill change has additionally been flagged by Wiz in reference to the trojanized Trivy binary (model 0.69.4), which reaches out to the identical ICP canister through one other Python dropper (“sysmon.py”). As of writing, the URL returned by the C2 is a rickroll YouTube video.
The Hacker Information discovered that the ICP canister helps three strategies – get_latest_link, http_request, update_link – the final of which permits the menace actor to change the habits at any time to serve an precise payload.
In tandem, the packages include a “deploy.js” file that the attacker runs manually to unfold the malicious payload to each package deal a stolen npm token gives entry to in a programmatic trend. The worm, assessed to be vibe-coded utilizing a synthetic intelligence (AI) device, makes no try to hide its performance.
“This isn’t triggered by npm install,” Aikido mentioned. “It’s a standalone tool the attacker runs with stolen tokens to maximize blast radius.”
To make issues worse, a subsequent iteration of CanisterWorm detected in “@teale.io/eslint-config” variations 1.8.11 and 1.8.12 has been discovered to self-propagate by itself with out the necessity for handbook intervention.
In contrast to “deploy.js,” which was a self-contained script the attacker needed to execute with the pilfered npm tokens to push a malicious model of the npm packages to the registry, the brand new variant incorporates this performance in “index.js” inside a findNpmTokens() perform that is run through the postinstall section to gather npm authentication tokens from the sufferer’s machine.
The primary distinction right here is that the postinstall script, after putting in the persistent backdoor, makes an attempt to find each npm token from the developer’s atmosphere and spawns the worm straight away with these tokens by launching “deploy.js” as a totally indifferent background course of.
Apparently, the menace actor is claimed to have swapped out the ICP backdoor payload for a dummy check string (“hello123”), doubtless to make sure that the complete assault chain is working as meant earlier than including the malware.
“This is the point where the attack goes from ‘compromised account publishes malware’ to ‘malware compromises more accounts and publishes itself,'” Eriksen mentioned. “Every developer or CI pipeline that installs this package and has an npm token accessible becomes an unwitting propagation vector. Their packages get infected, their downstream users install those, and if any of them have tokens, the cycle repeats.”
(It is a creating story. Please verify again for extra particulars.)
