Trivy Supply Chain Attack Spreads CanisterWorm via 47 npm Packages

A sophisticated Supply Chain Attack targeting the widely deployed Trivy vulnerability scanner has expanded into a broader campaign involving a self-propagating worm. According to The Hacker News, technical evidence suggests that the threat actors behind the initial Trivy compromise are now deploying a malware variant dubbed CanisterWorm. This malware has successfully infiltrated at least 47 npm packages, using them as a launchpad for further infection across the open-source ecosystem.

Technical Analysis of CanisterWorm Propagation

The TTP identified in this campaign demonstrates a high level of automation. CanisterWorm is designed to scan the local environment of a compromised system—typically a CI/CD runner or a developer workstation—for sensitive credentials. Specifically, it targets npm authentication tokens and environment variables associated with container registries. Once these credentials are harvested, the worm automatically injects its malicious payload into the legitimate source code of any accessible repositories and attempts to publish updated, infected versions of the packages.

This self-propagating nature allows the malware to move horizontally across different organizations that share dependencies. The initial infection vector leveraging Trivy is particularly effective because security scanners often require high-level permissions to inspect filesystem layers and container images. If the scanner itself is compromised, it provides the attacker with a privileged vantage point to bypass traditional EDR and runtime protection mechanisms.

The Role of ICP Canisters in C2 Infrastructure

A unique aspect of CanisterWorm is its use of Internet Computer Protocol (ICP) canisters for command-and-control. ICP canisters are essentially tamperproof smart contracts that run at web speed. By hosting the C2 logic on a decentralized blockchain infrastructure, the attackers ensure that their control server is highly resilient against traditional takedown efforts. This approach complicates the work of SOC analysts, as traffic to ICP gateways may appear as legitimate blockchain-related activity rather than malicious beaconing.

How to Detect CanisterWorm in CI/CD Pipelines

Detecting this threat requires a multi-layered approach that focuses on both the integrity of build tools and the behavior of automated service accounts. Organizations should prioritize the following detection strategies:

• Audit npm Publish Logs: Monitor for unexpected package versions or publishing timestamps that do not align with verified deployment schedules.
• Network Baseline Analysis: Identify anomalous outbound connections to ICP gateway domains (e.g., ic0.app) originating from build servers that have no legitimate reason to interact with decentralized protocols.
• Credential Rotation: Treat any npm package compromise as a signal to rotate all secrets stored in CI/CD environment variables.

Effective detection also involves integrating IoC data into existing SIEM platforms. Defenders should map identified CanisterWorm behaviors to the MITRE ATT&CK framework, specifically focusing on Software Discovery (T1518) and Supply Chain Compromise (T1195.002).

Remediation and Long-Term Mitigation

The immediate priority for affected organizations is the Trivy supply chain attack mitigation process. This involves pinning scanner versions to known-good hashes and moving toward ephemeral, short-lived credentials for all automated processes. While no specific CVE has been assigned to this particular worm’s propagation method yet, the underlying risk stems from the over-provisioning of secrets in automated workflows.

Organizations must implement a Zero Trust architecture within their build environments. By limiting the scope of npm tokens to specific IP ranges and requiring multi-factor authentication for package publication, the automated Lateral Movement capabilities of CanisterWorm can be significantly curtailed. Security teams should also perform a deep audit of their dependency trees to ensure that none of the 47 compromised npm packages are currently being utilized in production environments.