Ravie Lakshmanan, Mar 21, 2026, Malware / Threat Intelligence

Trivy Supply Chain Attack Triggers Self-Spreading CanisterWorm Across 47 npm Packages

The threat actors behind the supply chain attack targeting the popular Trivy scanner are suspected to be conducting follow-on attacks that have led to the compromise of a number of npm packages with a previously undocumented self-propagating worm dubbed CanisterWorm.

The name is a reference to the fact that the malware uses an ICP canister, which refers to tamperproof smart contracts on the Internet Computer blockchain, as a dead drop resolver. The development marks the first publicly documented abuse of an ICP canister for the express purpose of fetching the command-and-control (C2) server, Aikido Security researcher Charlie Eriksen said.

The list of affected packages is below –

  • 28 packages in the @EmilGroup scope
  • 16 packages in the @opengov scope
  • @teale.io/eslint-config
  • @airtm/uuid-base32
  • @pypestream/floating-ui-dom

The development comes within a day after threat actors leveraged a compromised credential to publish malicious trivy, trivy-action, and setup-trivy releases containing a credential stealer. A cloud-focused cybercriminal operation known as TeamPCP is suspected to be behind the attacks.

The infection chain involving the npm packages leverages a postinstall hook to execute a loader, which then drops a Python backdoor that is responsible for contacting the ICP canister dead drop to retrieve a URL pointing to the next-stage payload. The fact that the dead drop infrastructure is decentralized makes it resilient and resistant to takedown efforts.

“The canister controller can swap the URL at any time, pushing new binaries to all infected hosts without touching the implant,” Eriksen said.

Persistence is established by means of a systemd user service, which is configured to automatically restart the Python backdoor after a 5-second delay if it gets terminated for some reason, using the “Restart=always” directive. The systemd service masquerades as PostgreSQL tooling (“pgmon”) in an attempt to fly under the radar.
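A defender's host check for two traits described above, the affected-package list and the “pgmon” systemd persistence: this is an added example, not Aikido's or the article's code. The unit file text, the lockfile content and the `pgmon.py` path are constructed samples, not real artifacts.

```python
import configparser
import re
# Scopes and package names taken from the article's affected list.
AFFECTED_SCOPES = ("@EmilGroup/", "@opengov/")
AFFECTED_PACKAGES = {"@teale.io/eslint-config", "@airtm/uuid-base32",
                     "@pypestream/floating-ui-dom"}


def unit_findings(unit_text: str, unit_name: str) -> list[str]:
    """Reasons a systemd user unit matches the persistence described above."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(unit_text)
    svc = cp["Service"] if cp.has_section("Service") else {}
    reasons = []
    if svc.get("Restart", "").lower() == "always":
        reasons.append("Restart=always")
    if re.search(r"\bpython3?\b", svc.get("ExecStart", "")):
        reasons.append("ExecStart runs a Python script")
    if "pgmon" in (unit_name + unit_text).lower():
        reasons.append("masquerades as PostgreSQL tooling (pgmon)")
    return reasons


def affected_in_lockfile(lock: dict) -> list[dict]:
    """Installed packages (package-lock v2/v3) from the affected scopes/names.
    Scope-wide matching over-approximates; confirm hits against the vendor list."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]   # strip nesting prefix
        if name and (name in AFFECTED_PACKAGES or name.startswith(AFFECTED_SCOPES)):
            hits.append({"name": name, "version": meta.get("version"),
                         "install_script": bool(meta.get("hasInstallScript"))})
    return hits


# Constructed samples (not real artifacts): a unit shaped like the described
# "pgmon" service, and a lockfile with one affected package and one benign one.
SAMPLE_UNIT = """[Service]
ExecStart=/usr/bin/python3 %h/.local/bin/pgmon.py
Restart=always
RestartSec=5

[Install]
WantedBy=default.target
"""
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/@teale.io/eslint-config": {"version": "1.8.12", "hasInstallScript": True},
    "node_modules/lodash": {"version": "4.17.21"}}}
```

Run `unit_findings` over each file in `~/.config/systemd/user/` and `affected_in_lockfile` over a parsed `package-lock.json`; a hit on either is a reason to treat the host's npm tokens as exposed.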

The backdoor, as mentioned before, phones the ICP canister with a spoofed browser User-Agent every 50 minutes to fetch the URL in plaintext. The URL is subsequently parsed to fetch and run the executable.

“If the URL contains youtube[.]com, the script skips it,” Eriksen explained. “This is the canister’s dormant state. The attacker arms the implant by pointing the canister at a real binary, and disarms it by switching back to a YouTube link. If the attacker updates the canister to point to a new URL, every infected machine picks up the new binary on its next poll. The old binary keeps running in the background as the script never kills earlier processes.”

It is worth noting that a similar youtube[.]com-based kill switch has also been flagged by Wiz in connection with the trojanized Trivy binary (version 0.69.4), which reaches out to the same ICP canister via another Python dropper (“sysmon.py”). As of writing, the URL returned by the C2 is a rickroll YouTube video.

The Hacker News found that the ICP canister supports three methods – get_latest_link, http_request, update_link – the last of which allows the threat actor to modify the behavior at any time to serve an actual payload.

In tandem, the packages contain a “deploy.js” file that the attacker runs manually to spread the malicious payload, in a programmatic fashion, to every package a stolen npm token provides access to. The worm, assessed to be vibe-coded using an artificial intelligence (AI) tool, makes no attempt to hide its functionality.

“This isn’t triggered by npm install,” Aikido said. “It’s a standalone tool the attacker runs with stolen tokens to maximize blast radius.”

To make matters worse, a subsequent iteration of CanisterWorm detected in “@teale.io/eslint-config” versions 1.8.11 and 1.8.12 has been found to self-propagate on its own without the need for manual intervention.

Unlike “deploy.js,” which was a self-contained script the attacker had to execute with the stolen npm tokens to push a malicious version of the npm packages to the registry, the new variant incorporates this functionality in “index.js” within a findNpmTokens() function that is run during the postinstall phase to collect npm authentication tokens from the victim’s machine.

The main difference here is that the postinstall script, after installing the persistent backdoor, attempts to locate every npm token in the developer’s environment and spawns the worm right away with those tokens by launching “deploy.js” as a fully detached background process.

Interestingly, the threat actor is said to have swapped out the ICP backdoor payload for a dummy test string (“hello123”), likely to ensure that the entire attack chain was working as intended before adding the malware.

“This is the point where the attack goes from ‘compromised account publishes malware’ to ‘malware compromises more accounts and publishes itself,’” Eriksen said. “Every developer or CI pipeline that installs this package and has an npm token available becomes an unwitting propagation vector. Their packages get infected, their downstream users install those, and if any of them have tokens, the cycle repeats.”

(This is a developing story. Please check back for more details.)
