CANISTERWORM is a self-propagating npm worm deployed by the TeamPCP threat actor, described as a direct continuation of the Trivy compromise (v0.69.4). After attackers embedded a credential harvester in Trivy’s CI/CD toolchain and stole npm tokens from affected pipelines, they used those tokens to publish backdoored patch versions across every reachable namespace, including the @opengov scope (16+ packages).
Each compromised version installs a persistent Python backdoor via a postinstall hook, establishes a systemd user service for non-root persistence, and polls a command-and-control (C2) endpoint hosted on the Internet Computer blockchain, making takedowns difficult. A separate worm component harvests npm tokens from the victim and republishes the malware to every package it can reach, continuing the spread; this is how the @emilgroup and @opengov scopes were infected. The second-stage payload delivered via the C2 carries destructive Kubernetes capabilities and filesystem wipe logic for geopolitically targeted victims.
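The two persistence mechanisms described above (an npm lifecycle hook that launches a Python interpreter, and a systemd user unit that keeps it running) are both visible on disk, so a defender can audit for them without any indicator of the specific campaign. The following scanner is an added example written for this page, not code from the advisory or from any affected project; the package names, paths and unit contents in it are constructed samples, and the heuristics (interpreters or downloaders in install hooks, user units whose ExecStart runs Python out of a hidden directory or node_modules) are general rather than campaign-specific.

```python
import json
import os
import re

# Scripts npm runs automatically during `npm install`; a normal package rarely
# needs anything beyond a native build step here.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Things an install hook has little legitimate reason to do. Each label becomes
# a "reason" in the finding so the reviewer sees why a hook was flagged.
SUSPICIOUS = {
    "python-interpreter": re.compile(r"\bpython3?(\.\d+)?\b"),
    "downloader": re.compile(r"\b(curl|wget)\b"),
    "inline-node": re.compile(r"\bnode\s+-e\b"),
    "base64-decode": re.compile(r"\bbase64\s+(-d|--decode)\b"),
    "systemd-user": re.compile(r"\bsystemctl\s+--user\b"),
}

# A script path inside a dot-directory or under node_modules is where an
# installer-dropped payload tends to live; a packaged app lives elsewhere.
HIDDEN_OR_MODULE_PATH = re.compile(r"(/\.[^/\s]+/|/node_modules/)")


def flag_manifest(name, manifest_text):
    """Parse one package.json and return a list of findings for suspicious
    lifecycle hooks (empty list if nothing looks wrong)."""
    manifest = json.loads(manifest_text)
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        reasons = [label for label, pat in SUSPICIOUS.items() if pat.search(cmd)]
        if reasons:
            findings.append({"package": name, "hook": hook,
                             "script": cmd, "reasons": reasons})
    return findings


def flag_user_unit(unit_name, unit_text):
    """Return a finding if a systemd user unit starts a Python interpreter on a
    script under a hidden directory or node_modules, else None."""
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line.startswith("ExecStart="):
            continue
        cmd = line[len("ExecStart="):]
        if SUSPICIOUS["python-interpreter"].search(cmd) and HIDDEN_OR_MODULE_PATH.search(cmd):
            return {"unit": unit_name, "exec": cmd}
    return None


def scan_tree(root):
    """Walk a checkout or node_modules tree and flag every package.json in it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" in files:
            path = os.path.join(dirpath, "package.json")
            with open(path, encoding="utf-8") as fh:
                try:
                    findings.extend(flag_manifest(path, fh.read()))
                except json.JSONDecodeError:
                    pass  # not a manifest we can parse; skip rather than crash
    return findings


def scan_user_units(unit_dir=os.path.expanduser("~/.config/systemd/user")):
    """Check every unit file in the user's systemd directory (non-root persistence)."""
    findings = []
    if not os.path.isdir(unit_dir):
        return findings
    for fname in os.listdir(unit_dir):
        if fname.endswith(".service"):
            with open(os.path.join(unit_dir, fname), encoding="utf-8") as fh:
                hit = flag_user_unit(fname, fh.read())
            if hit:
                findings.append(hit)
    return findings


# Constructed sample inputs (hypothetical package names and paths, not real IoCs).
BENIGN_MANIFEST = json.dumps({"name": "example-native", "version": "1.0.0",
                              "scripts": {"install": "node-gyp rebuild", "test": "jest"}})
SUSPECT_MANIFEST = json.dumps({"name": "@example/widget", "version": "2.3.1",
                               "scripts": {"postinstall": "node scripts/postinstall.js && "
                                           "python3 ~/.local/share/.cache/.svc/agent.py"}})
BENIGN_UNIT = "[Service]\nExecStart=/usr/bin/syncthing serve\n"
SUSPECT_UNIT = ("[Service]\nExecStart=/usr/bin/python3 /home/user/.local/share/.cache/.svc/agent.py\n"
                "Restart=always\n[Install]\nWantedBy=default.target\n")

if __name__ == "__main__":
    for f in flag_manifest("example-native", BENIGN_MANIFEST) + flag_manifest("@example/widget", SUSPECT_MANIFEST):
        print("HOOK :", f)
    print("UNIT :", flag_user_unit("updater.service", SUSPECT_UNIT))
    # On a real host: scan_tree(".") and scan_user_units()
```

Run it against a project directory and the current user's systemd unit directory; a finding is a lead to inspect, not a verdict, since some native packages legitimately run build tooling in `install`. The user-unit check matters because a service registered with `systemctl --user` never shows up in the system-wide unit listing that most host audits look at.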