CanisterWorm: The Self-Spreading npm Worm That Uses Blockchain to Stay Alive

Aikido Security detected CanisterWorm on March 20, 2026 at 20:45 UTC after dozens of npm packages across multiple organizations received unauthorized patch updates containing identical malicious code. The worm, deployed by the threat actor group TeamPCP, compromised at least 47 npm packages across the @EmilGroup, @opengov, @teale.io, @airtm, and @pypestream scopes. CanisterWorm is the first publicly documented npm malware to use an Internet Computer Protocol (ICP) blockchain canister as its command-and-control server, making it resistant to conventional takedown methods. The worm self-propagates: every infected developer machine or CI/CD pipeline becomes a new launch point.

The attack chain started with a compromised security scanner (Aqua Security’s Trivy), moved through stolen CI/CD credentials, and ended with a self-replicating worm that cannot be stopped by seizing a server. That progression from trusted tool to exponential infection is what makes this campaign different from prior npm supply chain attacks.

The Attack Chain: From Trivy to Blockchain C2

The campaign began on February 28, 2026 when an automated tool called hackerbot-claw exploited a misconfigured pull_request_target GitHub Actions workflow in Aqua Security’s Trivy repository. The exploit extracted a Personal Access Token with write access to all 33+ repositories in the Aqua Security organization. Aqua disclosed the breach on March 1 and rotated credentials, but the rotation was incomplete. TeamPCP retained access through tokens that survived the process.

On March 19, TeamPCP used the surviving credentials to push malicious commits over 75 of 76 version tags on trivy-action and 7 tags on setup-trivy. Every CI/CD pipeline that ran Trivy between March 19 and March 21 executed a credential stealer that harvested npm tokens, Kubernetes service account tokens, Docker registry credentials, database passwords, TLS private keys, and cryptocurrency wallet files. Those stolen npm tokens became the fuel for CanisterWorm’s propagation phase.

How the Worm Spreads Itself

CanisterWorm’s postinstall hook executes three actions on installation. First, it installs a persistent backdoor as a systemd user service named “pgmon” (disguised as PostgreSQL monitoring infrastructure) that survives reboots via Restart=always configuration. Second, it harvests every npm authentication token from the developer’s environment (.npmrc files, environment variables). Third, it launches deploy.js as a fully detached background process.

The deploy.js worm component queries npm to discover every package the stolen token can publish to. It increments the patch version of each discovered package, injects the CanisterWorm payload into the postinstall hook, and republishes with the –tag latest flag. Every developer or CI/CD pipeline that installs the newly infected package becomes a new victim and a new propagation vector. The cycle repeats without human intervention. This is how the @EmilGroup (28 packages) and @opengov (16 packages) scopes were infected from a single starting point.

The Blockchain C2 That Cannot Be Taken Down

The backdoor polls an ICP canister every 50 minutes using a spoofed browser user agent. An ICP canister is a tamperproof smart contract running on the Internet Computer blockchain, a decentralized network with no single host, no domain registrar, and no hosting provider to receive abuse complaints. Traditional takedown methods do not apply. Security teams cannot seize a blockchain smart contract. The infrastructure persists as long as the blockchain exists, which is by design indefinite.

The ICP canister returns a URL. If the URL contains “youtube.com,” the worm enters dormant mode. Otherwise, it downloads and executes whatever the URL points to. At the time of analysis, the canister returned a YouTube Rick Roll link, suggesting TeamPCP was testing the delivery chain before arming the payload. The plumbing works. The attackers validated the entire chain (token harvesting, worm spawning, systemd persistence, blockchain C2 polling) before deploying their real payload.

The Kubernetes Kill Switch

For victims running Kubernetes, the second-stage payload deploys a privileged DaemonSet named “host-provisioner-iran” with tolerations set to schedule on every node in the cluster. The payload includes kamikaze.sh, a wiper script that destroys data across all targeted cluster nodes. This is not ransomware. There is no recovery. The progression from credential theft to data destruction represents an escalation beyond the financial motivation typical of supply chain attacks. CISA issued an advisory noting the severity of the Kubernetes wiper component.

Why This Attack Succeeded

Detection and Remediation

Check for the systemd service file: ~/.config/systemd/user/pgmon.service. Check for Python processes named pglog or pg_state running from /tmp/. Review npm package publications for unexpected patch version bumps you did not authorize. Organizations that used Trivy in any CI/CD pipeline between March 19 and March 21 should treat every secret in that environment as compromised: rotate all tokens, review Kubernetes cluster access logs for unauthorized DaemonSet deployments, and pin dependencies by hash in lockfiles.

CanisterWorm makes the theoretical real. Self-propagating worms through developer credentials have been discussed in security research for years. This is the working implementation, spreading in production, with a C2 channel that the security community cannot shut down. The tools you trust to keep your code safe became the vector that compromised it.

Sources: The Hacker News, March 21, 2026; Aikido Security disclosure (Charlie Eriksen); Mend.io technical analysis; StepSecurity blog; Cloud Security Alliance research note; Socket supply chain research.

What This Means for the npm Ecosystem

CanisterWorm is the third major npm supply chain attack in March 2026 alone, following the Telnyx WAV steganography campaign and the LiteLLM PyPI credential stealer. TeamPCP has now compromised five ecosystems in nine days: Trivy, CanisterWorm npm packages, the Checkmarx KICS GitHub Action, LiteLLM on PyPI, and multiple Kubernetes clusters. The group reportedly collaborates with LAPSUS$ for extortion operations. This is not an isolated incident. It is a campaign with infrastructure, coordination, and escalating capability.

The npm registry processes over 400,000 package uploads per month. Its security model relies on publisher identity (tokens) rather than code integrity verification. When those tokens can be stolen from CI/CD pipelines at scale, the entire trust model collapses. Blockchain C2 infrastructure adds a dimension that existing defenses were not built to handle. Socket, Aikido, StepSecurity, and Mend.io detected and documented CanisterWorm within 48 hours. But the worm had already spread to 47+ packages before any defender noticed. In supply chain security, 48 hours is an eternity. The packages were installed. The tokens were stolen. The worm moved on.