TeamPCP's CanisterWorm: npm Supply-Chain Compromise with Iran-Targeted Wiper
Context and Chronology
Researchers at Aikido uncovered a self-propagating, package-based worm that they and others moved to take offline after tracing a chained distribution path that began with a compromised developer account and spilled into downstream projects and CI pipelines. Labelled CanisterWorm by some responders, the campaign abused accessible package-publisher tokens and CI contexts to publish tainted artifacts and to seed further compromises in dependent projects. Analysts observed rapid lateral spread: one compromised publisher account led to automated token harvesting and republishing, so the worm's packages appeared as legitimate updates and propagated through standard developer workflows.
Technical profile and payload behavior
CanisterWorm combines credential theft, supply-chain persistence, and conditional destructive logic. In most infected contexts, the implant harvests accessible secrets and pipeline tokens and attempts to publish poisoned packages or build artifacts. Targets that match Iran-specific configuration cues instead trigger the Kamikaze module, which seeks to erase filesystem contents or to disrupt cloud compute by abusing controller workloads. The malware runs environment checks (locale, clock, and cloud controller access) to decide between exfiltration, dormancy, or active destruction. In cloud-native estates it attempts to push workloads that can degrade node availability, for example by abusing DaemonSet-style deployment vectors when cluster RBAC and admission controls are permissive.
Connection to prior toolchain compromises and cross‑incident patterns
Investigations tie the distribution chain to a series of earlier compromises affecting developer tooling and scanner distributions, notably artifacts and credentials linked to the Trivy scanner and related ecosystems; telemetry implicates vendors including Aqua Security and upstream package registries. The operational tradecraft mirrors other recent episodes that weaponized trusted update channels—ranging from poisoned IDE extensions and invisible‑unicode payload encodings to off‑platform signaling (for example, blockchain memos used in other campaigns)—showing adversaries layer multiple resilience techniques to survive takedown and to change operator channels without republishing artifacts.
Technique diversity and evasion
Across related disclosures, defenders observed a toolbox of evasive techniques that amplify CanisterWorm’s effectiveness: nonprinting Unicode encodings that hide executable bytes from cursory review, abuse of legitimate publisher identities to publish malicious updates, and control‑plane manipulation (stolen publishing tokens, tainted CI configs or repo‑applied settings) that lets operators alter distribution behavior post‑publication. Separately reported weaknesses in package managers—different handling of Git/tarball sources and missing recorded integrity hashes—create practical paths for an attacker to swap safe artifacts for malicious ones after initial vetting, increasing the worm’s downstream blast radius.
Operational ambiguity and attribution
Vendor telemetry across disclosures is not uniform: some vendor clusters map components to Iran‑aligned collections while others surface overlaps with different tracked clusters or with commodity automation. These differences likely reflect shared toolchains, recycled signing artifacts, or convergent automation rather than definitive proof of a single actor, and they caution against over‑reliance on contested attribution when prioritizing containment and remediation.
Defensive and remediation priorities
Immediate response steps include revoking and rotating all exposed publisher, CI and CDN tokens; auditing CI/CD and hosted dev environments (Codespaces, runner pools) for repo‑applied configs and leaked secrets; and performing forensic validation of developer workstations and build agents that consumed the affected packages. Medium‑term mitigations that would harden ecosystems against similar worms include enforced end‑to‑end cryptographic signing of artifacts, recorded integrity hashes for all dependency sources (including Git/tarball origins), tighter scoping of token permissions and ephemeral signing keys, and stricter Kubernetes admission controls and least‑privilege cluster role bindings to prevent workload‑based destructive deployments.
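The recorded-integrity mitigation above, and the Git/tarball gap noted under technique diversity, can be checked mechanically. This added example (not code from npm or the researchers) audits the `packages` map of a `package-lock.json` for entries without a strong integrity hash or resolved outside the registry; the default registry prefix, the finding labels, and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3 "packages" map)
// for entries that lack a strong recorded integrity hash or bypass the registry.
const REGISTRY_PREFIX = 'https://registry.npmjs.org/'; // assumption: default public registry

function auditLockfile(lockJson, registryPrefix = REGISTRY_PREFIX) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace sources/symlinks and bundled deps,
    // which legitimately carry no resolved/integrity of their own.
    if (!path.includes('node_modules/') || entry.link || entry.inBundle) continue;
    const resolved = entry.resolved || '';
    const integrity = entry.integrity || '';
    const issues = [];
    if (!integrity) issues.push('missing-integrity');
    else if (!/(^|\s)sha(512|384|256)-/.test(integrity)) issues.push('weak-integrity');
    if (!resolved) issues.push('missing-resolved');
    else if (/^git[+:]/.test(resolved)) issues.push('git-source');
    else if (!resolved.startsWith(registryPrefix)) issues.push('non-registry-source');
    if (issues.length) findings.push({ path, resolved, issues });
  }
  return findings;
}

// Constructed sample lockfile: package names, hosts and hashes are placeholders.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/registry-demo': { version: '1.3.0',
      resolved: 'https://registry.npmjs.org/registry-demo/-/registry-demo-1.3.0.tgz',
      integrity: 'sha512-CONSTRUCTEDPLACEHOLDER==' },
    'node_modules/git-dep-demo': { version: '0.1.0',
      resolved: 'git+ssh://git@example.com/org/git-dep-demo.git#0123abc' },
    'node_modules/tarball-demo': { version: '2.0.0',
      resolved: 'https://downloads.example.com/tarball-demo-2.0.0.tgz',
      integrity: 'sha1-CONSTRUCTEDPLACEHOLDER=' },
  },
});

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Run as a CI gate, a non-empty result is a reason to fail the build or require review before the dependency is installed on a build agent.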