CanisterWorm
CanisterWorm is a self-propagating npm supply-chain worm associated with the TeamPCP threat actor. Reporting describes it as a four-stage worm that uses stolen npm publish tokens to resolve the token owner via the npm API, enumerate all packages the compromised identity can publish, increment patch versions, inject malicious code, and republish trojanized releases at high speed, in some cases compromising 28 packages in under 60 seconds and in broader reporting affecting 47 to 66+ packages. The campaign weaponized legitimate publisher accounts rather than typosquatted packages and spread through npm and developer workflows at scale.
Observed behavior includes harvesting npm credentials from project .npmrc files, the user ~/.npmrc, /etc/npmrc, environment variables such as NPM_TOKEN and NPM_TOKENS, and npm configuration output. The malware has been described as dropping a Python backdoor and establishing Linux persistence through a user-level systemd service named pgmon, installed at ~/.config/systemd/user/pgmon.service and executed from a hidden directory under ~/.local/share/pgmon/. It stores retrieved payloads in /tmp/pglog and tracks execution state in /tmp/.pg_state.
For command and control, CanisterWorm has been reported to poll the Internet Computer Protocol canister endpoint tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io, which returns a plain-text URL for a second-stage payload. Multiple sources describe this ICP canister usage as a dead-drop resolver or decentralized C2 mechanism.
CanisterWorm was observed as a follow-on activity after the Aqua Security Trivy compromise, with TeamPCP using stolen publish tokens from that incident to expand into the npm ecosystem. It is also linked in reporting to attacks on Kubernetes environments and to a conditional destructive capability targeting Iranian systems: earlier payloads reportedly checked for Iran timezone or Farsi language settings and, on a match, attempted to wipe Kubernetes clusters node by node or destroy the local machine if no cluster was found. Some reporting states that on devices in other regions, the malware instead installs a CanisterWorm backdoor.
High-confidence indicators and artifacts mentioned in the content include the ICP endpoint tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io, persistence artifact ~/.config/systemd/user/pgmon.service, execution path under ~/.local/share/pgmon/, and temporary files /tmp/pglog and /tmp/.pg_state.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Subsequently, the threat actors weaponized the stolen credentials to compromise npm packages and push a self-propagating worm named CanisterWorm.
Aikido Security - TeamPCP deploys CanisterWorm on NPM ... CanisterWorm — Self-propagating worm using ICP Canister for C2 ... File System Indicators /tmp/pglog (CanisterWorm payload drop path) | Who is TeamPCP? ... Known TTPs ... Notable CVEs CVE-2025-29927, CVE-2025-55182 (React2Shell)
Aikido Security - TeamPCP deploys CanisterWorm on NPM ... CanisterWorm — Self-propagating worm using ICP Canister for C2 ... File System Indicators /tmp/pglog (CanisterWorm payload drop path)
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Wiz Research continues to track TeamPCP activity following the initial Trivy compromise. The threat actor has expanded operations to the npm ecosystem via a worm ("CanisterWorm") leveraging stolen publish tokens.
Automated propagation via worming across software dependencies (T1210 / T1105). Deploying self-propagating malware (e.g., CanisterWorm) to spread through npm and developer workflows at scale
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
Initial Access
Each phase of the campaign was funded by credentials stolen in the previous one. The compromised aqua-bot token enabled injection into additional Aqua repositories. Harvested npm publish tokens fueled CanisterWorm... Stolen PyPI tokens enabled the LiteLLM compromise. Stolen Checkmarx CI credentials enabled the pivot...
TeamPCP used the residual access on March 19 to push a malicious v0.69.4 tag to the Trivy repository... The commits fetched malicious Go source files from the typosquatted C2 domain scan.aquasecurtiy[.]org and fed them into the build pipeline, turning Trivy’s own release process into a malware distribution channel.
Execution
3 techniques
Execution
The postinstall logic drops and launches a Python backdoor, then sets up persistence on Linux via a user-level systemd service named pgmon.
MITRE ATT&CK Mapping Technique ID Implementation Software Deployment Tools T1072 npm publish / PyPI upload abused as lateral movement and propagation
Once attackers obtain a valid npm publishing token or equivalent CI/CD access, they replace legitimate package contents with a malicious build that looks benign in version history but contains an extra postinstall hook. This hook runs automatically during npm install, so developers are infected simply by resolving dependencies, with no additional execution step.
Persistence
3 techniques
Persistence
Each phase of the campaign was funded by credentials stolen in the previous one. The compromised aqua-bot token enabled injection into additional Aqua repositories. Harvested npm publish tokens fueled CanisterWorm... Stolen PyPI tokens enabled the LiteLLM compromise. Stolen Checkmarx CI credentials enabled the pivot...
Privilege Escalation
3 techniques
Privilege Escalation
Each phase of the campaign was funded by credentials stolen in the previous one. The compromised aqua-bot token enabled injection into additional Aqua repositories. Harvested npm publish tokens fueled CanisterWorm... Stolen PyPI tokens enabled the LiteLLM compromise. Stolen Checkmarx CI credentials enabled the pivot...
Stealth
3 techniques
Stealth
MITRE ATT&CK Mapping Technique ID Implementation Obfuscated Files / Information T1027 AES-256-GCM encrypted payload constants; JS obfuscation; scramble()
Each phase of the campaign was funded by credentials stolen in the previous one. The compromised aqua-bot token enabled injection into additional Aqua repositories. Harvested npm publish tokens fueled CanisterWorm... Stolen PyPI tokens enabled the LiteLLM compromise. Stolen Checkmarx CI credentials enabled the pivot...
Once attackers obtain a valid npm publishing token or equivalent CI/CD access, they replace legitimate package contents with a malicious build that looks benign in version history but contains an extra postinstall hook. This hook runs automatically during npm install, so developers are infected simply by resolving dependencies, with no additional execution step.
Credential Access
4 techniques
Credential Access
In parallel, the JavaScript loader aggressively harvests npm credentials from multiple locations. It parses local .npmrc files in projects, the user’s ~/.npmrc, and /etc/npmrc for _authToken entries, and also inspects environment variables such as NPM_TOKEN and NPM_TOKENS.
...it allows them to steal API keys, cloud and database credentials, GitHub tokens, plus a ton of other secrets and sensitive information.
Discovery
1 technique
Discovery
Lateral Movement
3 techniques
Lateral Movement
MITRE ATT&CK Mapping Technique ID Implementation Software Deployment Tools T1072 npm publish / PyPI upload abused as lateral movement and propagation
Automated propagation via worming across software dependencies (T1210 / T1105). Deploying self-propagating malware (e.g., CanisterWorm) to spread through npm and developer workflows at scale
Harvested npm publish tokens fueled CanisterWorm, which resolved token owner identities via the npm API, enumerated all packages the compromised identity could publish to, bumped patch version numbers, and pushed malicious updates to 28 packages in under 60 seconds.
Collection
1 technique
Collection
Command and Control
5 techniques
Command and Control
For command and control, the backdoor repeatedly polls an Internet Computer Protocol (ICP) canister endpoint, specifically tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io, which acts as a dead-drop channel.
On Linux and macOS, the decoded Python script conducts credential collection ... exfiltrating results as tpcp.tar.gz via HTTP POST with the header X-Filename: tpcp.tar.gz to the same C2 IP address.
For command-and-control, TeamPCP employed Internet Computer Protocol (ICP) blockchain canisters—decentralized, immutable smart contracts hosted on the ICP network.
Exfiltration
2 techniques
Exfiltration
Impact
2 techniques
Impact
reported a probabilistic sabotage mechanism with a 1-in-6 chance of running a recursive wipe on systems matching Israeli or Iranian locales... The original TeamPCP campaign report documented a conditional wiper... attempted to destroy data, wiping Kubernetes clusters node by node, or the local machine if no cluster was found.
IOCs tracked for this family
70 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
89 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Malware targeting Kubernetes environments with destructive functionality, observed in activity associated with TeamPCP.
Trivy compromise-linked self-propagating malware that spread to dozens of npm packages, stole npm tokens and publisher account information, and used stolen credentials to compromise additional legitimate packages in a chained supply-chain attack.
A self-propagating worm used to spread through npm and developer workflows at scale via software dependency ecosystems.
Self-propagating malware used to spread through npm and developer workflows at scale.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.