How to Defend Against the CanisterWorm Trivy Supply Chain Attack
A critical supply chain attack has emerged targeting the ecosystem surrounding the popular open-source security scanner, Trivy. This incident has escalated beyond a simple compromised dependency, evolving into a self-propagating threat known as "CanisterWorm."
For defenders and security operations teams, this event highlights a dangerous evolution in supply chain malware. The attack leverages the compromise of Trivy-related infrastructure to distribute malicious npm packages. These packages utilize ICP (Internet Computer Protocol) canisters—tamperproof smart contracts—to facilitate command-and-control (C2) and self-propagation. As the worm spreads across 47 compromised npm packages, the risk extends from simple dependency confusion to active malware propagation within development and build environments.
Technical Analysis
The attack vector begins with the compromise of components related to Trivy, a widely used vulnerability scanner. Threat actors leveraged this access to propagate malicious payloads to the npm registry, affecting at least 47 distinct packages.
Key Characteristics of the Threat:
- Mechanism: The malware, dubbed CanisterWorm, abuses ICP canisters. By embedding malicious code within these smart contracts, the attackers ensure that the C2 infrastructure is resistant to takedowns, as it is decentralized and tamperproof.
- Propagation: Unlike typical supply chain attacks that rely on a developer pulling a bad version, the worm exhibits self-spreading capabilities. Once executed in a developer's environment, it can potentially spread to other connected projects or dependencies.
- Affected Systems: Organizations utilizing Node.js environments that have recently pulled dependencies or updated Trivy-related integrations are at primary risk. The malware targets build pipelines and developer workstations.
- Severity: High. The combination of trusted tooling (Trivy) and resilient C2 infrastructure (ICP canisters) makes this difficult to detect and eradicate.
Patch and Fix Status:
Maintainers of the affected npm packages are currently working on takedowns and publishing sanitized versions. Security teams must immediately revoke the compromised package versions and audit their package-lock.json files. The Trivy project has released advisories urging users to verify the integrity of their binaries and plugins.
Defensive Monitoring
To detect the presence of CanisterWorm or compromise via the affected npm packages, security teams should hunt for suspicious process executions related to Node.js and unusual network connections associated with ICP canisters.
PowerShell: Detecting Known Malicious Package Hashes
This script scans a directory (e.g., a project source folder) for package-lock.json files and checks them against a list of known malicious packages. (Note: Replace the example list below with specific IOCs from your threat intelligence feed as they become available.)
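```powershell
#Requires -Version 6.0
# Define the directory to scan (e.g., your source code repository)
$TargetDirectory = "C:\Projects"

# List of known malicious package names (Example list - update with specific IOCs)
$MaliciousPackages = @("@malicious/core", "trivy-utils-ext", "canister-lib")
$FoundThreats = @()

Write-Host "Scanning $TargetDirectory for malicious dependencies..." -ForegroundColor Cyan

Get-ChildItem -Path $TargetDirectory -Recurse -Filter "package-lock.json" -ErrorAction SilentlyContinue | ForEach-Object {
    $lockFile = $_.FullName
    try {
        # -AsHashtable is required: npm 7+ lock files contain an empty-string key
        # under "packages", which ConvertFrom-Json cannot map to an object property
        $content = Get-Content $lockFile -Raw | ConvertFrom-Json -AsHashtable -ErrorAction Stop
    } catch {
        Write-Warning "Could not parse ${lockFile}: $_"
        return  # skip this file, continue with the next one
    }

    $names = @()
    # lockfileVersion 1 and 2: "dependencies" is keyed by package name
    if ($content['dependencies']) { $names += @($content['dependencies'].Keys) }
    # lockfileVersion 2 and 3: "packages" is keyed by install path (node_modules/<name>)
    if ($content['packages']) {
        $names += @($content['packages'].Keys | ForEach-Object { ($_ -split 'node_modules/')[-1] })
    }

    foreach ($name in ($names | Sort-Object -Unique)) {
        if ($MaliciousPackages -contains $name) {
            $FoundThreats += "[ALERT] Malicious package '$name' found in $lockFile"
        }
    }
}

if ($FoundThreats.Count -gt 0) {
    Write-Host "THREAT DETECTED:" -ForegroundColor Red
    $FoundThreats | ForEach-Object { Write-Host $_ -ForegroundColor Red }
} else {
    Write-Host "No known malicious packages found in lock files." -ForegroundColor Green
}
```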
KQL: Microsoft Sentinel / Defender for Identity
Use this query to detect potential CanisterWorm activity by looking for Node.js processes making network connections to endpoints that exhibit high-entropy domains or connections associated with ICP gateway nodes.
```kql
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("node.exe", "npm.cmd", "npx.cmd")
// Focusing on ICP related domains or known C2 patterns; an optional port or path may follow the host
| where RemoteUrl matches regex @"(?i)\.(icp0\.io|internetcomputer\.org)(:\d+)?(/|$)"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc
```
Remediation
To protect your organization from the CanisterWorm and the associated Trivy supply chain attack, implement the following remediation steps immediately:
- Audit and Revoke Dependencies: Immediately audit all package-lock.json and yarn.lock files within your enterprise. Identify and remove any packages referenced in the security advisory related to the 47 compromised npm packages. Force a clean install using only verified versions.
- Verify Trivy Binaries: If your organization uses Trivy, verify the checksums of all Trivy binaries and plugins. Re-install Trivy directly from the official GitHub releases or trusted container registries, ensuring you have the latest patched version.
- Network Segmentation for Build Servers: Restrict internet access from build and CI/CD servers. Ensure that these servers can only communicate with necessary, approved package registries (e.g., internal npm proxy, specific npm registry endpoints). Block access to known ICP gateway nodes if not used for legitimate business purposes.
- Implement Software Bill of Materials (SBOM): Generate SBOMs for your applications. Compare your current SBOMs against the list of vulnerable packages provided by the Trivy maintainers and npm security advisories to quickly identify affected applications.
- Developer Credential Rotation: Treat the developer environment as compromised. If the worm executed, it may have exfiltrated API keys or tokens. Rotate all credentials (AWS, Azure, GitHub tokens) stored in environment variables or .npmrc files on machines that processed the malicious code.
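One way to carry out the SBOM comparison step above, as an added example that is not code from the original article or from the Trivy project: it walks a CycloneDX JSON SBOM, including nested components and scoped package names, and reports every component whose name and version appear on an advisory list. The advisory entries, package names and sample SBOM are constructed placeholders, and the helper names `npmName` and `findCompromised` are hypothetical; load the real package list from the published advisory.

```javascript
// Added example: flag SBOM components that appear on an advisory list.
// Every package name and version below is a constructed placeholder.

// Advisory data: npm package name -> compromised versions ("*" = all versions).
const ADVISORY = new Map([
  ["@example-scope/core", ["2.1.4", "2.1.5"]],
  ["example-canister-lib", ["*"]],
]);

// Resolve a component's npm name. CycloneDX tools may carry the scope in
// "group", inside "name", or only in the purl (where "@" is encoded as %40).
function npmName(component) {
  const m = /^pkg:npm\/(@?[^@?#]+)(?:@|$)/.exec(component.purl || "");
  if (m) return decodeURIComponent(m[1]).toLowerCase();
  const { group, name = "" } = component;
  return (group && !name.startsWith("@") ? `${group}/${name}` : name).toLowerCase();
}

// Walk top-level and nested components; return one finding per match.
function findCompromised(sbom, advisory = ADVISORY) {
  const findings = [];
  const walk = (components) => {
    for (const c of components || []) {
      const name = npmName(c);
      const bad = advisory.get(name);
      if (bad && (bad.includes("*") || bad.includes(c.version))) {
        findings.push({ name, version: c.version, ref: c["bom-ref"] || null });
      }
      walk(c.components); // CycloneDX allows components inside components
    }
  };
  walk(sbom.components);
  return findings;
}

// Constructed sample: a small subset of a CycloneDX JSON document.
const SAMPLE_SBOM = {
  bomFormat: "CycloneDX",
  specVersion: "1.5",
  components: [
    { type: "library", group: "@example-scope", name: "core", version: "2.1.4",
      purl: "pkg:npm/%40example-scope/core@2.1.4" },
    { type: "library", group: "@example-scope", name: "core", version: "2.0.0" },
    { type: "library", name: "example-parent", version: "1.0.0",
      components: [{ type: "library", name: "example-canister-lib", version: "0.3.1" }] },
  ],
};

for (const f of findCompromised(SAMPLE_SBOM)) console.log(`[ALERT] ${f.name}@${f.version}`);
```

Matching on name and version together avoids flagging clean releases of a package that was only compromised in specific versions.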