The PolySwarm Blog

Infect Once, Spread Everywhere: CanisterWorm and the Automation of Supply Chain Compromise

Mar 31, 2026 11:07:10 AM / by The Hivemind

Related Families: CanisterWorm

Executive Summary

The CanisterWorm campaign following the reported Trivy compromise demonstrates the emergence of self-propagating supply chain malware that exploits trust in software ecosystems rather than vulnerabilities, enabling scalable persistence and indirect exposure across developer pipelines, containerized environments, and public sector-adjacent software dependencies.

Key Takeaways

  • CanisterWorm harvests npm tokens and autonomously spreads across maintainers’ packages, enabling rapid ecosystem-wide compromise.
  • Internet Computer (ICP) canisters enable dynamic payload delivery and complicate disruption efforts.
  • Credential-rich build systems act as propagation and access amplification points.
  • Compromised packages within government and enterprise-adjacent ecosystems demonstrate downstream risk without evidence of direct targeting.

Strategic Context

US defense and public sector organizations, as well as enterprises, continue to expand reliance on containerized applications, open-source libraries, and automated DevSecOps pipelines to support modernization, scalability, and rapid deployment requirements. Platform-centric architectures and CI/CD pipelines have increased dependence on third-party software components developed outside traditional oversight mechanisms. This model introduces systemic exposure to globally distributed development ecosystems that operate on implicit trust and rapid iteration. Unlike traditional defense supply chains, open-source and container ecosystems lack standardized vetting and provenance controls.

Adversaries have demonstrated sustained interest in leveraging these ecosystems as part of broader strategic competition. In environments where civil-military integration is emphasized, private sector developers, academic institutions, and state-affiliated entities may influence software ecosystems in ways that align with national objectives. This positioning enables access without requiring immediate malicious activity.

The increasing reliance on software-defined infrastructure further amplifies this risk. Containers and orchestration platforms such as Kubernetes underpin modern applications across defense, logistics, and intelligence systems. A compromised component within this ecosystem can propagate rapidly across development and production environments. Recent supply chain incidents, culminating in the CanisterWorm campaign, demonstrate a transition toward automated, scalable compromise models that prioritize persistence and ecosystem-level access.

Abuse of Software Distribution Channels for Autonomous Propagation

Following the reported compromise of Trivy, the TeamPCP threat actor distributed malicious npm packages across multiple scopes, including 28 packages in the @EmilGroup scope and 16 packages in the @opengov scope. These packages retained legitimate README content and appeared as routine updates, increasing adoption likelihood. In this campaign, risk is introduced through the compromise and misuse of trusted maintainer accounts, allowing malicious updates to be distributed through legitimate software channels rather than through traditional vulnerability exploitation.

The malware employs a multi-stage execution chain:

  • Node.js postinstall loader
  • Python-based persistent backdoor
  • Decentralized payload delivery via ICP canister

Persistence is achieved through systemd user services configured with Restart=always, enabling execution without elevated privileges and ensuring resilience across reboots. Artifacts are disguised as PostgreSQL-related processes to blend into developer environments. The malware harvests npm authentication tokens from configuration files, environment variables, and npm settings, providing direct access to software distribution channels.
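A triage check for the persistence pattern described above, added here as an example and not taken from the original report or any vendor tooling: it flags user-level systemd units that combine Restart=always with a PostgreSQL-like name and either a script interpreter or a payload under the home directory. The name regex, the sample unit, and its path are constructed assumptions, not indicators from the campaign.

```python
import re
from pathlib import Path

# Generic heuristics written for this example; they are not IoCs from the report.
PG_LIKE = re.compile(r"(?<![a-z])(pg|postgres|psql)", re.I)
SCRIPT_RUNTIMES = {"python", "node", "sh", "bash"}
# Constructed sample unit with a hypothetical name and path.
SAMPLE_UNIT = ("[Service]\n"
               "ExecStart=/usr/bin/python3 %h/.local/share/postgres-sync/agent.py\n"
               "Restart=always\n")

def service_settings(unit_text):
    """Return key/value pairs from the [Service] section (last assignment wins)."""
    section, settings = None, {}
    for line in map(str.strip, unit_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def triage_unit(name, unit_text, home):
    """Collect the traits of a user unit that match the described persistence pattern."""
    svc = service_settings(unit_text)
    exec_start = svc.get("ExecStart", "").lstrip("-@+!:")  # drop systemd exec prefixes
    argv = exec_start.split()
    runtime = re.sub(r"[\d.]+$", "", Path(argv[0]).name) if argv else ""  # python3 -> python
    traits = set()
    if svc.get("Restart") == "always":
        traits.add("restart-always")
    if PG_LIKE.search(name) or PG_LIKE.search(exec_start):
        traits.add("postgres-like-name")
    if runtime in SCRIPT_RUNTIMES:
        traits.add("script-interpreter")
    if "%h" in exec_start or str(home) in exec_start:
        traits.add("payload-in-home")
    return traits

def is_suspicious(traits):
    """Flag only the combination; each trait alone is common on developer hosts."""
    return {"restart-always", "postgres-like-name"} <= traits and bool(
        traits & {"script-interpreter", "payload-in-home"})

def scan_user_units(unit_dir, home):
    """Triage every *.service file in a directory such as ~/.config/systemd/user."""
    units = {u.name: triage_unit(u.name, u.read_text(errors="replace"), home)
             for u in sorted(Path(unit_dir).glob("*.service"))}
    return {name: traits for name, traits in units.items() if is_suspicious(traits)}
```

Because user services need no elevated privileges, the scan has to cover every account's unit directory on build hosts and developer workstations, not only system-wide unit paths.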

Using these tokens, the malware:

  • Enumerates accessible packages
  • Increments version numbers to mimic legitimate updates
  • Publishes malicious versions as default installations

This converts software registries into propagation infrastructure, leveraging trust relationships between maintainers and users. Command and control is implemented through Internet Computer (ICP) canisters acting as dead-drop resolvers, returning dynamically changeable payload URLs. This enables payload rotation, kill-switch functionality, and resilience against infrastructure takedown. Updated variants introduce autonomous propagation by harvesting tokens during installation and executing propagation logic without additional attacker interaction.

Who is TeamPCP?

TeamPCP is a recently identified cybercriminal threat group associated with cloud infrastructure exploitation and software supply chain compromise. The group has demonstrated a consistent focus on automation, credential harvesting, and scalable propagation across developer and cloud-native environments.

TeamPCP activity is defined by the integration of known techniques into automated attack workflows rather than the development of novel exploits. Observed operations leverage exposed credentials, misconfigured services, and trusted software distribution channels to establish access and expand reach.

The group’s campaigns indicate a focus on:

  • Credential acquisition, including tokens and secrets from developer systems and CI/CD pipelines
  • Automation of lateral movement, enabling rapid expansion across accounts, packages, and environments
  • Abuse of trusted ecosystems, particularly software registries and development workflows
  • Scalable propagation models, including self-propagating malware such as CanisterWorm

TeamPCP has been linked to multiple recent operations spanning both software supply chain and cloud infrastructure domains. These include:

  • A reported supply chain compromise involving Trivy, enabling credential harvesting from CI/CD pipelines
  • The CanisterWorm campaign, which propagates through npm by harvesting tokens and publishing malicious packages
  • Cloud-focused activity targeting exposed services such as container platforms and orchestration environments

These campaigns demonstrate a convergence between development pipeline compromise and cloud infrastructure exploitation.

The group’s technical approach emphasizes:

  • Use of legitimate credentials rather than exploitation of software vulnerabilities
  • Integration of multi-stage malware capable of persistence and remote payload execution
  • Deployment of decentralized or resilient infrastructure for C2
  • Minimal reliance on obfuscation when trust in distribution channels reduces detection risk

Available reporting indicates that TeamPCP activity is primarily financially motivated, with operations focused on credential theft, access monetization, and opportunistic exploitation. While some activity has aligned with geopolitical contexts, there is no confirmed attribution to state sponsorship.

TeamPCP represents a shift toward operationally efficient, automation-driven threat activity that leverages trust within software and cloud ecosystems. The group’s ability to convert credential access and trusted distribution channels into self-propagating attack mechanisms highlights a broader evolution in supply chain threats, where scale and automation are prioritized over exploit development.

Cyber and Malware Implications

CI/CD Pipeline Compromise as a Force Multiplier

Continuous Integration and Continuous Deployment (CI/CD) pipelines bridge development and production environments and frequently contain privileged credentials. Malware operating within these systems can harvest tokens, alter build artifacts, and introduce malicious components into production workflows, bypassing perimeter defenses.

Container and Kubernetes Propagation Risk

Containerized environments amplify the impact of supply chain compromise. Malicious dependencies may be embedded into container images and deployed across clusters and environments. While CanisterWorm targets npm ecosystems, the underlying model is applicable to container registries and orchestration platforms, where similar techniques could enable cluster-wide compromise and persistent access.

Persistence Without Immediate Malicious Activity

The malware separates installation, persistence, and activation, enabling delayed execution and dynamic payload retrieval. This supports long-term access and complicates detection and response timelines.

Credential-Centric Threat Model

The campaign prioritizes credential harvesting, enabling continued access, propagation, and expansion across software ecosystems. This aligns with broader trends in credential-based cyber operations.

Potential Public Sector Exposure via Software Ecosystems

The inclusion of packages within the @opengov scope introduces exposure within software ecosystems associated with public sector applications. OpenGov provides cloud-based software used by local governments, state agencies, and public sector organizations for budgeting, procurement, and operational management.

While there is no evidence of direct targeting of government systems, the presence of compromised packages within this ecosystem highlights how public sector environments may be indirectly exposed through shared dependencies, developer tooling, and third-party software integration. This reflects a broader risk model in which government systems inherit exposure from upstream software supply chains.

Detection Challenges and Indicators

Traditional security tooling focuses on vulnerabilities and known malware signatures but does not address risks introduced by trusted contributors or compromised developer accounts. The CanisterWorm campaign demonstrates that malicious updates can originate from legitimate distribution channels and mimic normal development activity.
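Because such updates carry no signature to match, one check that still applies is whether a routine version bump adds install-time code, which is how the Node.js postinstall loader stage gets to run. The following added example (not from the original report) diffs two package-lock.json snapshots using npm's hasInstallScript marker; the lockfile fragments and package names are constructed.

```python
import json

# Constructed lockfile fragments (lockfileVersion 3 layout); package names are hypothetical.
OLD_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/@example-scope/widgets": {"version": "2.3.1"},
    "node_modules/native-codec": {"version": "4.0.0", "hasInstallScript": True},
}}
NEW_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/@example-scope/widgets": {"version": "2.3.2", "hasInstallScript": True},
    "node_modules/native-codec": {"version": "4.0.1", "hasInstallScript": True},
    "node_modules/tiny-helper": {"version": "0.1.0", "hasInstallScript": True},
}}

def load_lock(path):
    """Read a package-lock.json file from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def with_install_scripts(lock):
    """Map lockfile path -> version for entries npm marked with hasInstallScript."""
    return {path: meta.get("version") for path, meta in lock.get("packages", {}).items()
            if path and meta.get("hasInstallScript")}  # "" is the root project itself

def new_install_scripts(old_lock, new_lock):
    """Report packages that gain an install-time script between two lockfiles."""
    already = with_install_scripts(old_lock)
    old_pkgs = old_lock.get("packages", {})
    findings = []
    for path, version in sorted(with_install_scripts(new_lock).items()):
        if path in already:
            continue  # had an install script before; not a new capability
        name = path.rpartition("node_modules/")[2]
        if path in old_pkgs:
            findings.append((name, old_pkgs[path].get("version"), version,
                             "update-added-script"))
        else:
            findings.append((name, None, version, "new-dependency-with-script"))
    return findings

def gate(old_lock, new_lock):
    """CI exit status: 1 when any finding needs human review, otherwise 0."""
    return 1 if new_install_scripts(old_lock, new_lock) else 0
```

Installing with `npm ci --ignore-scripts` in the pipeline keeps lifecycle hooks from running until the findings have been reviewed.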

Analyst Commentary

The CanisterWorm campaign represents a significant evolution in supply chain threats, combining credential theft, automated propagation, and decentralized control into a scalable attack model. This approach prioritizes access, persistence, and scalability over immediate disruption. By embedding capabilities within trusted software ecosystems, adversaries can achieve widespread distribution and long-term positioning without triggering traditional security mechanisms.

For US defense and public sector organizations, as well as enterprises, this creates a credible risk of indirect compromise through dependencies, development pipelines, and containerized workloads. A single compromised component can propagate across multiple environments.

Container scanning tools are not designed to detect this class of threat, as they focus on vulnerabilities and misconfigurations rather than the trustworthiness or origin of software components. Because malicious functionality is introduced through trusted dependencies and developer workflows rather than exploitable vulnerabilities, affected artifacts may pass standard scanning and compliance checks. This limits the effectiveness of vulnerability-centric security models in identifying attribution-driven supply chain risk.

Addressing this gap requires a broader security model that extends beyond artifact inspection to include:

  • Developer and contributor attribution analysis, including identity, reputation, and affiliation context
  • Behavioral monitoring of software ecosystems, such as anomalous publishing activity, maintainer changes, and dependency modification patterns
  • Credential exposure detection within development and CI/CD environments, particularly for tokens and secrets accessible during build processes
  • Supply chain integrity validation, including verification of package provenance, build processes, and dependency trust relationships
  • Continuous monitoring across the software lifecycle, from development through deployment, rather than point-in-time scanning
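One way to implement the anomalous-publishing signal from the list above, as an added example rather than tooling from the report: cluster publish timestamps taken from the registry's per-package time map and flag clusters that touch many packages at once. The scope, package names, timestamps, and thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed registry metadata: six hypothetical packages in one scope, each with an
# older release and a patch release published seconds apart. Only "time" is used.
SAMPLE_PACKUMENTS = {
    f"@example-scope/pkg-{i}": {"time": {
        "created": f"2025-01-{10 + i}T09:00:00.000Z",
        "1.4.0": f"2025-01-{10 + i}T09:00:00.000Z",
        "1.4.1": f"2025-06-02T03:14:{i * 7:02d}.000Z",
    }} for i in range(6)
}

def publish_events(packuments):
    """Flatten each version->timestamp map into sorted (time, name, version) tuples."""
    events = []
    for name, doc in packuments.items():
        for version, stamp in doc.get("time", {}).items():
            if version not in ("created", "modified"):  # bookkeeping keys, not releases
                when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
                events.append((when, name, version))
    return sorted(events)

def publish_bursts(packuments, max_gap=timedelta(minutes=2), min_packages=5):
    """Cluster publishes separated by <= max_gap; keep clusters spanning many packages."""
    clusters, current = [], []
    for event in publish_events(packuments):
        if current and event[0] - current[-1][0] > max_gap:
            clusters.append(current)
            current = []
        current.append(event)
    if current:
        clusters.append(current)
    bursts = []
    for cluster in clusters:
        names = sorted({name for _, name, _ in cluster})
        if len(names) >= min_packages:
            bursts.append({"start": cluster[0][0], "end": cluster[-1][0],
                           "packages": names,
                           "versions": [version for _, _, version in cluster]})
    return bursts
```

Coordinated monorepo releases produce the same shape, so a burst should be correlated with the project's own release pipeline records before it is treated as unauthorized.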

The absence of attribution-aware controls further exacerbates this risk. Without visibility into the origin and affiliation of software contributors, organizations are limited in their ability to identify early-stage adversary positioning. Mitigating this threat requires integration of attribution analysis, behavioral monitoring, and intelligence-driven security practices into DevSecOps and supply chain security frameworks.

As demonstrated by CanisterWorm and prior incidents, adversaries are increasingly leveraging trust within software ecosystems as an attack surface. This model is scalable, resilient, and aligned with long-term strategic objectives, including persistent access within critical infrastructure and defense environments.

 
