CanisterWorm
CanisterWorm is a self-propagating malware worm associated with the TeamPCP supply-chain campaign. It was observed in March 2026 as part of follow-on activity after the compromise of Aqua Security’s Trivy ecosystem, where stolen npm publishing tokens were used to automate malicious republishing across legitimate npm packages. Reporting describes it as a four-stage worm that, given a single stolen npm token, enumerates all packages within that token’s publishing scope, increments version numbers, injects malicious code, and republishes compromised releases in under 60 seconds per token. Researchers reported propagation across at least 47 npm packages, with some reporting citing 66+ affected packages and 141 malicious artifacts.
Its propagation technique is registry-agnostic in principle, but observed activity centered on npm and developer workflows. The malware steals npm credentials from project .npmrc files, the user’s ~/.npmrc, /etc/npmrc, environment variables such as NPM_TOKEN and NPM_TOKENS, and npm configuration output. It then queries npm registry APIs to identify packages the compromised account can publish and republishes trojanized versions using legitimate publisher access. Malicious package variants included postinstall hooks that dropped and launched a Python backdoor and established Linux persistence via a user-level systemd service named pgmon, installed at ~/.config/systemd/user/pgmon.service and executed from ~/.local/share/pgmon/. Retrieved payloads were stored in /tmp/pglog, with execution state tracked in /tmp/.pg_state.
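A host-side hunt for the persistence and drop paths named above, added here as an example (not code from the page or from any vendor's tooling); it assumes a Linux user home and /tmp layout, reads only the paths the reporting names, and reports what it finds for triage.

```python
"""Check one host for the CanisterWorm persistence artifacts named in the reporting.

Added example (not the page's or any vendor's code). Paths come from the
reporting: user-level systemd unit pgmon.service, payload dir
~/.local/share/pgmon/, retrieved payload in /tmp/pglog, state in /tmp/.pg_state.
"""
import re
from pathlib import Path

# Relative to the user's home directory.
HOME_ARTIFACTS = [".config/systemd/user/pgmon.service", ".local/share/pgmon"]
# Relative to the temp directory (normally /tmp).
TMP_ARTIFACTS = ["pglog", ".pg_state"]


def parse_exec_start(unit_text: str) -> list:
    """Return every ExecStart= value in a systemd unit (a unit may list several)."""
    return [m.group(1).strip() for m in re.finditer(r"^ExecStart=(.*)$", unit_text, re.M)]


def hunt(home: Path, tmp: Path) -> list:
    """Return one finding dict per artifact present under home/ and tmp/."""
    findings = []
    for rel in HOME_ARTIFACTS:
        p = home / rel
        if p.exists():
            finding = {"path": str(p), "kind": "persistence"}
            if p.suffix == ".service":
                # Record what the unit launches and whether it points into the
                # reported payload directory, so the analyst sees the payload path.
                execs = parse_exec_start(p.read_text(errors="replace"))
                finding["exec_start"] = execs
                finding["payload_dir_match"] = any(".local/share/pgmon" in e for e in execs)
            findings.append(finding)
    for rel in TMP_ARTIFACTS:
        p = tmp / rel
        if p.exists():
            findings.append({"path": str(p), "kind": "payload-or-state", "size": p.stat().st_size})
    return findings


if __name__ == "__main__":
    # Check the current user; run once per home directory on shared hosts.
    for f in hunt(Path.home(), Path("/tmp")):
        print(f)
```

On shared hosts, call hunt() once per home directory under /home, since the unit is a per-user service rather than a system-wide one.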
CanisterWorm used an Internet Computer Protocol canister as decentralized command-and-control or dead-drop infrastructure. Reported endpoints include tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io and the canister identifier tdtqy-oyaaa-aaaae-af2dq-cai. The ICP canister returned a plain-text URL for second-stage payload retrieval rather than directly serving malware. Some reporting also characterizes CanisterWorm as deploying a persistent backdoor on non-targeted systems.
The malware also included destructive functionality targeting Iranian systems. Multiple reports state that it checked timezone and/or locale indicators, including Iran timezone or Farsi language settings, and on a match attempted to wipe data. In Kubernetes environments, it reportedly wiped clusters node by node, including use of a privileged container or DaemonSet named kamikaze; on non-Kubernetes hosts it attempted destructive deletion such as rm -rf / --no-preserve-root. Researchers specifically described CanisterWorm as targeting Kubernetes environments and deploying destructive functionality against selected Iranian targets, while installing a backdoor on devices in other regions.
CanisterWorm is consistently linked in public reporting to TeamPCP, also tracked in broader campaign reporting as UNC6780 and associated with aliases including DeadCatx3, PCPcat, and ShellForce. It was used in software supply-chain attacks affecting developer ecosystems, CI/CD environments, npm publishers, and Kubernetes-connected infrastructure.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Subsequently, the threat actors weaponized the stolen credentials to compromise npm packages and push a self-propagating worm named CanisterWorm.
Aikido Security - TeamPCP deploys CanisterWorm on NPM ... CanisterWorm — Self-propagating worm using ICP Canister for C2 ... File System Indicators /tmp/pglog (CanisterWorm payload drop path) | Who is TeamPCP? ... Known TTPs ... Notable CVEs CVE-2025-29927, CVE-2025-55182 (React2Shell)
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Automated propagation via worming across software dependencies (T1210 / T1105). Deploying self-propagating malware (e.g., CanisterWorm) to spread through npm and developer workflows at scale
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
Once attackers obtain a valid npm publishing token or equivalent CI/CD access, they replace legitimate package contents with a malicious build... For each package, it automatically bumps the patch version, injects the malicious postinstall payload, and repushes to npm with npm publish --access public --tag latest.
A highly automated npm supply chain campaign, dubbed “CanisterWorm,” in which threat actors steal npm access tokens and weaponize legitimate publisher accounts at scale.
Researchers also found TeamPCP expand its operations to infect the npm ecosystem via a never-before-seen worm, called CanisterWorm, leveraging stolen publish tokens from the initial Trivy compromise.
Execution
4 techniques
The postinstall logic drops and launches a Python backdoor, then sets up persistence on Linux via a user-level systemd service named pgmon.
MITRE ATT&CK mapping: Software Deployment Tools (T1072); implementation: npm publish / PyPI upload abused as lateral movement and propagation
Once attackers obtain a valid npm publishing token or equivalent CI/CD access, they replace legitimate package contents with a malicious build that looks benign in version history but contains an extra postinstall hook. This hook runs automatically during npm install, so developers are infected simply by resolving dependencies, with no additional execution step.
In Kubernetes environments, it checked for mounted service account tokens to deploy privileged DaemonSets (node-setup-*, host-provisioner-iran).
Persistence
3 techniques
The postinstall logic drops and launches a Python backdoor, then sets up persistence on Linux via a user-level systemd service named pgmon, installed under ~/.config/systemd/user/pgmon.service.
Privilege Escalation
3 techniques
Stealth
3 techniques
MITRE ATT&CK mapping: Obfuscated Files / Information (T1027); implementation: AES-256-GCM encrypted payload constants; JS obfuscation; scramble()
Credential Access
4 techniques
In parallel, the JavaScript loader aggressively harvests npm credentials from multiple locations. It parses local .npmrc files in projects, the user’s ~/.npmrc, and /etc/npmrc for _authToken entries, and also inspects environment variables such as NPM_TOKEN and NPM_TOKENS.
...it allows them to steal API keys, cloud and database credentials, GitHub tokens, plus a ton of other secrets and sensitive information.
MITRE ATT&CK mapping: Credentials from Files (T1552.001); implementation: 100+ filesystem hotspots across Linux/macOS/Windows
The Trivy payload’s primary objective was credential harvesting ... swept 50+ hardcoded filesystem paths for credentials: AWS configuration files, Docker Hub authentication tokens, PyPI publishing tokens, SSH keys ...
Discovery
2 techniques
A deploy.js script uses the stolen credentials to query the npm registry search API (/-/v1/search) and enumerate all packages that the compromised user can publish.
Lateral Movement
2 techniques
Collection
1 technique
Given a single stolen npm publishing token, CanisterWorm enumerated every package within that token’s publishing scope, incremented version numbers, and inserted malicious code into new releases, completing this cycle in under 60 seconds per token.
Command and Control
5 techniques
For command and control, the backdoor repeatedly polls an Internet Computer Protocol (ICP) canister endpoint, specifically tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io, which acts as a dead-drop channel.
On Linux and macOS, the decoded Python script conducts credential collection ... exfiltrating results as tpcp.tar.gz via HTTP POST with the header X-Filename: tpcp.tar.gz to the same C2 IP address.
For command-and-control, TeamPCP employed Internet Computer Protocol (ICP) blockchain canisters—decentralized, immutable smart contracts hosted on the ICP network.
This malware uniquely leverages an ICP canister, a tamperproof smart contract on the Internet Computer blockchain, as a dead drop resolver for its command-and-control (C2) server.
Exfiltration
2 techniques
The HTTP exfiltration channel used the identifying header X-Filename: tpcp.tar.gz, which provides a reliable network detection signature for retrospective traffic analysis.
MITRE ATT&CK mapping: Exfiltration Over Web Service (T1567.002); implementation: GitHub repo commits; GitHub Actions artifacts; P2P Session network
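Detection logic for the two network indicators the Command and Control and Exfiltration sections name (the ICP canister host and the X-Filename: tpcp.tar.gz header), added as an example and not part of the page or any vendor's rules. It assumes a JSON-lines proxy log with "src", "host", "method", "uri" and "headers" fields, a constructed format; map the field names onto your own proxy's schema.

```python
"""Scan proxy records for the CanisterWorm C2 host and exfiltration header.

Added example (not the page's or any vendor's code). Log format is
constructed: one JSON object per line with src, host, method, uri, headers.
"""
import json
from typing import Optional

# Indicators as reported: ICP canister dead-drop host and the exfil POST header.
C2_HOST = "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io"
EXFIL_HEADER_NAME = "x-filename"
EXFIL_HEADER_VALUE = "tpcp.tar.gz"


def classify(record: dict) -> Optional[str]:
    """Return an alert label for one record, or None if nothing matches."""
    # Header names are case-insensitive in HTTP, so normalize before comparing.
    headers = {k.lower(): str(v) for k, v in record.get("headers", {}).items()}
    if headers.get(EXFIL_HEADER_NAME, "").lower() == EXFIL_HEADER_VALUE:
        return "exfil:tpcp-archive-post"   # credential archive leaving via HTTP POST
    if record.get("host", "").lower() == C2_HOST:
        return "c2:icp-canister-deadrop"   # backdoor polling the canister for its next URL
    return None


def scan_log(lines: list) -> list:
    """Scan JSON-lines records; unparseable lines are skipped, not fatal."""
    alerts = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        label = classify(rec)
        if label:
            alerts.append({"line": n, "label": label, "src": rec.get("src"), "host": rec.get("host")})
    return alerts


# Constructed sample: benign registry fetch, canister poll, exfil POST, junk line.
# 203.0.113.10 is a documentation address standing in for the reported C2 IP.
SAMPLE_LOG = [
    '{"src":"10.0.0.5","host":"registry.npmjs.org","method":"GET","uri":"/lodash","headers":{}}',
    '{"src":"10.0.0.7","host":"tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io","method":"GET","uri":"/","headers":{}}',
    '{"src":"10.0.0.7","host":"203.0.113.10","method":"POST","uri":"/upload","headers":{"X-Filename":"tpcp.tar.gz"}}',
    "not json",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Because the canister only returns a URL for the next stage, a hit on the C2 host from a build agent is worth treating as an npm-token compromise on that host, not just a blocked download.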
Impact
2 techniques
...reported a probabilistic sabotage mechanism with a 1-in-6 chance of running a recursive wipe on systems matching Israeli or Iranian locales... The original TeamPCP campaign report documented a conditional wiper... attempted to destroy data, wiping Kubernetes clusters node by node, or the local machine if no cluster was found.
Researchers have additionally observed activity involving CanisterWorm, malware that targeted Kubernetes environments and reportedly deployed destructive functionality against selected Iranian targets.
IOCs tracked for this family
70 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
90 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Malware targeting Kubernetes environments with destructive functionality, observed in activity associated with TeamPCP.
Trivy compromise-linked self-propagating malware that spread to dozens of npm packages, stole npm tokens and publisher account information, and used stolen credentials to compromise additional legitimate packages in a chained supply-chain attack.
A self-propagating worm used to spread through npm and developer workflows at scale via software dependency ecosystems.
Self-propagating malware used to spread through npm and developer workflows at scale.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.