CanisterWorm - New Malware Steals npm Tokens and Spreads
Basically, CanisterWorm is a self-propagating worm that steals npm publishing tokens from developers and spreads itself through the packages they maintain.
A new malware called CanisterWorm is targeting the npm ecosystem. It steals npm tokens and spreads through compromised publisher accounts, putting every downstream project that depends on those packages at risk. Immediate action is needed to protect affected developers.
What Happened
A new malware campaign named CanisterWorm is wreaking havoc in the npm ecosystem. This self-propagating malware is linked to a group known as TeamPCP. It compromises legitimate publisher namespaces, pushing malicious package versions that steal credentials. This threat was first identified by security researchers from Socket and Endor Labs, who noticed a pattern of malicious updates across multiple npm accounts.
CanisterWorm cleverly disguises itself within routine updates, making it easy for developers to install without suspicion. Recent findings by JFrog researchers have expanded the known scope of this attack, revealing additional compromised packages that had previously gone unnoticed. The malware's infection process begins when a developer runs npm install on a tainted package, triggering a silent installation of a Python backdoor.
Who's Being Targeted
The impact of CanisterWorm extends far beyond individual developers. Once installed, it harvests npm authentication tokens and uses these credentials to spread itself to every package the developer maintains. This chain reaction means that one compromised account can poison multiple downstream packages, affecting numerous projects and their users.
Developers who have installed any of the infected packages are at immediate risk. The malware not only compromises their systems but also endangers the integrity of the entire npm ecosystem. With the ability to autonomously publish tainted updates, CanisterWorm poses a significant threat to software supply chains.
Signs of Infection
Detecting CanisterWorm can be challenging due to its stealthy nature. The malware embeds itself in what appear to be normal SDK version bumps, making it blend seamlessly into standard development workflows. Once a developer installs a compromised package, a malicious postinstall hook executes, dropping a backdoor onto the system without any visible warnings.
On Linux systems, the worm registers a persistent service that ensures it remains active even after reboots. It continuously polls a decentralized command-and-control server, disguising its malicious traffic as regular web requests. This makes it difficult for traditional security tools to detect the infection until significant damage is done.
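Because the dropper described above lives in an install-time lifecycle hook, one practical check is to audit an installed dependency tree for packages that run anything at npm install time and flag those that spawn an interpreter. The script below is an added example for this article, not code from the article or from Socket, Endor Labs or JFrog; the package names, versions and script bodies are constructed sample data, and the "suspicious" pattern is a heuristic assumption, not a signature of the worm.

```python
"""Audit an installed node_modules tree for install-time lifecycle scripts.

Added example for this article; not code from the article or from Socket,
Endor Labs or JFrog. Package names, versions and script bodies below are
constructed sample data; the SUSPICIOUS pattern is a heuristic assumption.
"""
import json
import os
import re
import tempfile

# Lifecycle hooks npm runs during `npm install`; the article says the
# dropper is placed in one of these (postinstall).
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Interpreters and download tools a pure JavaScript package rarely needs in
# an install hook. The article describes a Python backdoor, so python is the
# headline case; the others are common dropper building blocks (assumption).
SUSPICIOUS = re.compile(r"\b(python3?|curl|wget|bash\s+-c|sh\s+-c|base64\s+-d|nohup)\b")


def classify_scripts(pkg):
    """Return (hook, script, suspicious) for each install-time hook in a package.json dict."""
    scripts = pkg.get("scripts") or {}
    return [(hook, scripts[hook], bool(SUSPICIOUS.search(scripts[hook])))
            for hook in INSTALL_HOOKS if scripts.get(hook)]


def audit_tree(node_modules):
    """Walk node_modules (scoped and nested packages included) and list every install hook."""
    findings = []
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or non-JSON file: skip it rather than abort the audit
        name = pkg.get("name") or os.path.relpath(root, node_modules)
        for hook, script, suspicious in classify_scripts(pkg):
            findings.append({"package": name, "version": pkg.get("version", "?"),
                             "hook": hook, "script": script, "suspicious": suspicious})
    return findings


def build_sample_tree():
    """Create a throwaway node_modules with constructed packages so the audit runs offline."""
    base = tempfile.mkdtemp(prefix="nm-audit-")
    samples = {
        # benign native addon: has an install hook, but an expected one
        "native-addon": {"name": "native-addon", "version": "2.0.1",
                         "scripts": {"install": "node-gyp rebuild"}},
        # constructed "SDK version bump" that spawns an interpreter at install time
        "@example/sdk": {"name": "@example/sdk", "version": "4.1.8",
                         "scripts": {"postinstall": "python3 ./setup.py"}},
        # no install hooks at all: must not appear in the findings
        "left-pad-ish": {"name": "left-pad-ish", "version": "1.0.0",
                         "scripts": {"test": "node test.js"}},
    }
    for folder, pkg in samples.items():
        path = os.path.join(base, folder)
        os.makedirs(path)
        with open(os.path.join(path, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(pkg, fh)
    return base


if __name__ == "__main__":
    for f in audit_tree(build_sample_tree()):
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"{flag:10} {f['package']}@{f['version']} {f['hook']}: {f['script']}")
```

Point audit_tree at a real project's node_modules to get the list of packages that execute code on install; every entry deserves a look, and the flagged ones deserve it first. A native addon running node-gyp is normal, while an SDK whose new version suddenly gains a postinstall that launches python is exactly the pattern the article describes.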
How to Protect Yourself
Developers who suspect they have been affected must act quickly. Immediate actions include rotating all npm publishing tokens stored in .npmrc files and environment variables. On Linux systems, it's crucial to stop and disable the pgmon service, and delete any temporary files created by the malware.
Furthermore, affected developers should unpublish any compromised package versions from the npm registry. Simply publishing a newer version does not mitigate the risk for downstream users who may still install the infected release. To prevent future infections, running npm config set ignore-scripts true globally disables postinstall and other install-time hooks, adding an extra layer of defense against such supply chain attacks; note that this also skips the legitimate build steps some native packages rely on, so those then have to be run deliberately.
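The remediation steps above can be turned into a repeatable triage pass: find which registries have tokens in .npmrc (so each one gets rotated), rewrite the file without them so a leaked token is not reused after rotation, name environment variables that conventionally carry npm tokens, look for the pgmon systemd unit, and check whether ignore-scripts is set. The script below is an added example for this article, not code from the article or from Socket, Endor Labs or JFrog. The .npmrc content, the unit file body and the package spec passed to npm unpublish are constructed sample data; the service name pgmon comes from the article, and the NPM_TOKEN / NODE_AUTH_TOKEN names are an assumption about common CI setups.

```python
"""Post-compromise triage for the steps the article lists.

Added example for this article; not code from the article or from Socket,
Endor Labs or JFrog. The .npmrc text, unit file body and package spec are
constructed sample data; the service name pgmon comes from the article; the
environment variable names are an assumption about common CI setups.
"""
import os
import re
import tempfile

# //registry.example/:_authToken=TOKEN   (per-registry form)
# _authToken=TOKEN                       (legacy global form)
AUTH_RE = re.compile(r"^\s*(?P<registry>//[^=\s]+?/)?:?_authToken\s*=\s*(?P<token>\S+)\s*$")
TOKEN_ENV_VARS = ("NPM_TOKEN", "NODE_AUTH_TOKEN")
SYSTEMD_DIRS = ("/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system",
                os.path.expanduser("~/.config/systemd/user"))

SAMPLE_NPMRC = """\
registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=npm_CONSTRUCTEDSAMPLETOKEN0000
@acme:registry=https://npm.example.com/
//npm.example.com/:_authToken=${NPM_TOKEN}
save-exact=true
"""

def find_auth_tokens(npmrc_text):
    """Return [(registry or None, redacted token)] for every _authToken line."""
    found = []
    for line in npmrc_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            found.append((m.group("registry"), m.group("token")[:4] + "..."))
    return found

def strip_auth_tokens(npmrc_text):
    """Return the .npmrc content with _authToken lines removed and everything else intact."""
    return "".join(l + "\n" for l in npmrc_text.splitlines() if not AUTH_RE.match(l))

def token_env_vars(environ):
    """Names (never values) of set environment variables that conventionally carry npm tokens."""
    return [k for k in TOKEN_ENV_VARS if environ.get(k)]

def find_service_units(name, dirs=SYSTEMD_DIRS):
    """Paths of <name>.service in the given systemd unit directories."""
    return [p for p in (os.path.join(d, name + ".service") for d in dirs) if os.path.isfile(p)]

def ignore_scripts_enabled(npmrc_text):
    """True when the config text sets ignore-scripts=true."""
    for line in npmrc_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "ignore-scripts":
            return value.strip().lower() == "true"
    return False

def triage(npmrc_path, environ=None, service_dirs=SYSTEMD_DIRS, compromised=()):
    """Gather findings, print the remediation commands that apply, and return the findings."""
    environ = os.environ if environ is None else environ
    text = ""
    if os.path.isfile(npmrc_path):
        with open(npmrc_path, encoding="utf-8") as fh:
            text = fh.read()
    report = {"tokens": find_auth_tokens(text), "env_vars": token_env_vars(environ),
              "units": find_service_units("pgmon", service_dirs),
              "ignore_scripts": ignore_scripts_enabled(text)}
    for registry, tok in report["tokens"]:
        print(f"rotate {tok} for {registry or 'default registry'}; it is stored in {npmrc_path}")
    for var in report["env_vars"]:
        print(f"rotate the token held in ${var}")
    for unit in report["units"]:
        print(f"persistence found: {unit}  -> systemctl stop pgmon && systemctl disable pgmon")
    for spec in compromised:
        print(f"npm unpublish {spec}   # a newer version alone does not protect downstream users")
    if not report["ignore_scripts"]:
        print("npm config set ignore-scripts true   # stop install-time hooks from running")
    return report

def build_sample_env():
    """Create a temp .npmrc and a placeholder pgmon.service so triage() runs offline."""
    base = tempfile.mkdtemp(prefix="cw-triage-")
    npmrc = os.path.join(base, ".npmrc")
    with open(npmrc, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_NPMRC)
    unit_dir = os.path.join(base, "systemd")
    os.makedirs(unit_dir)
    with open(os.path.join(unit_dir, "pgmon.service"), "w", encoding="utf-8") as fh:
        fh.write("[Service]\nExecStart=/bin/true\n")  # placeholder body, not the real unit
    return npmrc, unit_dir

if __name__ == "__main__":
    npmrc, unit_dir = build_sample_env()
    triage(npmrc, environ={"NPM_TOKEN": "constructed"}, service_dirs=[unit_dir],
           compromised=["@acme/sdk@4.1.8"])  # constructed package spec, not a real indicator
```

On a real machine, call triage with the path to the user's .npmrc and the default service directories; write strip_auth_tokens' output back over the file only after the new tokens have been issued, since the old ones must be treated as burned regardless of whether the file still holds them.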