@@ -144,6 +144,87 @@ This vulnerability allows arbitrary file writes via path traversal in rollup's b
144144
145145---
146146
147- ** Last updated: ** 2026-03-05
147+ ## TeamPCP / CanisterWorm supply chain attack (Trivy compromise)
148148
149- ** Next review:** 2026-04-05
149+ As of 2026-03-24, we evaluated the TeamPCP campaign that compromised
150+ Aqua Security's GitHub and Docker Hub accounts, injecting malware
151+ into the Trivy vulnerability scanner and propagating a
152+ self-replicating worm ("CanisterWorm") through npm packages.
153+
154+ ### Exposure assessment
155+
156+ This repository uses ` aquasecurity/trivy-action ` in CI (` ci.yml ` ):
157+
158+ | Aspect | Status |
159+ | --- | --- |
160+ | Trivy action pinning | Pinned to commit SHA ` 76071ef0... ` (v0.31.0) |
161+ | Compromised packages in deps | ** None found** |
162+ | Filesystem IOCs | ** None found** |
163+ | npm publishing | ** Not applicable** — webssh2 is not published to npm |
164+ | Status | ** Not compromised** |
165+
166+ ### Why we are not affected
167+
168+ - GitHub Actions are ** pinned to commit SHAs** , not mutable tags,
169+ preventing silent tag-based substitution
170+ - The pinned SHA ` 76071ef0d7ec797419534a183b498b4d6366cf37 ` predates
171+ the compromise and was verified against the pre-incident
172+ repository state
173+ - This repository does not publish to npm, so there are no npm
174+ tokens for the worm to exfiltrate or abuse
175+ - No known compromised dependencies were found in
176+ ` package-lock.json `
177+
178+ ### Remediation actions taken
179+
180+ 1 . ** NPM token rotation** : All npm tokens with CI access were
181+ rotated as a precaution (2026-03-24)
182+ 2 . ** Trivy action review** : Confirmed pinned SHAs correspond to
183+ legitimate pre-compromise commits
184+ 3 . ** IOC scan** : Checked build systems for CanisterWorm filesystem
185+ artifacts — none found
186+ 4 . ** Dependency audit** : Scanned all ` package-lock.json ` files
187+ against known compromised package list — clean
188+
189+ ### CanisterWorm indicators of compromise (IOCs)
190+
191+ For reference, the following IOCs were published by Aikido and
192+ Socket:
193+
194+ ** C2 infrastructure:**
195+
196+ - ICP canister: ` tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io `
197+ - Cloudflare tunnels:
198+ ` souls-entire-defined-routes.trycloudflare.com ` ,
199+ ` investigation-launches-hearings-copying.trycloudflare.com ` ,
200+ ` championships-peoples-point-cassette.trycloudflare.com `
201+
202+ ** Filesystem artifacts:**
203+
204+ - ` ~/.local/share/pgmon/service.py ` ,
205+ ` ~/.config/systemd/user/pgmon.service `
206+ - ` /var/lib/svc_internal/runner.py ` , ` /var/lib/pgmon/pgmon.py `
207+ - ` /tmp/pglog ` , ` /tmp/.pg_state `
208+
209+ ** Kubernetes artifacts (kube-system namespace):**
210+
211+ - DaemonSets: ` host-provisioner-iran ` , ` host-provisioner-std `
212+ - Container names: ` kamikaze ` (wiper), ` provisioner ` (backdoor)
213+
214+ ** Compromised npm packages (partial list):**
215+
216+ - 28 packages in ` @EmilGroup ` scope, 16 in ` @opengov ` scope
217+ - ` @teale.io/eslint-config ` (v1.8.11, v1.8.12),
218+ ` @airtm/uuid-base32 ` , ` @pypestream/floating-ui-dom `
219+
220+ ### References
221+
222+ - [ Ars Technica — Self-propagating malware poisons open source software] ( https://arstechnica.com/security/2026/03/self-propagating-malware-poisons-open-source-software-and-wipes-iran-based-machines/ )
223+ - [ Aikido — TeamPCP Deploys CanisterWorm on NPM Following Trivy Compromise] ( https://www.aikido.dev/blog/teampcp-deploys-worm-npm-trivy-compromise )
224+ - [ Aikido — CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran] ( https://www.aikido.dev/blog/teampcp-stage-payload-canisterworm-iran )
225+
226+ ---
227+
228+ ** Last updated:** 2026-03-24
229+
230+ ** Next review:** 2026-04-24
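Review bot: The exposure table says npm publishing is "Not applicable" because webssh2 is not published to npm, yet remediation item 1 states "All npm tokens with CI access were rotated"; either name which npm tokens existed in CI and why, or reword item 1 so the two statements do not contradict each other. The "Why we are not affected" section also documents only the action SHA pin; state whether the Trivy version the action downloads at run time is pinned and how it was verified, since pinning the action commit does not by itself fix the scanner artifact it fetches.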