TL;DR: CanisterWorm shows how a supply chain compromise can move from CI/CD release automation into npm package poisoning, secret theft, workstation persistence, and repeated malicious publishing through stolen publisher tokens, according to Orca Security. The campaign shows why build trust, package trust, and developer endpoint trust can collapse together faster than review cycles can respond.
NHIMG editorial — based on content published by Orca Security: CanisterWorm supply chain compromise in CI pipelines and npm
Questions worth separating out
Q: What breaks when CI/CD credentials are reused for package publishing?
A: Reusing CI/CD credentials for package publishing collapses two trust functions into one non-human identity.
Q: Why do package registry credentials create ecosystem risk?
A: Package registry credentials matter because they control what the ecosystem consumes, not just what a single team deploys.
Q: How do security teams detect malware persistence on developer systems?
A: Security teams should look for user-level services, unexpected startup entries, and payloads stored under user-controlled paths because modern malware often avoids admin privileges.
Practitioner guidance
- Separate build authority from publish authority Restrict release automation so the credentials used to build software cannot also publish packages or modify registry metadata.
- Hunt for user-level persistence on developer endpoints Look for systemd user services, unexpected Python payloads under home directories, and unusual outbound connections to raw.icp0.io domains.
- Review npm publisher tokens and package versioning rights Inventory who can publish, who can bump versions, and which tokens remain valid across maintainers, automation, and third parties.
What's in the full article
Orca Security's full research covers the operational detail this post intentionally leaves for the source:
- A step-by-step account of the release automation compromise and how it moved into package publishing rights
- Specific Linux persistence artefacts such as pgmon.service and the Python backdoor file paths
- Examples of suspicious npm publishing activity, including unexpected version bumps and package republishing
- Defender investigation guidance for CI jobs, outbound connections, and runtime secret access across build systems
👉 Read Orca Security's analysis of the CanisterWorm supply chain campaign →
CanisterWorm and npm supply chain worming: what changed here?
Explore further
Supply chain compromise is now an identity problem before it is a code problem. CanisterWorm succeeded because trusted non-human identities in CI/CD and package publishing were allowed to move code across environments without strong containment. The attack did not need to break the software model first, it only needed to inherit the trust model already attached to release automation. Practitioners should treat build-path credentials as enforcement points, not convenience tokens.
A few things that frame the scale:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
- AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers.
A question worth separating out:
Q: Who is accountable when a supply chain compromise spreads through trusted credentials?
A: Accountability usually spans release engineering, platform security, and identity governance because the incident crosses multiple trust domains. The practical question is which team owns credential scope, publish rights, and offboarding for automation identities. Frameworks such as NIST CSF and NHI governance models help assign control ownership where a single compromise can affect many systems.
👉 Read our full editorial: CanisterWorm shows how CI compromise turns into package worming
Supply chain compromise is now an identity problem before it is a code problem. CanisterWorm succeeded because trusted non-human identities in CI/CD and package publishing were allowed to move code across environments without strong containment. The attack did not need to break the software model first, it only needed to inherit the trust model already attached to release automation. Practitioners should treat build-path credentials as enforcement points, not convenience tokens.
A few things that frame the scale:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
- AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers.
A question worth separating out:
Q: Who is accountable when a supply chain compromise spreads through trusted credentials?
A: Accountability usually spans release engineering, platform security, and identity governance because the incident crosses multiple trust domains. The practical question is which team owns credential scope, publish rights, and offboarding for automation identities. Frameworks such as NIST CSF and NHI governance models help assign control ownership where a single compromise can affect many systems.
👉 Read our full editorial: CanisterWorm shows how CI compromise turns into package worming