Key Findings

• Self-propagating worm dubbed CanisterSprawl detected in six npm packages, spreading via stolen developer credentials

• Malware executes during package installation to harvest npm tokens, SSH keys, cloud credentials, and browser data

• Stolen tokens enable attackers to push poisoned package versions, creating a self-replicating supply chain attack

• Exfiltration occurs through HTTPS webhook and ICP canister infrastructure designed to resist takedowns

• Campaign includes cross-platform propagation logic targeting both npm and PyPI ecosystems

Background

CanisterSprawl represents a significant escalation in supply chain attacks targeting the open-source development ecosystem. Security researchers at Socket and StepSecurity identified the campaign, which borrows infrastructure tactics from previous TeamPCP operations. The worm's multi-stage approach transforms compromised developer machines into attack vectors that automatically propagate malicious code throughout npm and Python package repositories.

Affected Packages and Attack Mechanism

The following npm packages contained malicious versions:

• @automagik/genie (versions 4.260421.33 - 4.260421.40)

• @fairwords/loopback-connector-es (1.4.3 - 1.4.4)

• @fairwords/websocket (1.0.38 - 1.0.39)

• @openwebconcept/design-tokens (1.0.1 - 1.0.3)

• @openwebconcept/theme-owc (1.0.1 - 1.0.3)

• pgserve (1.1.11 - 1.1.14)

The malware triggers during the postinstall hook phase, a critical window when package installation scripts execute with developer privileges. This timing allows attackers to access sensitive credentials before developers can intervene.

Credential Harvesting Scope

CanisterSprawl casts an exceptionally wide net for sensitive data. It targets standard configuration files including .npmrc for npm authentication and .git-credentials for repository access. The worm also pursues cloud provider credentials across AWS, Google Cloud, and Microsoft Azure platforms, along with Kubernetes and Docker configurations that could grant container infrastructure access.

Beyond traditional development credentials, the malware extracts Terraform, Pulumi, and Vault material to compromise infrastructure-as-code deployments. It harvests database passwords, local environment files, and shell history that might contain sensitive commands. The campaign extends to browser-based credentials from Chromium variants and cryptocurrency wallet extensions, indicating attackers seek maximum financial gain from compromised machines.

Multi-Stage Data Exfiltration

Captured credentials travel through two separate channels. An HTTPS webhook at telemetry.api-monitor[.]com provides direct exfiltration, while an Internet Computer Protocol canister at cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0[.]io offers distributed infrastructure resistant to traditional takedown attempts. This dual-channel approach mirrors TeamPCP's CanisterWorm strategy, suggesting either copycat tactics or continued operations by the same actors.

Cross-Ecosystem Propagation

The worm contains sophisticated logic to extend attacks beyond npm into the Python ecosystem. It generates Python .pth files designed to execute automatically when Python starts, then uses Twine credentials to upload malicious packages to PyPI. This capability transforms CanisterSprawl from a simple credential stealer into a self-perpetuating compromising mechanism that uses one infected developer to compromise additional package ecosystems.

Related Supply Chain Threats

The npm and PyPI ecosystems face sustained pressure from multiple threat actors. Legitimate Python package xinference recently became compromised, with versions 2.6.0, 2.6.1, and 2.6.2 containing Base64-encoded payloads. While attackers marked the compromise with "hacked by teampcp," the group disputed involvement and claimed copycat activity.

Separate campaigns have deployed Kubernetes-themed packages on both registries to establish SOCKS5 proxies and LLM gateways on victim machines. These LLM proxies function as OpenAI-compatible API endpoints that route requests through Chinese LLM services while sitting on trust boundaries vulnerable to injection attacks. An attacker controlling such infrastructure could manipulate responses from coding agents to inject malicious installation commands mid-flight.

An extended Asurion impersonation campaign published credential harvesters across four malicious packages from April 1-8, exfiltrating stolen data through Slack webhooks and obfuscated AWS API endpoints. Additionally, Google-owned Wiz documented an AI-powered campaign exploiting GitHub Actions pull_request_target triggers to systematically harvest developer secrets since March 2026.

Sources

• https://thehackernews.com/2026/04/self-propagating-supply-chain-worm.html

• https://www.socdefenders.ai/item/21cb4b40-82d7-4fc0-b004-74bc11ca39f7

• https://x.com/TheCyberSecHub/status/2047008329906671866

• https://www.bleepingcomputer.com/news/security/new-npm-supply-chain-attack-self-spreads-to-steal-auth-tokens/

• https://www.reddit.com/r/pwnhub/comments/1ssz2tq/selfpropagating_supply_chain_worm_hijacks_npm/