Malicious npm packages spread self-propagating worm through stolen developer tokens

by

Security researchers have identified a new supply chain worm that spread through compromised npm packages in April 2026, using stolen developer tokens to publish poisoned updates and expand the campaign across multiple open-source packages.

KEY FACTS

  • Affected ecosystems npm packages were used to spread the malware, and the code also included PyPI propagation logic.
  • Package group Six npm packages were flagged, including pgserve, @automagik/genie and several @fairwords and @openwebconcept releases.
  • Data theft The malware targeted developer files, cloud credentials, SSH material, browser data and cryptocurrency wallet extension data.
  • Exfiltration Stolen information was sent to an HTTPS webhook and an ICP canister designed to resist takedowns.

A technical analysis by Socket and StepSecurity said the campaign, tracked as CanisterSprawl, used a postinstall hook to run automatically during package installation. The hook harvested credentials from developer environments and then used any stolen npm tokens to publish new malicious package versions with the same behavior.

The report said the malware collected .npmrc files, SSH keys, Git credentials, cloud secrets for Amazon Web Services, Google Cloud and Microsoft Azure, as well as Kubernetes, Docker, Terraform, Pulumi and Vault data. It also attempted to access browser-stored credentials and cryptocurrency wallet extensions.

Researchers said the code pushed exfiltrated data to telemetry.api-monitor[.]com and to an Internet Computer canister at cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0[.]io. They also said the script could generate a Python .pth payload and upload malicious Python packages if the needed credentials were present.

In a separate disclosure, JFrog said several versions of the Python package xinference were compromised with a Base64-encoded payload that downloaded a second-stage collector module. The disclosure said the code opened with a comment that matched a marker seen in earlier TeamPCP-related compromises.

Other supply chain campaigns noted in the disclosure included malicious npm and PyPI packages that installed proxy and SFTP tools, an npm campaign that impersonated Asurion, and an AI-assisted GitHub Actions attack that targeted the pull_request_target workflow trigger. Wiz said that campaign had a low success rate and mostly affected small projects.

WHY IT MATTERS

The findings show how a single compromised package can be used to steal secrets and then spread further through trusted registries. They also underline the risk posed by install-time scripts and CI workflows when developer credentials are exposed.