"In other words, this is not just a credential stealer. It is designed to turn one compromised developer environment into additional package compromises," Socket said.
CanisterSprawl: a self‑propagating npm worm
Cybersecurity firms Socket and StepSecurity have identified a campaign they call CanisterSprawl: a supply‑chain worm that compromises npm packages and uses stolen developer npm tokens to publish poisoned versions of those same packages. The name reflects the operators' use of an ICP canister to exfiltrate data, a tactic described as reminiscent of TeamPCP's CanisterWorm.
The firms list six affected packages and specific version ranges:
- @automagik/genie (4.260421.33 - 4.260421.40)
- @fairwords/loopback-connector-es (1.4.3 - 1.4.4)
- @fairwords/websocket (1.0.38 - 1.0.39)
- @openwebconcept/design-tokens (1.0.1 - 1.0.3)
- @openwebconcept/theme-owc (1.0.1 - 1.0.3)
- pgserve (1.1.11 - 1.1.14)
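A lockfile check against the six ranges listed above, as an added example that is not code from Socket, StepSecurity or the original article. It assumes the ranges are inclusive, and the sample lockfile is constructed for illustration.

```python
import json
import sys

# Affected npm packages with inclusive version ranges, copied from the list above.
AFFECTED = {
    "@automagik/genie": ("4.260421.33", "4.260421.40"),
    "@fairwords/loopback-connector-es": ("1.4.3", "1.4.4"),
    "@fairwords/websocket": ("1.0.38", "1.0.39"),
    "@openwebconcept/design-tokens": ("1.0.1", "1.0.3"),
    "@openwebconcept/theme-owc": ("1.0.1", "1.0.3"),
    "pgserve": ("1.1.11", "1.1.14"),
}

def vkey(version):
    """Numeric key for plain x.y.z versions; None for prereleases, URLs, etc."""
    parts = (version or "").split("+")[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_affected(name, version):
    rng, key = AFFECTED.get(name), vkey(version)
    if rng is None or key is None:
        return False
    return vkey(rng[0]) <= key <= vkey(rng[1])

def iter_installed(lock):
    """Yield (name, version) from a parsed package-lock.json, any lockfileVersion."""
    for path, meta in lock.get("packages", {}).items():   # v2/v3: flat path map
        if "node_modules/" in path:
            yield meta.get("name") or path.rsplit("node_modules/", 1)[1], meta.get("version")
    stack = [lock.get("dependencies", {})]                # v1: nested dependency tree
    while stack:
        for name, meta in stack.pop().items():
            yield name, meta.get("version")
            stack.append(meta.get("dependencies", {}))

def scan_lock(lock):
    """Return sorted, de-duplicated (name, version) pairs that fall in a listed range."""
    return sorted({(n, v) for n, v in iter_installed(lock) if is_affected(n, v)})

# Constructed sample lockfile: one direct hit, one nested hit, one just below range.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "0.1.0"},
    "node_modules/pgserve": {"version": "1.1.12"},
    "node_modules/@fairwords/websocket": {"version": "1.0.37"},
    "node_modules/x/node_modules/@openwebconcept/theme-owc": {"version": "1.0.3"},
}}

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, version in scan_lock(lock):
        print(f"AFFECTED {name}@{version}")
```

A hit means the poisoned version was resolved at some point, so any credentials reachable from that environment should be treated as exposed and rotated.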
Installation hooks, stolen artifacts, and exfiltration channels
The malicious code is triggered at install time through a postinstall hook that harvests a broad set of developer credentials and secrets, then attempts to use any recovered npm tokens to push further poisoned package releases with a new postinstall hook. Captured items include configuration and credential files such as .npmrc, SSH keys and configurations, .git-credentials, .netrc, cloud credentials for Amazon Web Services, Google Cloud, and Microsoft Azure, Kubernetes and Docker configurations, Terraform, Pulumi, and Vault material, database password files, local .env* files, and shell history files.
In addition to filesystem and configuration artifacts, the malware attempts to access credentials from Chromium‑based web browsers and data associated with cryptocurrency wallet extension apps. Socket and StepSecurity say the information is exfiltrated to an HTTPS webhook at telemetry.api-monitor[.]com and to an ICP canister at cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0[.]io.
PyPI propagation and the xinference compromise
Socket reports the worm contains PyPI propagation logic: a generated Python .pth‑based payload designed to execute when Python starts, followed by preparation and upload of malicious Python packages via Twine if credentials are present. "The script generates a Python .pth-based payload designed to execute when Python starts, then prepares and uploads malicious Python packages with Twine if the required credentials are present," Socket said.
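A scanner for executable lines in .pth files, as an added example that is not part of the original article or of Socket's analysis. It relies on the fact that Python's site module executes any .pth line beginning with "import" followed by a space or tab; the token list and the sample contents are assumptions constructed for illustration.

```python
import re
import site
import sys
from pathlib import Path

# Tokens that are unusual in a legitimate .pth import line. This is a heuristic
# chosen for this example, not a signature of the campaign's payload.
SUSPICIOUS = re.compile(r"base64|exec\s*\(|eval\s*\(|compile\s*\(|urllib|subprocess|socket")

def executable_lines(text):
    """Return (lineno, line) for every line site.py would pass to exec()."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # Only lines starting exactly with "import " or "import\t" are executed;
        # any other non-comment line is treated as a directory for sys.path.
        if line.startswith(("import ", "import\t")):
            hits.append((lineno, line))
    return hits

def classify(line):
    """'suspicious' if the line carries decode/exec/network tokens, else 'review'."""
    return "suspicious" if SUSPICIOUS.search(line) else "review"

def scan_text(name, text):
    return [(name, n, classify(ln), ln[:80]) for n, ln in executable_lines(text)]

def scan_dirs(dirs):
    """Scan every *.pth directly inside each directory (where site.py looks)."""
    findings = []
    for d in dirs:
        if Path(d).is_dir():
            for pth in sorted(Path(d).glob("*.pth")):
                findings += scan_text(str(pth), pth.read_text(errors="replace"))
    return findings

# Constructed sample .pth contents; the encoded argument is an inert placeholder.
SAMPLE_PTH = (
    "# constructed sample\n"
    "/home/dev/project/src\n"
    "import os; os.environ.setdefault('DEMO_FLAG', '1')\n"
    "import base64; exec(base64.b64decode('PLACEHOLDER'))\n"
    "  import indented_so_site_treats_it_as_a_path\n"
)

if __name__ == "__main__":
    dirs = sys.argv[1:] or site.getsitepackages() + [site.getusersitepackages()]
    for name, lineno, verdict, line in scan_dirs(dirs):
        print(f"{verdict:10} {name}:{lineno}: {line}")
```

Some packaging tools install benign import lines in .pth files, so "review" results need a human look rather than automatic removal.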
Separately, JFrog disclosed that multiple versions of the legitimate Python package xinference (2.6.0, 2.6.1, and 2.6.2) were compromised to include a Base64‑encoded payload that fetches a second‑stage collector module responsible for harvesting credentials and secrets. JFrog noted that "the decoded payload opens with the comment '# hacked by teampcp,' the same actor marker seen in recent TeamPCP compromises." TeamPCP, in a post shared on X, disputed that it was behind the compromise and claimed it was the work of a copycat.
Other recent supply‑chain and repository attacks: kube‑node‑health, Asurion impersonation, and prt‑scan
The CanisterSprawl activity joins a series of other attacks targeting open‑source ecosystems. Two malicious packages—kube‑health‑tools on npm and kube‑node‑health on PyPI—masqueraded as Kubernetes utilities but installed a Go‑based binary that established a SOCKS5 proxy, a reverse proxy, an SFTP server, and a large language model (LLM) proxy on victim machines. The LLM proxy accepted OpenAI‑compatible API requests and routed them to upstream APIs including Chinese LLM routers such as shubiaobiao.
Aikido Security researcher Ilyas Makari warned of the risk from such routers: "Because every request passes through the router in plaintext, a malicious operator can [...] inject malicious tool calls into responses of coding agents before they reach the client, introducing malicious pip install or curl | bash payloads mid-flight." Makari also noted the router can be used to exfiltrate secrets from request and response bodies, including API keys, AWS credentials, GitHub tokens, Ethereum private keys, and system prompts.
Panther documented a sustained npm campaign impersonating phone insurer Asurion and subsidiaries (packages sbxapps, asurion-hub-web, soluto-home-web, and asurion-core) between April 1 and April 8, 2026. That campaign delivered a multi‑stage credential harvester that initially exfiltrated to a Slack webhook and later to an AWS API Gateway endpoint at pbyi76s0e9.execute-api.us-east-1.amazonaws[.]com; by April 7 the AWS exfiltration URL was obfuscated using XOR encoding.
Google‑owned Wiz described an AI‑powered campaign dubbed prt‑scan that has exploited the GitHub Actions pull_request_target trigger since March 11, 2026. Wiz says the attacker used several GitHub accounts to fork repositories, create branches with names like prt-scan-{{12-hex-chars}}, inject payloads into files executed during CI, open pull requests, and then harvest developer secrets and publish malicious package versions if npm tokens were available. "Across over 450 analyzed exploit attempts, we have observed a <10% success rate," Wiz researchers said, adding that most successful attacks targeted small hobbyist projects and exposed only ephemeral GitHub credentials for the workflow. They noted that contributor approval requirements and modern CI/CD security practices limited impact on high‑profile repositories.
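A line-based audit for workflows exposed to the pull_request_target pattern described above, as an added example that is not from Wiz or the original article. The two checks (checkout of the pull request's head ref, and a missing permissions key) are assumptions about what to flag, and both sample workflows are constructed.

```python
import re

# Expressions that resolve to the fork-controlled side of a pull request.
HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")

def strip_comments(text):
    """Drop whole-line and trailing ' #' YAML comments (naive: ignores quoting)."""
    return "\n".join(re.sub(r"(^|\s)#.*$", "", ln) for ln in text.splitlines())

def audit_workflow(text):
    """Return a list of findings for the text of one workflow file."""
    body = strip_comments(text)
    if not re.search(r"\bpull_request_target\b", body):
        return []
    findings = []
    # Fork-controlled files are only reached if the job checks out the PR's head.
    if re.search(r"uses:\s*actions/checkout@", body) and HEAD_REF.search(body):
        findings.append("checks out PR head under pull_request_target")
    # Without a permissions key the token falls back to the repository default.
    if not re.search(r"^\s*permissions\s*:", body, re.M):
        findings.append("no explicit permissions block")
    return findings

# Constructed sample: runs fork code with the base repository's secrets in scope.
RISKY = """\
name: ci
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""

# Constructed sample: same trigger, scoped token, no checkout of fork code.
SAFER = """\
name: label
on:
  pull_request_target:
    types: [opened]
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - run: echo "labels only"
"""

if __name__ == "__main__":
    for name, wf in (("RISKY", RISKY), ("SAFER", SAFER)):
        print(name, audit_workflow(wf))
```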
What this means for technologists, open‑source maintainers, and enterprises
- Technologists and security teams: Monitor for unusual postinstall activity and outbound connections to telemetry.api-monitor[.]com and the ICP canister cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0[.]io; watch for .pth‑based Python payloads and unauthorized npm publishes using recovered tokens.
- Open‑source maintainers: Be aware that npm tokens recovered from developer environments can be used to push poisoned releases; the incidents around xinference and CanisterSprawl show attacks can cross ecosystems and reuse actor markers like "# hacked by teampcp."
- Enterprises and procurement leaders: Recent campaigns highlight attacks that substitute or augment expected package behavior (proxies, LLM routers, credential harvesters) and show that exfiltration can be routed via cloud APIs and obfuscated endpoints such as AWS API Gateway URLs.
The record assembled by Socket, StepSecurity, JFrog, Panther and Wiz paints a picture of increasingly automated, cross‑ecosystem supply‑chain abuse: malware that turns a single compromised developer workstation into a distribution node, mechanisms that persist via Python .pth hooks and npm postinstall scripts, and exfiltration channels that include both conventional HTTPS webhooks and decentralized ICP canisters. Attribution remains contested—the teampcp marker appears in at least one payload while TeamPCP denies responsibility—leaving defenders to wrestle with attack mechanics and mitigation even as the actors dispute credit.
Source: https://thehackernews.com/2026/04/self-propagating-supply-chain-worm.html




