Supply‑Chain Worm Spreads via npm Packages to Harvest Developer Tokens

Key Takeaways

• A newly discovered supply‑chain worm, dubbed CanisterSprawl, steals npm tokens during postinstall and uses them to push poisoned package versions, creating a self‑propagating chain.
• The malware harvests a broad set of developer secrets—including .npmrc, SSH keys, cloud credentials, container/Kubernetes configs, Terraform/Vault material, browser data, and cryptocurrency wallet files.
• Exfiltration occurs via an HTTPS webhook (telemetry.api-monitor[.]com) and an Internet Computer Protocol (ICP) canister (cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0[.].io), mirroring the earlier TeamPCP CanisterWorm tactic.
• Beyond npm, the worm contains PyPI propagation logic that drops a malicious .pth file to execute on Python start and upload poisoned packages with Twine when credentials are present.
• The campaign is linked to the threat actor TeamPCP, although they deny involvement, suggesting a possible copycat.
• Similar attacks have surface‑levelled malicious Kubernetes utility packages on npm and PyPI that install a Go‑based binary exposing SOCKS5, SFTP, reverse proxy, and an OpenAI‑compatible LLM router for credential theft and AI abuse.
• A separate campaign impersonated the insurance provider Asurion, publishing malicious npm packages that harvested credentials via a Slack webhook then an AWS API Gateway endpoint (later XOR‑obfuscated).
• Google‑owned Wiz revealed an AI‑driven prt‑scan operation that abuses the GitHub Actions pull_request_target workflow to fork repositories, inject malicious CI steps, and steal developer secrets, achieving a <10% success rate mainly against small hobbyist projects.
• Defenses must focus on securing developer environments (token hygiene, least‑privilege scopes), enforcing strict CI/CD approvals, monitoring for anomalous postinstall scripts, and using supply‑chain integrity tools (e.g., Socket, StepSecurity) to detect compromised packages early.

Overview of the CanisterSprawl Threat
Cybersecurity researchers from Socket and StepSecurity have identified a fresh wave of compromised open‑source packages that deliver a self‑propagating worm named CanisterSprawl. The worm leverages stolen npm authentication tokens to publish poisoned versions of the affected packages, thereby expanding its reach automatically. The activity is tracked under the CanisterSprawl label because the malware exfiltrates harvested data to an Internet Computer Protocol (ICP) canister, a technique reminiscent of the earlier TeamPCP CanisterWorm that aimed to make the infrastructure resistant to takedowns.

Malware Delivery Mechanics
The malicious payload is triggered at install time via a postinstall hook embedded in the compromised packages. When a developer runs npm install, the hook executes, harvesting credentials and secrets from the local development environment. It then uses any discovered npm tokens to push new, malicious versions of the same package to the registry, each containing a fresh postinstall hook. This cycle creates a worm‑like propagation mechanism that can quickly infect downstream consumers who unknowingly install the tainted versions.

Scope of Credential Harvesting
CanisterSprawl targets a wide array of sensitive data typically found in developer workstations. Captured information includes:

• .npmrc files (npm registry credentials)
• SSH keys and SSH configuration files
• .git-credentials and .netrc files
• Cloud provider credentials for Amazon Web Services, Google Cloud, and Microsoft Azure
• Kubernetes and Docker configuration files
• Infrastructure‑as‑Code material from Terraform, Pulumi, and HashiCorp Vault
• Database password files
• Local environment files matching .env* patterns
• Shell history files (e.g., .bash_history, .zsh_history)
  In addition, the malware attempts to read data from Chromium‑based browsers and cryptocurrency wallet extensions, seeking private keys, seed phrases, and stored session tokens.

Exfiltration Channels
Stolen data is sent to two distinct endpoints. First, an HTTPS webhook at telemetry.api-monitor[.]com receives the harvested secrets via a standard POST request. Second, the malware uploads the same payload to an ICP canister located at cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0[.]io. The use of an ICP canister provides redundancy and resilience against takedown attempts, mirroring the Tactics, Techniques, and Procedures (TTPs) observed in the TeamPCP CanisterWorm campaigns.

Propagation to PyPI
Beyond npm, the worm contains embedded logic for the Python Package Index (PyPI). When the infected environment possesses suitable Python packaging credentials (e.g., PyPI API keys), the script generates a .pth file that executes upon Python interpreter start. This file prepares and uploads malicious Python packages using Twine, thereby extending the supply‑chain compromise to the Python ecosystem. As Socket noted, this transforms the worm from a mere credential stealer into a mechanism that turns one compromised developer environment into a vector for further package poisoning.

Attribution to TeamPCP
The malware’s code contains the comment # hacked by teampcp, a signature previously linked to the threat actor known as TeamPCP. Socket’s analysis ties CanisterSprawl to this group, noting similarities in infrastructure (ICP canister use) and exfiltration tactics. However, in a subsequent post on X (formerly Twitter), TeamPCP denied responsibility, claiming the activity is the work of a copycat actor leveraging their known TTPs. Whether genuine or a false flag, the overlap underscores the difficulty of attributing supply‑chain attacks in the open‑source realm.

Related Supply‑Chain Attacks: Fake Kubernetes Utilities
The CanisterSprawl disclosure arrives alongside other malicious packages masquerading as Kubernetes tooling. On npm, the package kube-health-tools and on PyPI, kube-node-health present themselves as utilities for cluster health monitoring. In reality, they install a Go‑based binary that opens a SOCKS5 proxy, a reverse proxy, an SFTP server, and an OpenAI‑compatible LLM proxy on the victim’s machine. The LLM proxy forwards requests to upstream APIs—including Chinese LLM routers such as shubiaobiao—effectively turning the compromised host into a conduit for AI‑powered abuse. Because every request passes through the router in plaintext, a malicious operator can inject harmful tool calls (e.g., pip install or curl | bash) into responses from coding agents before they reach the client, enabling mid‑flight payload delivery. Alternatively, the router can be used to exfiltrate secrets from request and response bodies, capturing API keys, AWS credentials, GitHub tokens, Ethereum private keys, and system prompts.

LLM Proxy Risks and AI Abuse
The presence of an LLM proxy in these attacks highlights a growing trend: adversaries repurposing large language model infrastructure to facilitate credential theft and automated exploit delivery. By positioning themselves as a trusted gateway to AI services, attackers can manipulate the outputs of code‑completion tools, automated testing frameworks, or DevOps chatbots. This capability not only leaks secrets but also enables the automatic generation of malicious code suggestions that developers might inadvertently accept, further amplifying the supply‑chain risk.

Asurion‑Impersonation Campaign
A separate, sustained npm supply‑chain operation documented by Panther impersonated the insurance provider Asurion and its subsidiaries. Between April 1 and April 8 2026, the attackers published malicious versions of packages such as sbxapps, asurion-hub-web, soluto-home-web, and asurion-core. These packages contained a multi‑stage credential harvester that first exfiltrated data to a Slack webhook and later to an AWS API Gateway endpoint (pbyi76s0e9.execute-api.us-east-1.amazonaws[.]com). By April 7, the AWS endpoint was obfuscated using XOR encoding to evade simple detection. The campaign illustrates how threat actors leverage trusted brand names to lower the perceived risk of installing seemingly legitimate packages.

Wiz’s prt‑scan GitHub Actions Abuse
Google‑owned cloud security firm Wiz detailed an AI‑powered campaign dubbed prt‑scan that has been active since March 11 2026. The threat actor, operating under a series of disposable GitHub accounts (testedbefore, beforetested‑boop, 420tb, 69tf420, elzotebo, ezmtebo), scans for repositories that enable the pull_request_target workflow trigger. Upon finding a target, the attacker forks the repo, creates a branch named prt-scan-{12‑hex‑chars}, injects a malicious payload into a file executed during CI, opens a pull request, and waits for the workflow to run. If npm tokens are discovered in the CI environment, the attacker publishes a poisoned package version. Across more than 450 observed exploit attempts, the success rate was under 10%, with successful hits primarily affecting small hobbyist projects and exposing only ephemeral GitHub credentials. Notably, the campaign rarely yielded persistent cloud or production credentials, indicating that modern CI/CD safeguards—such as required contributor approvals and scoped token permissions—are effective at protecting high‑profile repositories.

Implications and Recommended Mitigations
The convergence of credential‑stealing worms, LLM proxy abuse, and workflow‑trigger exploitation underscores the need for layered defenses across the software development lifecycle. Organizations should:

1. Hardening Developer Environments – Enforce short‑lived, least‑privilege npm and cloud tokens; rotate secrets regularly; and store them in secure secret managers rather than plaintext files.
2. scrutinizing postinstall Scripts – Audit package.json for unexpected postinstall, prepare, or install hooks; employ tools that block or warn against script execution during npm ci.
3. Supply‑Chain Integrity Monitoring – Utilize services like Socket, StepSecurity, or similar scanners that detect anomalous package versions, suspicious dependencies, or known malicious hash signatures.
4. CI/CD Security Controls – Require mandatory approvals for workflows that can access secrets; limit the pull_request_target trigger to trusted contributors; and use environment‑protected secrets with strict access policies.
5. Network and Endpoint Detection – Monitor outbound connections to uncommon domains or ICP canisters; flag large uploads to webhook endpoints; and deploy behavioral detection for unusual credential usage patterns.
6. Developer Awareness – Educate teams on verifying package authenticity, checking publisher reputation, and refusing to install packages with unclear provenance or sudden version bumps.

By combining technical controls with vigilant practices, the open‑source community can reduce the success rate of worms like CanisterSprawl and mitigate the broader risk posed by supply‑chain attacks targeting npm, PyPI, and CI/CD pipelines.