
Cybersecurity researchers have flagged a new set of packages that have been compromised by malicious parties to distribute a self-propagating worm that spreads through stolen developer npm tokens.
The supply chain worm has been detected by both Socket and StepSecurity, which are tracking the activity under the name CanisterSprawl because it used ICP canisters to exfiltrate stolen data, a tactic reminiscent of TeamPCP’s CanisterWorm and intended to increase infrastructure resiliency.
The list of affected packages is below:
- @automagik/genie (4.260421.33 – 4.260421.40)
- @fairwords/loopback-connector-es (1.4.3 – 1.4.4)
- @fairwords/websocket (1.0.38 – 1.0.39)
- @openwebconcept/design-tokens (1.0.1 – 1.0.3)
- @openwebconcept/theme-owc (1.0.1 – 1.0.3)
- pgserve (1.1.11 – 1.1.14)
The malware is triggered during installation via a post-installation hook and steals credentials and secrets from the developer environment. The stolen npm tokens are then leveraged to expand the scope of the campaign by pushing tainted versions of packages to the registry using new malicious post-install hooks.
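As an added example (not code from Socket, StepSecurity or the affected projects), the following checks a parsed package-lock.json against the version ranges listed above and reports whether each hit declares an install script. It assumes the lockfileVersion 2/3 layout with a top-level "packages" map; the sample lockfile is constructed.

```python
import json

# Affected ranges copied from the list above: name -> (first, last), inclusive.
AFFECTED = {
    "@automagik/genie": ("4.260421.33", "4.260421.40"),
    "@fairwords/loopback-connector-es": ("1.4.3", "1.4.4"),
    "@fairwords/websocket": ("1.0.38", "1.0.39"),
    "@openwebconcept/design-tokens": ("1.0.1", "1.0.3"),
    "@openwebconcept/theme-owc": ("1.0.1", "1.0.3"),
    "pgserve": ("1.1.11", "1.1.14"),
}

def _key(version):
    """Turn 'X.Y.Z' into a comparable tuple; pre-release/build suffixes are ignored."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))

def find_affected(lock):
    """Return sorted (path, name, version, has_install_script) for flagged entries."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # skip the "" root project entry and workspace folders
        name = path.rsplit("node_modules/", 1)[1]  # also resolves nested installs
        version = meta.get("version")
        if name not in AFFECTED or not version:
            continue
        low, high = AFFECTED[name]
        try:
            bad = _key(low) <= _key(version) <= _key(high)
        except ValueError:
            bad = True  # unparseable version of a listed package: review by hand
        if bad:
            hits.append((path, name, version, bool(meta.get("hasInstallScript"))))
    return sorted(hits)

# Constructed lockfile fragment for illustration, not real project data.
SAMPLE_LOCK = json.loads("""{"lockfileVersion": 3, "packages": {
  "": {"name": "demo-app", "version": "1.0.0"},
  "node_modules/pgserve": {"version": "1.1.12", "hasInstallScript": true},
  "node_modules/@fairwords/websocket": {"version": "1.0.37"},
  "node_modules/foo/node_modules/@automagik/genie": {"version": "4.260421.40", "hasInstallScript": true}
}}""")

if __name__ == "__main__":
    for hit in find_affected(SAMPLE_LOCK):
        print(hit)
```

To audit a real project, pass `json.load(open("package-lock.json"))` to `find_affected`.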
Information captured includes:
- .npmrc
- SSH keys and SSH configuration
- .git-credentials
- .netrc
- Cloud credentials for Amazon Web Services, Google Cloud, and Microsoft Azure
- Kubernetes and Docker configuration
- Terraform, Pulumi, and Vault materials
- Database password files
- Local .env* files
- Shell history files
It also attempts to access credentials and data associated with cryptocurrency wallet extensions in Chromium-based web browsers. The information is exfiltrated to an HTTPS webhook (“telemetry.api-monitor[.]com”) and an ICP canister (“cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0[.]io”).
“It also includes PyPI propagation logic,” Socket said. “This script generates a Python .pth-based payload designed to run on Python startup and, if the necessary credentials are present, uses Twine to prepare and upload a malicious Python package.”
“In other words, this is more than just credential theft. It’s designed to turn one compromised development environment into a compromise of additional packages.”
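Because a .pth payload runs on every interpreter start, site-packages is worth auditing after any suspected compromise. The following added example (not Socket's code or the malware's) lists the lines in .pth files that Python would execute at startup and marks those matching a heuristic token list chosen for this example; the sample files are constructed and written only to a temporary directory.

```python
import os
import re
import site
import tempfile

# Heuristic tokens (chosen for this example) that rarely belong in a .pth import line.
SUSPICIOUS = re.compile(r"base64|exec\(|eval\(|subprocess|urllib|socket|os\.system")

def audit_pth(site_dir):
    """Return (file, line_no, suspicious, text) for each line in site_dir's .pth
    files that the interpreter would execute at startup."""
    findings = []
    for name in sorted(os.listdir(site_dir)):
        if not name.endswith(".pth"):
            continue
        path = os.path.join(site_dir, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            for no, line in enumerate(fh, 1):
                # site.py executes only lines that start with "import" followed by
                # a space or tab; other non-comment lines are added to sys.path.
                if line.startswith(("import ", "import\t")):
                    text = line.rstrip("\r\n")
                    findings.append((name, no, bool(SUSPICIOUS.search(text)), text[:120]))
    return findings

def demo():
    """Audit a constructed site-packages directory (sample files, not real malware)."""
    samples = {
        "paths.pth": "/opt/vendor/lib\n",
        "_virtualenv.pth": "import _virtualenv\n",
        "zz_update.pth": "# constructed sample\n"
                         "import base64; exec(base64.b64decode('PLACEHOLDER'))\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_pth(d)

if __name__ == "__main__":
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    for d in filter(os.path.isdir, dirs):
        for finding in audit_pth(d):
            print(d, *finding)
```

Legitimate tools such as virtualenv also ship executable .pth lines, so the unflagged findings are a baseline to compare against rather than noise to discard.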
This disclosure comes after JFrog revealed that multiple versions of the legitimate Python package ‘xinference’ (2.6.0, 2.6.1, and 2.6.2) were compromised and contained a Base64-encoded payload that retrieved a second-stage collector module responsible for collecting a wide range of credentials and sensitive information from infected hosts.
“The decoded payload begins with the comment ‘hacked by #teampcp,’ the same attacker marker seen in the recent TeamPCP breach,” the company said. However, in a post shared on X, TeamPCP disputed that they were behind the compromise and claimed that it was the work of copycats.
Attacks targeting npm and PyPI
This finding is the latest addition to a long list of attacks targeting the open source ecosystem. The list includes two malicious packages, one on npm (kube-health-tools) and one on PyPI (kube-node-health), that pose as Kubernetes utilities but silently install Go-based binaries to establish SOCKS5 proxies, reverse proxies, SFTP servers, and large language model (LLM) proxies on victim machines.
The LLM proxy is an OpenAI-compatible API gateway that accepts requests and routes them to upstream APIs, including Chinese LLM routers such as shubiaobiao.
“In addition to providing cheap access to AI, LLM routers like the one deployed here sit on a trust boundary that can be easily exploited,” said Aikido security researcher Ilyas Makari. “Since all requests pass through the router in clear text, malicious operators […] inject a malicious tool call into the coding agent’s response and introduce a malicious pip install or curl before the coding agent reaches the client. bash the payload during flight.”
Alternatively, the operator can use the router to extract secrets such as API keys, AWS credentials, GitHub tokens, Ethereum private keys, and system prompts from the request and response bodies.
Another sustained npm supply chain attack campaign documented by Panther impersonated phone insurance provider Asurion and its subsidiaries and published malicious packages (sbxapps, asurion-hub-web, soluto-home-web, and asurion-core) containing multi-stage credential harvesters from April 1, 2026 to April 8, 2026.
The stolen credentials were first exfiltrated to a Slack webhook and then to an AWS API Gateway endpoint (“pbyi76s0e9.execute-api.us-east-1.amazonaws[.]com”). By April 7th, the AWS exfiltration URLs were said to have been obfuscated using XOR encoding.
Last but not least, Google-owned cloud security company Wiz has shed light on an artificial intelligence (AI)-powered campaign known as prt-scan that has systematically abused the GitHub Actions workflow trigger “pull_request_target” to steal developer secrets since March 11, 2026.
The attackers, operating under the accounts testedbefore, beforetested-boop, 420tb, 69tf420, elzotebo, and ezmtebo, were found to search for repositories that use the trigger, fork those repositories, create a branch with a predefined naming convention (i.e., prt-scan-{12-hex-chars}), inject a malicious payload into a file executed during CI, and open a pull request. When the workflow is triggered, the payload steals developer credentials and, if an npm token is found, publishes a malicious package version.
“Across the 450+ exploit attempts analyzed, we observed a success rate of less than 10%,” Wiz researchers said. “In most cases, the successful attacks were against small hobby projects and only exposed temporary GitHub credentials for workflows. In most cases, the campaigns did not give the attackers access to production infrastructure, cloud credentials, or permanent API keys, with few exceptions.”
“This campaign shows that while the pull_request_target vulnerability remains exploitable at scale, modern CI/CD security practices, particularly poster approval requirements, are effective in protecting high-profile repositories.”
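For maintainers triaging their own repositories, the added example below (not Wiz's tooling) matches pull request head branches against the reported prt-scan-{12-hex-chars} convention and grades workflow files by whether a pull_request_target trigger is combined with use of the pull request head. The text heuristics and the sample workflows are constructed for this example and do not replace a real YAML parser.

```python
import re

# Branch convention reported above for the campaign: prt-scan-{12-hex-chars}.
PRT_BRANCH = re.compile(r"prt-scan-[0-9a-fA-F]{12}")
# Heuristic (chosen for this example): expressions that resolve to PR-controlled code.
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|refs/pull/")

def is_prt_scan_branch(ref):
    """True for 'prt-scan-<12 hex>', with or without 'refs/heads/' or 'owner:' prefix."""
    return bool(PRT_BRANCH.fullmatch(re.split(r"[:/]", ref)[-1]))

def workflow_risk(yaml_text):
    """Classify a workflow file: 'none', 'review' (privileged trigger only) or
    'high' (privileged trigger plus checkout/use of the pull request head)."""
    # Drop YAML comments so a commented-out trigger is not counted.
    code = "\n".join(line.split("#", 1)[0] for line in yaml_text.splitlines())
    if not re.search(r"\bpull_request_target\b", code):
        return "none"
    return "high" if PR_HEAD.search(code) else "review"

def triage(workflows, pr_heads):
    """Return ({workflow name: risk}, [matching PR head refs])."""
    risks = {name: workflow_risk(text) for name, text in workflows.items()}
    return risks, [ref for ref in pr_heads if is_prt_scan_branch(ref)]

# Constructed workflow files, not taken from any affected repository.
WORKFLOWS = {
    "ci.yml": "on: [pull_request]  # not pull_request_target\n"
              "jobs:\n  test:\n    steps:\n      - uses: actions/checkout@v4\n",
    "labeler.yml": "on:\n  pull_request_target:\n"
                   "jobs:\n  label:\n    steps:\n      - uses: actions/labeler@v5\n",
    "pr-test.yml": "on:\n  pull_request_target:\n"
                   "jobs:\n  test:\n    steps:\n      - uses: actions/checkout@v4\n"
                   "        with:\n          ref: ${{ github.event.pull_request.head.sha }}\n"
                   "      - run: npm ci && npm test\n",
}
# Constructed head refs as they might appear in a pull request listing.
PR_HEADS = ["someuser:prt-scan-0a1b2c3d4e5f", "dependabot/npm/lodash-4.17.21",
            "refs/heads/prt-scan-0a1b2c3d4e5"]

if __name__ == "__main__":
    print(triage(WORKFLOWS, PR_HEADS))
```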
