Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens

Security researchers have identified a new self-propagating worm, dubbed CanisterSprawl, that hijacks npm packages to steal developer credentials and spread further. The campaign also targets PyPI and exploits GitHub Actions, highlighting growing risks in the open-source ecosystem.
Cybersecurity researchers have flagged a fresh set of packages that have been compromised by bad actors to deliver a self-propagating worm that spreads through stolen developer npm tokens.
The supply chain worm has been detected by both Socket and StepSecurity, with the companies tracking the activity under the name CanisterSprawl owing to the use of an ICP canister to exfiltrate the stolen data, in a tactic reminiscent of TeamPCP's CanisterWorm to make the infrastructure resilient to takedowns.
The list of affected packages is below -
- @automagik/genie (4.260421.33 - 4.260421.40)
- @fairwords/loopback-connector-es (1.4.3 - 1.4.4)
- @fairwords/websocket (1.0.38 - 1.0.39)
- @openwebconcept/design-tokens (1.0.1 - 1.0.3)
- @openwebconcept/theme-owc (1.0.1 - 1.0.3)
- pgserve (1.1.11 - 1.1.14)
The malware is triggered during install time via a postinstall hook to steal credentials and secrets from developer environments, and then leverage the stolen npm tokens to push poisoned versions of the packages to the registry with a new malicious postinstall hook so as to expand the reach of the campaign.
Captured information includes -
- .npmrc
- SSH keys and SSH configurations
- .git-credentials
- .netrc
- cloud credentials for Amazon Web Services, Google Cloud, and Microsoft Azure
- Kubernetes and Docker configurations
- Terraform, Pulumi, and Vault material
- Database password files
- Local .env* files
- Shell history files
In addition, it attempts to access credentials from Chromium-based web browsers and data associated with cryptocurrency wallet extension apps. The information is exfiltrated to an HTTPS webhook ("telemetry.api-monitor[.]com") and an ICP canister ("cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0[.]io").
"It also contains PyPI propagation logic," Socket said. "The script generates a Python .pth-based payload designed to execute when Python starts, then prepares and uploads malicious Python packages with Twine if the required credentials are present."
"In other words, this is not just a credential stealer. It is designed to turn one compromised developer environment into additional package compromises."
The disclosure comes as JFrog revealed that multiple versions of the legitimate Python package "xinference" (2.6.0, 2.6.1, and 2.6.2) have been compromised to include a Base64-encoded payload that fetches a second-stage collector module responsible for harvesting a wide range of credentials and secrets from the infected host.
Source: The Hacker News














