Find notable cyber news and cases, enriched with sources, timelines, and signals.

CanisterWorm self-propagation across npm packages

Malware Activity
First reported
Last updated
Happening score
H score 23
1 unique sources, 3 articles

Summary

Hide ▲

A self-propagating npm supply-chain worm tracked as CanisterSprawl is abusing stolen developer npm tokens to spread through compromised packages. Socket and StepSecurity say the malware uses a postinstall hook to steal secrets, then republishes poisoned versions and exfiltrates data through an ICP canister and telemetry.api-monitor[.]com. The affected packages named in the report include @automagik/genie, @fairwords/loopback-connector-es, @fairwords/websocket, @openwebconcept/design-tokens, @openwebconcept/theme-owc, and pgserve.

Related Happenings

Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks

Malware Activity
H score30 First: 29.06.2026 08:36 Last: 29.06.2026 08:36 Sources 1

About this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...

Malicious npm packages delivering Windows RAT

Malware Activity
H score3 First: 23.06.2026 11:54 Last: 23.06.2026 11:54 Sources 1

About this happening: A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...

Miasma supply-chain malware activity

Malware Activity
H score34 First: 10.06.2026 23:27 Last: 10.06.2026 23:27 Sources 1

About this happening: The **Miasma** malware activity is enabling **supply-chain compromise** by stealing **build environment** and **cloud credentials**, then using them to poison legitimate packages...

IronWorm npm supply-chain infection and self-propagation

Malware Activity
H score15 First: 04.06.2026 18:25 Last: 04.06.2026 18:25 Sources 1

About this happening: **IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...

GlassWorm supply-chain malware activity

Malware Activity
H score22 First: 27.05.2026 14:48 Last: 27.05.2026 14:48 Sources 1

About this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...

Timeline

  1. 21.03.2026 09:28 3 articles · 3mo ago

    CanisterWorm self-propagation in npm packages

    Initial Disclosure

    CanisterWorm is a previously undocumented self-propagating worm tied to follow-on activity after the Trivy supply chain attack, with suspected TeamPCP involvement. It has compromised 47 npm packages, uses an ICP canister as a dead drop resolver, spreads through a postinstall hook and stolen npm tokens, establishes persistence with a systemd user service masquerading as PostgreSQL tooling, and a later variant in @teale.io/eslint-config versions 1.8.11 and 1.8.12 self-propagates without manual intervention.

    Show sources