CanisterWorm self-propagation across npm packages
Malware Activity
Summary
Hide ▲
Show ▼
A self-propagating npm supply-chain worm tracked as CanisterSprawl is abusing stolen developer npm tokens to spread through compromised packages. Socket and StepSecurity say the malware uses a postinstall hook to steal secrets, then republishes poisoned versions and exfiltrates data through an ICP canister and telemetry.api-monitor[.]com. The affected packages named in the report include @automagik/genie, @fairwords/loopback-connector-es, @fairwords/websocket, @openwebconcept/design-tokens, @openwebconcept/theme-owc, and pgserve.
Related Happenings
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware Activity
H score30
First: 29.06.2026 08:36
Last: 29.06.2026 08:36
Sources 1
About this happening:
Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware ActivityAbout this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
Malicious npm packages delivering Windows RAT
Malware Activity
H score3
First: 23.06.2026 11:54
Last: 23.06.2026 11:54
Sources 1
About this happening:
A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...
Malicious npm packages delivering Windows RAT
Malware ActivityAbout this happening: A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...
Miasma supply-chain malware activity
Malware Activity
H score34
First: 10.06.2026 23:27
Last: 10.06.2026 23:27
Sources 1
About this happening:
The **Miasma** malware activity is enabling **supply-chain compromise** by stealing **build environment** and **cloud credentials**, then using them to poison legitimate packages...
Miasma supply-chain malware activity
Malware ActivityAbout this happening: The **Miasma** malware activity is enabling **supply-chain compromise** by stealing **build environment** and **cloud credentials**, then using them to poison legitimate packages...
IronWorm npm supply-chain infection and self-propagation
Malware Activity
H score15
First: 04.06.2026 18:25
Last: 04.06.2026 18:25
Sources 1
About this happening:
**IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...
IronWorm npm supply-chain infection and self-propagation
Malware ActivityAbout this happening: **IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...
GlassWorm supply-chain malware activity
Malware Activity
H score22
First: 27.05.2026 14:48
Last: 27.05.2026 14:48
Sources 1
About this happening:
The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...
GlassWorm supply-chain malware activity
Malware ActivityAbout this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...
Timeline
-
21.03.2026 09:28 3 articles · 3mo ago
CanisterWorm self-propagation in npm packages
Initial DisclosureCanisterWorm is a previously undocumented self-propagating worm tied to follow-on activity after the Trivy supply chain attack, with suspected TeamPCP involvement. It has compromised 47 npm packages, uses an ICP canister as a dead drop resolver, spreads through a postinstall hook and stolen npm tokens, establishes persistence with a systemd user service masquerading as PostgreSQL tooling, and a later variant in @teale.io/eslint-config versions 1.8.11 and 1.8.12 self-propagates without manual intervention.
Show sources
- Trivy Supply Chain Attack Triggers Self-Spreading CanisterWorm Across 47 npm Packages — thehackernews.com — 21.03.2026 09:28
- Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper — thehackernews.com — 23.03.2026 10:31
- Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens — thehackernews.com — 22.04.2026 20:33