CanisterWorm self-propagation across npm packages
Malware Activity
Summary
A self-propagating npm supply-chain worm tracked as CanisterSprawl is abusing stolen developer npm tokens to spread through compromised packages. Socket and StepSecurity say the malware uses a postinstall hook to steal secrets, then republishes poisoned versions and exfiltrates data through an ICP canister and telemetry.api-monitor[.]com. The affected packages named in the report include @automagik/genie, @fairwords/loopback-connector-es, @fairwords/websocket, @openwebconcept/design-tokens, @openwebconcept/theme-owc, and pgserve.
Related Happenings
GlassWorm supply-chain malware activity
Malware Activity
First: 27.05.2026 14:48
Last: 27.05.2026 14:48
Sources 1
About this happening:
The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...
TrapDoor trap-core.js credential-stealing package malware
Malware Activity
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources 1
About this happening:
The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...
Shai-Hulud worm clone activity on NPM
Malware Activity
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware Activity
First: 18.05.2026 11:57
Last: 18.05.2026 11:57
Sources 1
About this happening:
Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
Inactive maintainer account 'atiertant' hit by network compromise
Incident
First: 15.05.2026 20:10
Last: 15.05.2026 20:10
Sources 1
About this happening:
The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...
Timeline
21.03.2026 09:28 3 articles · 2mo ago
CanisterWorm self-propagation in npm packages
Initial Disclosure
CanisterWorm is a previously undocumented self-propagating worm tied to follow-on activity after the Trivy supply chain attack, with suspected TeamPCP involvement. It has compromised 47 npm packages, uses an ICP canister as a dead drop resolver, spreads through a postinstall hook and stolen npm tokens, and establishes persistence with a systemd user service masquerading as PostgreSQL tooling. A later variant in @teale.io/eslint-config versions 1.8.11 and 1.8.12 self-propagates without manual intervention.
Sources:
- Trivy Supply Chain Attack Triggers Self-Spreading CanisterWorm Across 47 npm Packages — thehackernews.com — 21.03.2026 09:28
- Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper — thehackernews.com — 23.03.2026 10:31
- Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens — thehackernews.com — 22.04.2026 20:33