Npm package ecosystem CanisterWorm exploitation wave
Exploitation Wave
Summary
Hide ▲
Show ▼
Attackers expanded the Trivy compromise into a self-propagating CanisterWorm wave that hit dozens of npm packages, creating broad downstream supply-chain risk. The abuse used stolen data and widened the blast radius beyond the original compromise. The activity was reported in March 2026 and affected the npm package ecosystem.
Related Happenings
Miasma self-replicating supply chain attack campaign targeting open-source repositories
Campaign
H score83
First: 06.06.2026 09:58
Last: 06.06.2026 09:58
Sources 1
About this happening:
The **Miasma** self-replicating supply-chain campaign has reached **73 Microsoft repositories** across **Azure**, **Azure-Samples**, **Microsoft**, and **MicrosoftDocs** on **GitH...
Miasma self-replicating supply chain attack campaign targeting open-source repositories
CampaignAbout this happening: The **Miasma** self-replicating supply-chain campaign has reached **73 Microsoft repositories** across **Azure**, **Azure-Samples**, **Microsoft**, and **MicrosoftDocs** on **GitH...
IronWorm npm supply-chain infection and self-propagation
Malware Activity
H score15
First: 04.06.2026 18:25
Last: 04.06.2026 18:25
Sources 1
About this happening:
**IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...
IronWorm npm supply-chain infection and self-propagation
Malware ActivityAbout this happening: **IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...
Miasma GitHub and npm supply-chain campaign
Campaign
H score26
First: 02.06.2026 00:38
Last: 02.06.2026 00:38
Sources 1
About this happening:
The **Miasma** supply-chain campaign has expanded into **npm** and the **Go ecosystem**, with **malicious npm releases** affecting **LeoPlatform** and **RStreams** packages and a...
Miasma GitHub and npm supply-chain campaign
CampaignAbout this happening: The **Miasma** supply-chain campaign has expanded into **npm** and the **Go ecosystem**, with **malicious npm releases** affecting **LeoPlatform** and **RStreams** packages and a...
Latest development: 05.06.2026 21:05
A new Miasma wave is linked to 57 compromised npm packages across more than 286 malicious versions, with malicious installs abusing a 157-byte binding.gyp file for code execution during npm install and then staging additional payloads that inject persistent backdoor files into project repositories and target AI-assisted IDE workflows.
Vpmdhaj npm preinstall credential-harvest campaign
Campaign
H score40
First: 29.05.2026 12:11
Last: 29.05.2026 12:11
Sources 1
About this happening:
A new **vpmdhaj** supply-chain campaign has surfaced in **14 malicious npm packages** that use a **preinstall credential harvester** to steal **AWS credentials**, **HashiCorp Vaul...
Vpmdhaj npm preinstall credential-harvest campaign
CampaignAbout this happening: A new **vpmdhaj** supply-chain campaign has surfaced in **14 malicious npm packages** that use a **preinstall credential harvester** to steal **AWS credentials**, **HashiCorp Vaul...
TeamPCP supply-chain ecosystem shift and extortion partnerships
Threat Actor Meta
H score15
First: 22.05.2026 14:55
Last: 22.05.2026 14:55
Sources 1
About this happening:
**TeamPCP** has expanded its supply-chain abuse model across open-source ecosystems, raising the risk of downstream compromise and extortion at scale. The group has **corrupted hu...
TeamPCP supply-chain ecosystem shift and extortion partnerships
Threat Actor MetaAbout this happening: **TeamPCP** has expanded its supply-chain abuse model across open-source ecosystems, raising the risk of downstream compromise and extortion at scale. The group has **corrupted hu...
Timeline
-
23.03.2026 10:31 2 articles · 3mo ago
CanisterWorm spreads through compromised npm packages
Campaign Scope UpdateAttackers leveraged stolen data from the Trivy compromise to compromise dozens of npm packages and distribute the self-propagating CanisterWorm worm, widening supply-chain risk across developer environments that depend on npm.
Show sources
- Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper — thehackernews.com — 23.03.2026 10:31
- Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper — thehackernews.com — 23.03.2026 10:31