
Npm package ecosystem CanisterWorm exploitation wave

Type: Exploitation Wave
Happening score: 28
1 unique source, 1 article

Summary


Attackers expanded the Trivy compromise into a self-propagating CanisterWorm wave that hit dozens of npm packages, creating broad downstream supply-chain risk. Data stolen in the Trivy compromise was used to take over further packages, widening the blast radius well beyond the original compromise. The activity was reported in March 2026 and affected the npm package ecosystem.

Related Happenings

TeamPCP supply-chain ecosystem shift and extortion partnerships

Threat Actor Meta
First: 22.05.2026 14:55 Last: 22.05.2026 14:55 Sources 1

About this happening: **TeamPCP** has expanded its supply-chain abuse model across open-source ecosystems, raising the risk of downstream compromise and extortion at scale. The group has **corrupted hu...

TeamPCP opens its offensive framework to copycat supply-chain attackers

Threat Actor Meta
First: 19.05.2026 07:54 Last: 19.05.2026 07:54 Sources 1

About this happening: **TeamPCP** has started distributing its **offensive framework source code**, turning a single supply-chain operation into reusable tradecraft that other threat actors can adopt....

BufferZoneCorp sleeper-package supply chain campaign

Campaign
First: 01.05.2026 12:43 Last: 01.05.2026 12:43 Sources 1

About this happening: The **BufferZoneCorp** software supply chain campaign is pushing **malicious Ruby gems and Go modules** that can steal credentials, tamper with **GitHub Actions**, and persist on...

RoshniNaveenaS's account hit by network compromise

Incident
First: 29.04.2026 19:26 Last: 29.04.2026 19:26 Sources 1

About this happening: The **RoshniNaveenaS** account was **compromised**, enabling attackers to publish malicious **@cap-js** releases without provenance and putting downstream **npm** consumers at ris...

Axios JavaScript NPM package hit by network compromise

Incident
First: 31.03.2026 23:55 Last: 31.03.2026 23:55 Sources 1

About this happening: **Axios** suffered a **supply-chain compromise** after malicious versions were published to **NPM**, creating a high-risk exposure for developers and downstream consumers. The mal...

Latest development: 13.04.2026 20:39

OpenAI is revoking and rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow executed compromised Axios version 1.14.1 during the March 31, 2026 supply chain attack. The certificate was used to sign OpenAI macOS apps including ChatGPT Desktop, Codex, Codex CLI, and Atlas, and macOS users must update to versions signed with the new certificate before the old certificate is fully revoked on May 8, 2026.
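The practical check a downstream consumer wants after an incident like this is whether any lockfile in their repositories resolves to the compromised release. The script below is an added example, not code from the page or from any of the projects it names: it walks a package-lock.json and flags every occurrence of a package whose resolved version is on a known-bad list. Only axios 1.14.1 is named on this page, so that is the single entry; the lockfile contents are constructed for the example, and the handling of lockfile v1 (nested "dependencies") versus v2/v3 (flat "packages" map) is an assumption about the npm format, not something the page states.

```python
import json

# Constructed sample (not from the page): a lockfileVersion 3 file with one
# direct axios dependency and one nested, hoisted-away copy under another package.
SAMPLE_LOCKFILE_V3 = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {
            "version": "1.14.1",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz",
        },
        "node_modules/some-lib": {"version": "2.0.0"},
        "node_modules/some-lib/node_modules/axios": {"version": "1.13.0"},
    },
})

# Constructed sample (not from the page): the same situation in lockfileVersion 1,
# where transitive dependencies are nested instead of listed flat.
SAMPLE_LOCKFILE_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "some-lib": {
            "version": "2.0.0",
            "dependencies": {"axios": {"version": "1.14.1"}},
        },
    },
})

# Known-bad releases. axios 1.14.1 is the only version this page identifies;
# extend the map from an advisory, not from memory.
BAD_VERSIONS = {"axios": {"1.14.1"}}


def package_name_from_path(path):
    """Map a 'packages' key to its package name.

    'node_modules/axios'                         -> 'axios'
    'node_modules/@scope/pkg'                    -> '@scope/pkg'
    'node_modules/a/node_modules/b'              -> 'b'
    ''  (the root project entry)                 -> None
    """
    name = path.split("node_modules/")[-1].rstrip("/")
    return name or None


def flatten_v1(deps, prefix):
    """Turn a lockfile v1 nested 'dependencies' tree into v3-style path keys."""
    flat = {}
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        flat[path] = {"version": meta.get("version")}
        flat.update(flatten_v1(meta.get("dependencies", {}), path + "/"))
    return flat


def find_bad_packages(lockfile_text, bad_versions=BAD_VERSIONS):
    """Return sorted (path, name, version) triples for every bad resolved version.

    Every install location is reported, including copies nested under other
    packages, because each one is a separate copy that runs at install/build time.
    """
    lock = json.loads(lockfile_text)
    packages = lock.get("packages")
    if packages is None:  # lockfileVersion 1 has no flat 'packages' map
        packages = flatten_v1(lock.get("dependencies", {}), "")
    findings = []
    for path, meta in packages.items():
        name = package_name_from_path(path)
        if name is None:
            continue
        version = meta.get("version")
        if version in bad_versions.get(name, ()):
            findings.append((path, name, version))
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("v3", SAMPLE_LOCKFILE_V3), ("v1", SAMPLE_LOCKFILE_V1)):
        for path, name, version in find_bad_packages(text):
            print(f"[{label}] {name}@{version} resolved at {path}")
```

Run it against every package-lock.json in a checkout (CI workflows included, since the OpenAI case above was a GitHub Actions job that pulled the bad release). A clean result only says the lockfile does not pin the bad version; a job that runs `npm install` without `--ci` or with a floating range can still resolve to it unless the registry has since pulled the release.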

Timeline

  1. 23.03.2026 10:31 · 2 articles

    CanisterWorm spreads through compromised npm packages

    Campaign Scope Update

    Attackers used data stolen in the Trivy compromise to take over dozens of npm packages and distribute the self-propagating CanisterWorm, widening supply-chain risk across developer environments that depend on npm.
