Find notable cyber news and cases, enriched with sources, timelines, and signals.

Npm package ecosystem CanisterWorm exploitation wave

Exploitation Wave
First reported
Last updated
Happening score
H score 28
1 unique sources, 1 articles

Summary

Hide ▲

Attackers expanded the Trivy compromise into a self-propagating CanisterWorm wave that hit dozens of npm packages, creating broad downstream supply-chain risk. The abuse used stolen data and widened the blast radius beyond the original compromise. The activity was reported in March 2026 and affected the npm package ecosystem.

Related Happenings

Miasma self-replicating supply chain attack campaign targeting open-source repositories

Campaign
H score83 First: 06.06.2026 09:58 Last: 06.06.2026 09:58 Sources 1

About this happening: The **Miasma** self-replicating supply-chain campaign has reached **73 Microsoft repositories** across **Azure**, **Azure-Samples**, **Microsoft**, and **MicrosoftDocs** on **GitH...

IronWorm npm supply-chain infection and self-propagation

Malware Activity
H score15 First: 04.06.2026 18:25 Last: 04.06.2026 18:25 Sources 1

About this happening: **IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...

Miasma GitHub and npm supply-chain campaign

Campaign
H score26 First: 02.06.2026 00:38 Last: 02.06.2026 00:38 Sources 1

About this happening: The **Miasma** supply-chain campaign has expanded into **npm** and the **Go ecosystem**, with **malicious npm releases** affecting **LeoPlatform** and **RStreams** packages and a...

Latest development: 05.06.2026 21:05

A new Miasma wave is linked to 57 compromised npm packages across more than 286 malicious versions, with malicious installs abusing a 157-byte binding.gyp file for code execution during npm install and then staging additional payloads that inject persistent backdoor files into project repositories and target AI-assisted IDE workflows.

Vpmdhaj npm preinstall credential-harvest campaign

Campaign
H score40 First: 29.05.2026 12:11 Last: 29.05.2026 12:11 Sources 1

About this happening: A new **vpmdhaj** supply-chain campaign has surfaced in **14 malicious npm packages** that use a **preinstall credential harvester** to steal **AWS credentials**, **HashiCorp Vaul...

TeamPCP supply-chain ecosystem shift and extortion partnerships

Threat Actor Meta
H score15 First: 22.05.2026 14:55 Last: 22.05.2026 14:55 Sources 1

About this happening: **TeamPCP** has expanded its supply-chain abuse model across open-source ecosystems, raising the risk of downstream compromise and extortion at scale. The group has **corrupted hu...

Timeline

  1. 23.03.2026 10:31 2 articles · 3mo ago

    CanisterWorm spreads through compromised npm packages

    Campaign Scope Update

    Attackers leveraged stolen data from the Trivy compromise to compromise dozens of npm packages and distribute the self-propagating CanisterWorm worm, widening supply-chain risk across developer environments that depend on npm.

    Show sources