thehackernews.com 4/22/2026, 6:01:31 PM · via preferred

Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens

Cybersecurity researchers have flagged a new self-propagating supply chain worm that compromises npm packages to harvest developer tokens and credentials, spreading through a postinstall hook that runs whenever an infected package is installed. The campaign, tracked by Socket and StepSecurity under the name CanisterSprawl, exfiltrates stolen data to an Internet Computer (ICP) canister as well as to a conventional webhook, a worm-style redundancy meant to keep its infrastructure resilient against takedowns.

The affected packages include @automagik/genie (4.260421.33–4.260421.40), @fairwords/loopback-connector-es (1.4.3–1.4.4), @fairwords/websocket (1.0.38–1.0.39), @openwebconcept/design-tokens (1.0.1–1.0.3), @openwebconcept/theme-owc (1.0.1–1.0.3) and pgserve (1.1.11–1.1.14).

Once installed, the malware harvests credentials and secrets from the developer environment: .npmrc, SSH keys, .git-credentials, cloud credentials for AWS, Google Cloud and Azure, Kubernetes and Docker configurations, and local environment files. It then uses the stolen npm tokens to publish poisoned versions of the packages the compromised account can publish to, each carrying a fresh postinstall hook, so that every downstream install of those packages spreads the worm further.
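The two facts a practitioner needs from the article are the affected package versions and the install-time hook that drives the spread. The following script is an added example, not code from the article or from Socket or StepSecurity: it scans a package-lock.json (lockfileVersion 2 or 3 layout) for the versions listed above and separately flags any dependency whose manifest declares a preinstall, install or postinstall script, since such a hook is what the worm relies on. The lock file and manifests embedded in it are constructed sample data; the version comparison handles plain dotted numeric versions only.

```javascript
// Added example (not from the article or the researchers' tooling):
// scan a package-lock.json for the CanisterSprawl versions named in the
// article, and flag any dependency whose manifest declares an install-time
// lifecycle script. The lock file and manifests below are constructed samples.

// Affected packages and inclusive version ranges as reported in the article.
const AFFECTED = {
  '@automagik/genie':                 ['4.260421.33', '4.260421.40'],
  '@fairwords/loopback-connector-es': ['1.4.3', '1.4.4'],
  '@fairwords/websocket':             ['1.0.38', '1.0.39'],
  '@openwebconcept/design-tokens':    ['1.0.1', '1.0.3'],
  '@openwebconcept/theme-owc':        ['1.0.1', '1.0.3'],
  'pgserve':                          ['1.1.11', '1.1.14'],
};

// Compare dotted numeric versions (no prerelease handling; enough for the
// ranges above). Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function inRange(version, [lo, hi]) {
  return compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0;
}

// Package name from a lock-file path such as "node_modules/@scope/name"
// or the nested form "node_modules/a/node_modules/b".
function nameFromPath(lockPath) {
  const parts = lockPath.split('node_modules/');
  return parts[parts.length - 1];
}

// Locked packages whose version falls inside a known-bad range.
function findAffected(lock) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // the root project itself
    const name = nameFromPath(lockPath);
    const range = AFFECTED[name];
    if (range && entry.version && inRange(entry.version, range)) {
      hits.push({ name, version: entry.version, path: lockPath });
    }
  }
  return hits;
}

// Dependencies whose manifest declares an install-time script. Install hooks
// are the worm's entry point, so every one of them deserves a look, not only
// the packages on the list above.
function findInstallHooks(manifests) {
  const HOOKS = ['preinstall', 'install', 'postinstall'];
  const out = [];
  for (const [name, pkg] of Object.entries(manifests)) {
    const scripts = pkg.scripts || {};
    for (const hook of HOOKS) {
      if (scripts[hook]) out.push({ name, hook, command: scripts[hook] });
    }
  }
  return out;
}

// Constructed sample lock file: one hit (pgserve 1.1.12), one package just
// below its bad range (design-tokens 1.0.0), one unrelated package.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/pgserve': { version: '1.1.12' },
    'node_modules/@openwebconcept/design-tokens': { version: '1.0.0' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

// Constructed sample manifests (contents of each package's package.json).
const sampleManifests = {
  'pgserve': { scripts: { postinstall: 'node setup.js' } },
  'left-pad': { scripts: { test: 'node test' } },
};

console.log('affected versions:', findAffected(sampleLock));
console.log('install hooks:', findInstallHooks(sampleManifests));
```

Against a real project, replace the two constructed objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and the parsed package.json of each directory under node_modules. Because the hook only fires at install time, setting `ignore-scripts=true` in .npmrc (or passing `--ignore-scripts` to npm) stops this class of payload from running at all; packages that genuinely need a build step can then be handled explicitly.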

Stolen data is exfiltrated to an HTTPS webhook (telemetry[.]api-monitor[.]com) and to the ICP canister (cjn37-uyaaa-aaaac-qgnva-cai[.]raw.icp0[.]io). The malware also attempts to access browser-stored credentials and cryptocurrency wallet data.


Article by CyberSIXT