Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens

Cybersecurity researchers have flagged a new set of packages that have been compromised by bad actors to deliver a self-propagating worm that spreads via stolen npm developer tokens.

The supply chain worm was discovered by both Socket and StepSecurity, which are tracking the activity under the name CanisterSprawl because it uses an ICP canister to exfiltrate the stolen data, a trick reminiscent of TeamPCP’s CanisterWorm that makes the infrastructure more resistant to degradation.

The list of affected packages is below –

  • @automagik/genie (4.260421.33 – 4.260421.40)
  • @faiwords/loopback-connector-es (1.4.3 – 1.4.4)
  • @faiwords/websocket (1.0.38 – 1.0.39)
  • @openwebconcept/design-tokens (1.0.1 – 1.0.3)
  • @openwebconcept/theme-owc (1.0.1 – 1.0.3)
  • pgserve (1.1.11 – 1.1.14)

The malware is launched during installation with a background installation hook to steal information and secrets from developer environments, then uses stolen npm tokens to push poisoned versions of packages to the registry with a new malicious installation hook to increase the campaign’s reach.

Captured information includes –

  • .npmrc
  • SSH keys and SSH configuration
  • .git-credentials
  • .netrc
  • Cloud credentials for Amazon Web Services, Google Cloud, and Microsoft Azure
  • Kubernetes and Docker configuration
  • Terraform, Pulumi, and Vault material
  • Database password files
  • Environment files (.env*)
  • Shell history files

In addition, it tries to access credentials from Chromium-based web browsers and data associated with cryptocurrency wallet applications. The information is exfiltrated to an HTTPS webhook (“telemetry.api-monitor[.]com”) and an ICP canister (“cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0[.]io”).

“It also contains the PyPI propagation logic,” Socket said. “The script generates a Python-based .pth payload designed to run when Python starts up, then prepares and loads malicious Python packages with Twine if the required credentials are present.”

“In other words, this isn’t just an authentication hack. It’s designed to turn a vulnerable developer environment into an additional package compromise.”

The disclosure comes as JFrog has revealed that multiple versions of the official Python package “xinference” (2.6.0, 2.6.1, and 2.6.2) have been compromised to include a Base64-encoded payload that downloads a second-stage collector module responsible for harvesting large amounts of credentials and secrets from the infected host.

“The payload opens with the comment ‘# hacked by teampcp,’ the same character tag seen in the latest TeamPCP compromise,” the company said. However, in a post shared on X, TeamPCP denied being behind the compromise and said it was the work of a copycat.

Attacks Target npm and PyPI

The findings are the latest additions to a long list of attacks targeting the open-source ecosystem. This includes two malicious packages, one each on npm (for health-tools) and PyPI (for node-health), which implement Kubernetes services but silently install Go-based binaries to establish a SOCKS5 proxy, a reverse proxy, an SFTP server, and a large language model (LLM) proxy on the victim’s machine.

The LLM proxy is an OpenAI-compatible API gateway that accepts requests and routes them to upstream APIs, including Chinese LLM routers such as shubiaobiao.

“Besides providing cheap access to AI, LLM routers like the ones featured here sit on a trust boundary that is easily abused,” said Aikido Security researcher Ilyas Makari. “Because every request goes through the router in clear text, a malicious operator can […] insert malicious tool calls into the responses of coding agents before they reach the client, introduce malicious piping or wrapping | bash payloads in flight.”

Alternatively, the router can be used to extract secrets from request and response bodies, including API keys, AWS credentials, GitHub tokens, Ethereum private keys, and system information.

Another ongoing npm supply chain attack campaign, documented by Panther, impersonated the phone insurance provider Asurion and its subsidiaries, publishing malicious packages (sbxapps, asurion-hub-web, soluto-home-web, and asurion-core) from April 1 to April 8, 2026, that contain multiple harvesting stages.

The stolen credentials are sent to a Slack webhook and then to an AWS API Gateway endpoint (“pbyi76s0e9.execute-api.us-east-1.amazonaws[.]com”). On April 7, the AWS exfiltration URL was said to have been obfuscated using XOR encoding.

Finally, Google-owned cloud security company Wiz has shed light on an artificial intelligence (AI) campaign called prt-scan that has systematically abused the “pull_request_target” GitHub Actions workflow trigger since March 11, 2026, to steal developer secrets.

The attacker, operating under pre-screened accounts, pre-screened boop, 420tb, 69tf420, elzotebo, and ezmtebo, was found to search for repositories using the trigger, fork those repositories, create a branch with a predefined naming pattern (i.e., prt-scan-{12-chars}) that includes a malicious file executed during CI, open a pull request, then steal developer credentials when the workflow runs and publish a malicious package version when npm tokens are obtained.

“Out of over 450 exploit attempts analyzed, we saw a success rate of <10%,” Wiz researchers said. “In most cases, successful attacks were against small hobbyist projects, and only exposed GitHub’s ephemeral workflow credentials. For the most part, this campaign did not give the attacker access to production infrastructure, cloud credentials, or persistent API keys, barring a few exceptions.”

“The campaign shows that while the pull_request_target vulnerability is still highly exploitable, modern CI/CD security practices, particularly donor authorization requirements, are effective in protecting high-profile repositories.”
