Multiple npm packages were compromised by a self-propagating worm that steals developer npm tokens and uses them to push poisoned versions of packages back to the registry — creating an autonomous chain of infection.
This is not a one-time credential stealer — it is a self-replicating supply chain weapon. Every compromised developer environment becomes a new vector for further package poisoning, creating exponential spread across the npm ecosystem.
Any team that installed the affected package versions should treat their environment as fully compromised. The worm steals SSH keys, cloud credentials, browser data, crypto wallets, and more — then spreads itself to new packages automatically.
4.260421.33–40 Compromised
loopback-connector-es
1.4.3–1.4.4 Compromised
websocket
1.0.38–1.0.39 Compromised
design-tokens
1.0.1–1.0.3 Compromised
theme-owc
1.0.1–1.0.3 Compromised
1.1.11–1.1.14 Compromised
⚠ All listed versions contain a malicious postinstall hook that triggers the self-propagating worm. Check your lockfiles and CI/CD pipelines immediately.
The malware is triggered during install time via a postinstall hook — a standard npm feature that allows packages to run arbitrary scripts upon installation. Once triggered, the worm systematically harvests credentials and secrets from the developer's environment.
What makes this campaign uniquely dangerous is its self-propagating nature. After stealing npm tokens, the worm uses them to push poisoned versions of the compromised packages back to the registry, each containing a new malicious postinstall hook — creating an autonomous, ever-expanding chain of infection.
Cross-Ecosystem Propagation
The worm also contains PyPI propagation logic. It generates a Python .pth-based payload designed to execute when Python starts, then prepares and uploads malicious Python packages using Twine if credentials are present — extending the attack surface beyond npm into the entire Python ecosystem.
The worm performs an exhaustive sweep of the developer environment, targeting every category of sensitive data imaginable. Captured information is exfiltrated to both an HTTPS webhook and a decentralized ICP canister — a tactic borrowed from TeamPCP's CanisterWorm to make the infrastructure resilient to takedowns.
Decentralized Infrastructure
The use of an ICP canister for exfiltration is significant. Unlike traditional C2 servers that can be seized or blocked, Internet Computer Protocol canisters are hosted on a decentralized blockchain network — making takedown significantly harder and giving attackers persistent, censorship-resistant data collection.
The CanisterSprawl discovery comes alongside a wave of concurrent supply chain attacks targeting both the npm and PyPI ecosystems, revealing a coordinated escalation in open-source supply chain threats.
TeamPCP / Copycat Attribution
Multiple versions of the legitimate Python package "xinference" (2.6.0–2.6.2) were compromised with a Base64-encoded payload bearing the marker "# hacked by teampcp." TeamPCP has disputed responsibility, claiming a copycat. JFrog confirmed the payload harvests credentials from the infected host.
Kubernetes-Themed Malware
Packages "kube-health-tools" (npm) and "kube-node-health" (PyPI) masquerade as Kubernetes utilities but install a Go binary establishing a SOCKS5 proxy, reverse proxy, SFTP server, and an LLM proxy that routes requests through Chinese LLM routers — enabling prompt injection and secret exfiltration.
Sustained npm Impersonation Campaign
Packages impersonating Asurion (sbxapps, asurion-hub-web, soluto-home-web, asurion-core) published April 1–8 contain multi-stage credential harvesters exfiltrating to Slack webhooks and AWS API Gateway endpoints. By April 7, exfiltration URLs were XOR-encoded.
AI-Powered GitHub Actions Exploit
Google/Wiz discovered an AI-powered campaign systematically exploiting "pull_request_target" GitHub Actions triggers since March 11. Over 450 exploit attempts observed with <10% success rate. Attackers fork repos, inject payloads into CI, and steal credentials when workflows trigger.
| Risk Area | Severity | Description |
|---|---|---|
| Self-Propagation | Critical | Stolen npm tokens are used to publish new poisoned versions automatically. One compromised developer can trigger an exponential chain of package compromises. |
| Mass Credential Theft | Critical | SSH keys, cloud credentials (AWS/GCP/Azure), Kubernetes configs, database passwords, .env files, browser data, and crypto wallets are all harvested. |
| Takedown Resistance | Critical | Exfiltration via ICP canister makes the attack infrastructure decentralized and resistant to traditional domain seizure or IP blocking. |
| Cross-Ecosystem Spread | High | PyPI propagation logic means the worm can jump from npm to Python ecosystems if Twine credentials are present — massively expanding the blast radius. |
| LLM Proxy Abuse | High | Related Kubernetes-themed malware deploys LLM proxy routers that can intercept and inject into AI agent requests, enabling supply chain attacks on AI coding assistants. |
| CI/CD Pipeline Exposure | High | GitHub Actions pull_request_target exploits demonstrate that CI/CD workflows remain a viable attack surface at scale, despite low overall success rates. |
--ignore-scripts during installs. Only whitelist scripts from verified packages.