Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens

A self-propagating supply chain worm called CanisterSprawl has compromised multiple npm packages through stolen developer tokens and credentials.

• •Malware triggers during npm package installation via postinstall hooks to steal .npmrc files, SSH keys, git credentials, cloud provider tokens, and infrastructure configuration files
• •Stolen npm tokens are leveraged to push poisoned package versions with new malicious hooks, creating a self-replicating attack mechanism across the ecosystem
• •The campaign includes PyPI propagation capability designed to compromise multiple package managers from a single infected developer environment
• •Related attacks used malicious Kubernetes utility packages to establish LLM proxies that intercept and modify API requests in transit
• •