Full Report
Cybersecurity researchers have flagged a fresh set of packages that have been compromised by bad actors to deliver a self-propagating worm that spreads through stolen developer npm tokens. The supply chain worm has been detected by both Socket and StepSecurity, with the companies tracking the activity under the name CanisterSprawl owing to the use of an ICP canister to exfiltrate the stolen data.
Analysis Summary
# Tool/Technique: CanisterSprawl
## Overview
CanisterSprawl is a self-propagating supply chain worm discovered in April 2026. It targets software developers by hijacking npm and PyPI packages. The malware’s primary objective is to steal highly sensitive developer credentials and then leverage those credentials (specifically npm and Twine tokens) to automatically publish poisoned versions of legitimate packages. This creates a "worm" effect where one compromised environment leads to the infection of countless downstream users and other developer environments.
## Technical Details
- **Type:** Self-propagating Supply Chain Worm / Infostealer
- **Platform:** Cross-platform (Node.js/npm and Python/PyPI environments)
- **Capabilities:** Credential harvesting, automated package republishing, lateral movement across package registries, use of decentralized infrastructure (ICP canisters) for exfiltration.
- **First Seen:** April 2026
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1195.002 - Supply Chain Compromise: Compromise Software Dependencies]
- **[TA0002 - Execution]**
  - [T1106 - Native API]
  - [T1059.006 - Command and Scripting Interpreter: Python]
- **[TA0006 - Credential Access]**
  - [T1555 - Credentials from Password Stores]
  - [T1552 - Unsecured Credentials]
- **[TA0010 - Exfiltration]**
  - [T1041 - Exfiltration Over C2 Channel]
- **[TA0011 - Command and Control]**
  - [T1102 - Web Service]
## Functionality
### Core Capabilities
- **Credential Harvesting:** Aggressively searches for and exfiltrates `.npmrc`, SSH keys, `.git-credentials`, `.netrc`, cloud provider credentials (AWS, Azure, GCP), Kubernetes/Docker configs, and database password files.
- **Environment Hijacking:** Targets local `.env` files and shell history to find secrets.
- **Browser Theft:** Specifically targets Chromium-based browsers and cryptocurrency wallet extensions.
- **NPM Propagation:** Uses stolen `npm` tokens to push malicious versions of packages the developer has access to, using a `postinstall` hook as the execution trigger.
### Advanced Features
- **Cross-Ecosystem Propagation:** Includes logic to jump from npm to PyPI. It generates a Python `.pth`-based payload (which executes automatically on Python startup) and uses `Twine` to upload malicious Python packages if credentials are found.
- **Resilient Infrastructure:** Uses the Internet Computer Protocol (ICP) "canisters" to store exfiltrated data, making the C2 infrastructure harder for traditional authorities to take down compared to standard domains.
## Indicators of Compromise
### File Names
- `.pth` payloads in Python site-packages directories.
- Malicious `postinstall` scripts in `package.json`.
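To hunt for the `.pth` indicator, the following added example (not code from the original report or from Socket/StepSecurity) lists the lines in `.pth` files that Python's `site` module would execute at startup, meaning lines beginning with `import` followed by a space or tab. The function names and the sample directory contents are constructed for illustration.

```python
import os
import tempfile

# Added example; function names are illustrative, sample files are constructed.

def executable_pth_lines(pth_path):
    """Return the lines of a .pth file that site.py would exec() at startup.

    The site module executes any line starting with "import" followed by a
    space or tab; other non-comment lines are only treated as path entries.
    """
    hits = []
    with open(pth_path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if line.startswith(("import ", "import\t")):
                hits.append((lineno, line.rstrip("\n")))
    return hits

def scan_site_dir(site_dir):
    """Map each .pth file in site_dir to its executable lines (if any)."""
    findings = {}
    for name in sorted(os.listdir(site_dir)):
        if name.endswith(".pth"):
            hits = executable_pth_lines(os.path.join(site_dir, name))
            if hits:
                findings[name] = hits
    return findings

def demo():
    """Build a constructed site-packages directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        # Benign: a plain path entry, as written by some editable installs.
        with open(os.path.join(d, "project.pth"), "w") as fh:
            fh.write("/home/dev/src/project\n")
        # Constructed, harmless stand-in for an executable .pth line.
        with open(os.path.join(d, "zz-init.pth"), "w") as fh:
            fh.write("# comment\nimport os; os.environ.get('HOME')\n")
        return scan_site_dir(d)

if __name__ == "__main__":
    for name, hits in demo().items():
        for lineno, text in hits:
            print(f"{name}:{lineno}: {text}")
```

On a real host, call `scan_site_dir` on each directory returned by `site.getsitepackages()` and `site.getusersitepackages()`. Some legitimate packages also ship executable `.pth` lines, so compare findings against a known-good baseline before treating them as malicious.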
### Affected npm Packages (Specific Versions)
- `@automagik/genie` (4.260421.33 - 4.260421.40)
- `@fairwords/loopback-connector-es` (1.4.3 - 1.4.4)
- `@fairwords/websocket` (1.0.38 - 1.0.39)
- `@openwebconcept/design-tokens` (1.0.1 - 1.0.3)
- `@openwebconcept/theme-owc` (1.0.1 - 1.0.3)
- `pgserve` (1.1.11 - 1.1.14)
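The version ranges above can be checked against a project's `package-lock.json`. This added example (not part of the original report) parses a lockfile in the v2/v3 format, reports entries that fall inside the listed ranges, and also lists packages the lockfile flags with `hasInstallScript`. The helper names and the sample lockfile are constructed for illustration.

```python
import json

# Added example (names are illustrative). Ranges copied from the list above, inclusive.
AFFECTED = {
    "@automagik/genie": ("4.260421.33", "4.260421.40"),
    "@fairwords/loopback-connector-es": ("1.4.3", "1.4.4"),
    "@fairwords/websocket": ("1.0.38", "1.0.39"),
    "@openwebconcept/design-tokens": ("1.0.1", "1.0.3"),
    "@openwebconcept/theme-owc": ("1.0.1", "1.0.3"),
    "pgserve": ("1.1.11", "1.1.14"),
}

def vtuple(version):
    """Parse a plain x.y.z version; return None for pre-release or odd forms."""
    try:
        return tuple(int(p) for p in version.split("."))
    except ValueError:
        return None

def scan_lockfile(lock):
    """Return (affected, with_install_scripts) from a parsed lockfile v2/v3."""
    affected, scripted = [], []
    for path, meta in lock.get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # the "" key is the root project itself
        name = path.rsplit("node_modules/", 1)[1]  # handles nested installs
        version = meta.get("version", "")
        if meta.get("hasInstallScript"):
            scripted.append((name, version))
        v = vtuple(version)
        if name in AFFECTED and v is not None:
            low, high = (vtuple(b) for b in AFFECTED[name])
            if low <= v <= high:
                affected.append((name, version))
    return sorted(affected), sorted(scripted)

# Constructed sample lockfile (not from a real project).
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "0.1.0"},
    "node_modules/pgserve": {"version": "1.1.12", "hasInstallScript": true},
    "node_modules/@fairwords/websocket": {"version": "1.0.37"},
    "node_modules/a/node_modules/@openwebconcept/theme-owc": {"version": "1.0.3"}
  }
}""")

if __name__ == "__main__":
    print(scan_lockfile(SAMPLE_LOCK))
```

A hit means an affected version was resolved for the project; any machine or CI runner that installed it should have its npm, PyPI, SSH and cloud credentials rotated.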
### Network Indicators
- `telemetry.api-monitor[.]com` (Webhook exfiltration)
- `cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0[.]io` (ICP Canister exfiltration)
### Behavioral Indicators
- Unexpected `npm publish` or `twine upload` events from developer workstations.
- Scripts accessing sensitive files like `~/.ssh/id_rsa`, `~/.aws/credentials`, or browser profile paths during `npm install`.
## Associated Threat Actors
- While the payload contains comments mentioning **TeamPCP**, the group has publicly disputed involvement, suggesting the work of a **copycat actor** using their tactics.
## Detection Methods
- **Behavioral Detection:** Monitoring for package managers (Node, Python) attempting to read sensitive files outside of their expected scope during installation.
- **Registry Monitoring:** Scanning for sudden, unexpected version jumps in internal or public packages followed by the inclusion of `postinstall` hooks.
- **Network Monitoring:** Alerting on traffic to known ICP (Internet Computer) gateway domains from development environments.
## Mitigation Strategies
- **Token Scoping:** Use granular npm/PyPI tokens (read-only where possible) and implement Two-Factor Authentication (2FA) for all package publishing.
- **Environment Isolation:** Use containers or virtual machines for development to isolate sensitive SSH/Cloud keys from the environment where `npm install` is executed.
- **Disable Postinstall:** Use the `--ignore-scripts` flag when installing untrusted or new packages to prevent hook execution.
- **Secret Management:** Use dedicated secret managers (e.g., HashiCorp Vault) rather than storing credentials in `.env` or configuration files.
## Related Tools/Techniques
- **CanisterWorm:** An earlier variant using ICP canisters for infrastructure.
- **Dependency Hijacking:** The general technique of poisoning upstream dependencies to gain access to downstream environments.