{"id":681,"date":"2026-04-22T17:59:47","date_gmt":"2026-04-22T17:59:47","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=681"},"modified":"2026-04-22T17:59:47","modified_gmt":"2026-04-22T17:59:47","slug":"self-propagating-supply-chain-worm-hijacks-npm-packages-to-steal-developer-tokens","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=681","title":{"rendered":"Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens"},"content":{"rendered":"<div id=\"articlebody\">\n<p>Cybersecurity researchers have flagged a fresh set of packages that have been compromised by bad actors to deliver a self-propagating worm that spreads through stolen developer npm tokens.<\/p>\n<p>The supply chain worm has been detected by both <a href=\"https:\/\/socket.dev\/blog\/namastex-npm-packages-compromised-canisterworm\">Socket<\/a> and <a href=\"https:\/\/www.stepsecurity.io\/blog\/pgserve-compromised-on-npm-malicious-versions-harvest-credentials\">StepSecurity<\/a>, with the companies tracking the activity under the name <strong><a href=\"https:\/\/socket.dev\/supply-chain-attacks\/canistersprawl\">CanisterSprawl<\/a><\/strong> owing to the use of an <a href=\"https:\/\/dashboard.internetcomputer.org\/canister\/cjn37-uyaaa-aaaac-qgnva-cai\">ICP canister<\/a> to exfiltrate the stolen data, in a tactic reminiscent of TeamPCP&#8217;s CanisterWorm to make the infrastructure resilient to takedowns.<\/p>\n<p>The list of affected packages is below &#8211;<\/p>\n<ul>\n<li>@automagik\/genie (4.260421.33 &#8211; 
4.260421.40)<\/li>\n<li>@fairwords\/loopback-connector-es (1.4.3 &#8211; 1.4.4)<\/li>\n<li>@fairwords\/websocket (1.0.38 &#8211; 1.0.39)<\/li>\n<li>@openwebconcept\/design-tokens (1.0.1 &#8211; 1.0.3)<\/li>\n<li>@openwebconcept\/theme-owc (1.0.1 &#8211; 1.0.3)<\/li>\n<li>pgserve (1.1.11 &#8211; 1.1.14)<\/li>\n<\/ul>\n<p>The malware is triggered during install time via a postinstall hook to steal credentials and secrets from developer environments, and then leverage the stolen npm tokens to push poisoned versions of the packages to the registry with a new malicious postinstall hook so as to expand the reach of the campaign.<\/p>\n<p>Captured information includes &#8211;<\/p>\n<ul>\n<li>.npmrc<\/li>\n<li>SSH keys and SSH configurations<\/li>\n<li>.git-credentials<\/li>\n<li>.netrc<\/li>\n<li>cloud credentials for Amazon Web Services, Google Cloud, and Microsoft Azure<\/li>\n<li>Kubernetes and Docker configurations<\/li>\n<li>Terraform, Pulumi, and Vault material<\/li>\n<li>Database password files<\/li>\n<li>Local .env* files<\/li>\n<li>Shell history files<\/li>\n<\/ul>\n<p>In addition, it attempts to access credentials from Chromium-based web browsers and data associated with cryptocurrency wallet extension apps. 
The information is exfiltrated to an HTTPS webhook (\u00abtelemetry.api-monitor[.]com\u00bb) and an ICP canister (\u00abcjn37-uyaaa-aaaac-qgnva-cai.raw.icp0[.]io\u00bb).<\/p>\n<p>\u00abIt also contains PyPI propagation logic,\u00bb Socket said. \u00abThe script generates a Python .pth-based payload designed to execute when Python starts, then prepares and uploads malicious Python packages with Twine if the required credentials are present.\u00bb<\/p>\n<p>\u00abIn other words, this is not just a credential stealer. It is designed to turn one compromised developer environment into additional package compromises.\u00bb<\/p>\n<p>The disclosure comes as JFrog revealed that multiple versions of the legitimate Python package \u00abxinference\u00bb (2.6.0, 2.6.1, and 2.6.2) have been compromised to include a Base64-encoded payload that fetches a second-stage collector module responsible for harvesting a wide range of credentials and secrets from the infected host.<\/p>\n<p>\u00abThe decoded payload opens with the comment &#8216;# hacked by teampcp,&#8217; the same actor marker seen in recent TeamPCP compromises,\u00bb the company <a href=\"https:\/\/research.jfrog.com\/post\/xinference-compromise\/\">said<\/a>. However, in a post shared on X, TeamPCP <a href=\"https:\/\/x.com\/pcpcats\/status\/2046927940932260092\">disputed<\/a> they were behind the compromise and claimed it was the work of a copycat.<\/p>\n<h3>Attacks Target npm and PyPI<\/h3>\n<p>The findings are the latest additions to a long list of attacks that have targeted the open-source ecosystem. 
This includes two malicious packages, one each on npm (kube-health-tools) and PyPI (kube-node-health), that masquerade as Kubernetes utilities, but silently install a Go-based binary to establish a SOCKS5 proxy, a reverse proxy, an SFTP server, and a large language model (LLM) proxy on the victim&#8217;s machine.<\/p>\n<p>The LLM proxy is an OpenAI-compatible API gateway that accepts requests and routes them to upstream APIs, including Chinese LLM routers like shubiaobiao.<\/p>\n<p>\u00abBeyond providing cheap access to AI, LLM routers like the one deployed here sit on a trust boundary that is easily abused,\u00bb Aikido Security researcher Ilyas Makari <a href=\"https:\/\/www.aikido.dev\/blog\/gpt-proxy-backdoor-npm-pypi-chinese-llm-relay\">said<\/a>. \u00abBecause every request passes through the router in plaintext, a malicious operator can [&#8230;] inject malicious tool calls into responses of coding agents before they reach the client, introducing malicious pip install or curl | bash payloads mid-flight.\u00bb<\/p>\n<p>Alternatively, the router can be used to exfiltrate secrets from request and response bodies, including API keys, AWS credentials, GitHub tokens, Ethereum private keys, and system prompts.<\/p>\n<p>Another sustained npm supply chain attack campaign <a href=\"https:\/\/panther.com\/blog\/false-claims-an-npm-supply-chain-campaign-impersonates-asurion\">documented<\/a> by Panther has impersonated phone insurance provider Asurion and its subsidiaries, publishing malicious packages (sbxapps, asurion-hub-web, soluto-home-web, and asurion-core) from April 1 through April 8, 2026, containing a multi-stage credential harvester.<\/p>\n<p>The stolen credentials were exfiltrated initially to a Slack webhook and then to an AWS API Gateway endpoint (\u00abpbyi76s0e9.execute-api.us-east-1.amazonaws[.]com\u00bb). By April 7, the AWS exfiltration URL is said to have been obfuscated using XOR encoding.<\/p>\n<p>Last but not least, Google-owned cloud security firm Wiz <a href=\"https:\/\/www.wiz.io\/blog\/six-accounts-one-actor-inside-the-prt-scan-supply-chain-campaign\">shed light<\/a> on an artificial intelligence (AI)-powered campaign dubbed prt-scan that has systematically exploited the \u00abpull_request_target\u00bb GitHub Actions workflow trigger since March 11, 2026, to steal developer secrets.<\/p>\n<p>The attacker, operating under the accounts testedbefore, beforetested-boop, 420tb, 69tf420, elzotebo, and ezmtebo, has been found to search for repositories using the trigger, fork those repositories, create a branch with a pre-defined naming convention (i.e., prt-scan-{12-hex-chars}), inject a malicious payload into a file that&#8217;s executed during CI, open a pull request, and then steal developer credentials when the workflow is triggered and publish a malicious package version if npm tokens are discovered.<\/p>\n<p>\u00abAcross over 450 analyzed exploit attempts, we have observed a &lt;10% success rate,\u00bb Wiz researchers said. \u00abIn most cases, successful attacks were against small hobbyist projects, and only exposed ephemeral GitHub credentials for the workflow. 
For the most part, this campaign did not grant the attacker access to production infrastructure, cloud credentials, or persistent API keys, barring minor exceptions.\u00bb<\/p>\n<p>\u00abThe campaign demonstrates that while pull_request_target vulnerabilities remain exploitable at scale, modern CI\/CD security practices, particularly contributor approval requirements, are effective at protecting high-profile repositories.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity researchers have flagged a fresh set of packages that have been compromised by bad actors to deliver a self-propagating worm that spreads through stolen developer npm tokens. The supply&hellip;<\/p>\n","protected":false},"author":1,"featured_media":682,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[219,223,774,39,35,1362,571,218,146,821],"class_list":["post-681","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-chain","tag-developer","tag-hijacks","tag-npm","tag-packages","tag-selfpropagating","tag-steal","tag-supply","tag-tokens","tag-worm"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/681","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=681"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/681\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.p
hp?rest_route=\/wp\/v2\/media\/682"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=681"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=681"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=681"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}