πŸ’» AppSec

CanisterSprawl: Self-Propagating npm Worm Steals Developer Credentials and Re-Infects Package Ecosystems

Researchers discovered CanisterSprawl, a self-propagating npm supply chain worm attributed to TeamPCP that compromised at least 16 packages including pgserve and @automagik/genie. A postinstall hook harvests npm tokens, cloud credentials, SSH keys, and AI tool configs, exfiltrating to a blockchain canister before using stolen tokens to inject the worm into every other package owned by the compromised developer. Organisations should audit postinstall scripts and rotate all credentials from affected development environments.

4 min read
#supply-chain#npm#worm#teamPCP#credential-theft#developer-security#blockchain-exfiltration

Security researchers at StepSecurity disclosed CanisterSprawl on April 22 2026 β€” a self-propagating npm worm attributed to the TeamPCP threat actor that introduces a novel propagation mechanism into npm supply chain attacks. The campaign compromised at least 16 packages, including pgserve (versions 1.1.11–1.1.13) and @automagik/genie, by injecting a malicious postinstall hook that executes automatically during npm install.

CanisterSprawl is distinct from TeamPCP’s earlier @bitwarden/cli npm typosquat (also April 22) and Checkmarx CI/CD campaigns. This campaign targets different packages and introduces automation that expands the attack without requiring continued attacker intervention.

How It Works

The postinstall hook executes a three-stage attack:

Stage 1 β€” Credential harvest. The hook scans the development environment for high-value secrets:

  • npm publish tokens (~/.npmrc, CI/CD environment variables)
  • Cloud provider credentials: AWS ~/.aws/credentials, Azure ~/.azure/, GCP ~/.config/gcloud/
  • SSH private keys from ~/.ssh/
  • CI/CD pipeline secrets: GitHub Actions, GitLab CI, CircleCI, Jenkins environment variables
  • AI tool configurations including ~/.claude.json, ~/.cursor/, and VSCode authentication tokens

Stage 2 β€” Exfiltration to an ICP blockchain canister. All harvested data is exfiltrated to Internet Computer Protocol (ICP) canister cjn37-uyaaa-aaaac-qgnva-cai. Using a blockchain canister as the exfiltration endpoint is a deliberate operational security choice: the canister is decentralised, cannot be seized by domain takedown or hosting provider action, and persists independently of whether the malicious npm packages are removed from the registry.

Stage 3 β€” Self-propagation. Using the harvested npm publish tokens, the worm automatically publishes a new version of every other package owned by the compromised developer, injecting the same malicious postinstall hook. A developer with 15 published packages becomes a propagation vector for all 15 within minutes of their credentials being stolen β€” without any further attacker involvement.

Scope and Attribution

At time of disclosure, StepSecurity confirmed 16 compromised packages. Because self-propagation uses stolen publish tokens before victims notice, the true scope may be larger. Affected packages span utility libraries, ORM wrappers, and developer tooling, with combined weekly downloads in the low tens of thousands β€” smaller in aggregate than the Axios attack, but more targeted toward developer-toolchain-adjacent packages where CI/CD credential exposure is most valuable.

StepSecurity attributes CanisterSprawl to TeamPCP based on shared ICP canister infrastructure, code-level overlaps with earlier TeamPCP campaigns, and the actor’s established pattern of targeting developer credential stores rather than end-user deployments.

Why Blockchain Exfiltration Changes the Threat Model

Earlier npm supply chain attacks exfiltrated credentials to Discord webhooks, Pastebin endpoints, or attacker-controlled web servers β€” all of which can be neutralised by the security community or hosting providers acting on abuse reports. A blockchain canister on ICP is immutable and decentralised: even after the malicious packages are removed and the campaign is publicly disclosed, harvested credentials remain accessible to the attacker at the same endpoint indefinitely.

This means organisations that installed affected package versions cannot rely on public disclosure or npm package removal as evidence that the threat has been contained. Credential rotation is required regardless of how quickly the malicious packages were identified.

  • Audit package manifests for pgserve, @automagik/genie, and any package with an unexpected postinstall script β€” run npm explain <package> or npx lockfile-lint to surface anomalous postinstall entries in node_modules.
  • Check for ICP canister exfiltration in egress monitoring logs: outbound HTTPS to *.icp0.io or *.ic0.app from developer workstations, CI/CD agents, or container build environments is an indicator of compromise.
  • Rotate all credentials from any environment that ran an affected package version β€” npm publish tokens, cloud credentials (AWS/Azure/GCP), SSH keys, and all CI/CD pipeline secrets.
  • Audit downstream artefacts and deployed packages built in compromised environments for injected dependencies.
  • Enforce lifecycle script restrictions using private registry policies or tools like npx audit-ci that block or require approval for postinstall scripts from unapproved packages.
  • Scope npm publish tokens per-package rather than account-wide β€” limiting token scope reduces the blast radius of credential theft from a single compromised postinstall execution.

Share this article