Monday 06 July 2026 05:41:50 GMT+02:00

Netcrook

HomeManifesto
News
Techcrook
Geocrook
WikicrookTeamAppContact
EnglishItalianoArabic

Cyber Intelligence & Threat Trends

Worm in the Code: CanisterWorm Unleashes npm Supply Chain Chaos

Published: 23 March 2026 11:32Category: Cyber Intelligence & Threat TrendsAuthor: SECPULSE

Subtitle: A new, rapidly spreading malware campaign is targeting npm tokens, threatening developers and organizations with credential theft and malicious package proliferation.

In a chilling escalation of software supply chain threats, a newly discovered malware called CanisterWorm is slithering through the npm ecosystem, stealing publishing tokens and transforming trusted packages into silent saboteurs. The campaign, orchestrated by a group known as “TeamPCP,” has already compromised several legitimate SDKs, raising alarms across the developer community and sparking urgent mitigation efforts.

A Worm with a Mission: How CanisterWorm Infects the npm Supply Chain

The attack begins innocuously-when a developer installs an npm package, a seemingly normal postinstall script springs into action. Instead of a harmless setup, this script secretly launches a Python backdoor, embedding itself as a hidden service (“pgmon”) using systemd-user on Linux. This persistence mechanism allows CanisterWorm to survive reboots and evade casual detection.

What sets CanisterWorm apart is its use of Internet Computer Protocol (ICP) canisters as a “dead-drop” command and control channel. Rather than relying on a single server, the malware continuously polls these decentralized canisters for instructions and payloads, making takedown efforts much harder.

The worm’s primary goal: harvest npm credentials. It scours project directories, user profiles, and system-wide config files for the coveted .npmrc files and environment variables like NPM_TOKEN. With these tokens in hand, the worm authenticates as the victim, enumerates all their npm packages, and silently publishes new, malicious versions-incrementing the patch version to avoid suspicion.

The infection quickly snowballs, as each compromised package becomes a new launchpad for further attacks. According to recent threat intelligence, several packages under the @emilgroup namespace-such as discount-sdk and document-uploader-have been identified as breached, though the full scope may extend far beyond.

Containment and Clean-Up: What Developers Must Do Now

Security experts urge immediate action: rotate all npm tokens and CI/CD secrets, eradicate persistence by disabling and deleting the pgmon service, and thoroughly clean infected dependencies by removing node_modules and clearing caches. Critically, developers should disable silent postinstall scripts globally (with npm config set ignore-scripts true) to block similar attacks.

The CanisterWorm incident is a stark reminder that the npm supply chain remains a high-value target for cybercriminals-and that even trusted packages can be weaponized in the blink of an eye.

Conclusion

As CanisterWorm continues its rampage, the developer community faces a hard truth: in the interconnected world of software dependencies, a single compromised token can ignite a wildfire. Vigilance, rapid response, and proactive security hygiene are now more critical than ever to stem the tide of supply chain threats.

WIKICROOK

  • Supply Chain Attack: A supply chain attack is a cyberattack that compromises trusted software or hardware providers, spreading malware or vulnerabilities to many organizations at once.
  • npm Token: An npm token is a secret credential used to authenticate and manage npm packages. If exposed, it can allow attackers to compromise package security.
  • Postinstall Script: A postinstall script runs after software installation and can be exploited by attackers to execute malicious code or alter system settings.
  • Persistence: Persistence involves techniques used by malware to survive reboots and stay hidden on systems, often by mimicking legitimate processes or updates.
  • Command and Control (C2): Command and Control (C2) is the system hackers use to remotely control infected devices and coordinate malicious cyberattacks.