Cybersecurity researchers have detected a new self-propagating worm in the npm ecosystem. Dubbed CanisterSprawl, the worm uses stolen developer tokens to compromise packages and spread automatically. Socket and StepSecurity warn that the threat is already active, leveraging leaked credentials to infect repositories and exfiltrate data via an ICP container.
Self-propagation mechanism in the supply chain 🧬
The worm operates through stolen npm credentials, which allow attackers to publish malicious versions of legitimate packages. Once installed, the malicious code searches the developer's environment for additional tokens and uses them to infect new projects. The ICP container serves as the endpoint to which the stolen data is exfiltrated. Socket and StepSecurity point out that the spread is automatic and can compromise the entire software supply chain if the affected tokens are not revoked.
Your npm token, the neighbor's master key 🔑
It turns out that leaving your npm token in a public repository is like leaving your keys in the car with the windows down. Attackers not only get in but invite the whole neighborhood to use your vehicle. CanisterSprawl is not just any worm: it's the annoying cousin who shows up at the code party, steals the credentials, and leaves without buying a round. Remember: if you don't rotate your tokens, someone else will rotate them for you.
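The defensive check the two sections above call for is finding npm tokens before the worm (or a public repository) does. The following is an added example, not code from the article, Socket or StepSecurity: it scans a checkout for literal `npm_` tokens and for `.npmrc` auth lines that hold a literal value instead of an environment reference, reporting redacted values. The input is a constructed map of path to file contents so it runs offline; the token values are placeholders.

```javascript
// Added example (not from the article): scan for hard-coded npm tokens of the
// kind CanisterSprawl harvests. Input: { path: contents }; in CI read from disk.
// npm access tokens start with "npm_" followed by 36 base62 characters.
const NPM_TOKEN = /\bnpm_[A-Za-z0-9]{36}\b/;
const NPM_TOKEN_G = new RegExp(NPM_TOKEN.source, 'g');
// An .npmrc auth line: //registry.host/:_authToken=<value>
const NPMRC_AUTH = /^\s*\/\/[^=]*:_authToken\s*=\s*(.+?)\s*$/;
// A value that only references an environment variable: ${NPM_TOKEN} or $NPM_TOKEN
const ENV_REF = /^\$\{?\w+\}?$/;
// Keep reports useful without copying the whole secret into logs.
function redact(secret) {
  return secret.length > 8 ? `${secret.slice(0, 4)}...${secret.slice(-4)}` : '****';
}
// Minimal .gitignore check: exact path or basename entries only.
function isGitignored(gitignore, path) {
  const base = path.split('/').pop();
  return (gitignore || '').split('\n').map((l) => l.trim())
    .some((l) => l === path || l === `/${path}` || l === base || l === `**/${base}`);
}
// files: { 'path/to/file': 'contents' }. Returns one finding per leaked secret.
function findNpmTokenLeaks(files) {
  const findings = [];
  const gitignore = files['.gitignore'];
  for (const [path, content] of Object.entries(files)) {
    content.split('\n').forEach((line, i) => {
      // 1. A literal npm_... token anywhere: source, CI config, shell scripts.
      for (const m of line.matchAll(NPM_TOKEN_G)) {
        findings.push({ path, line: i + 1, kind: 'npm-token', value: redact(m[0]), severity: 'high' });
      }
      // 2. An .npmrc auth value that is neither an env reference nor caught above
      //    (e.g. a legacy token). A committed .npmrc like this is the "master key".
      const auth = path.endsWith('.npmrc') ? line.match(NPMRC_AUTH) : null;
      if (auth && !ENV_REF.test(auth[1]) && !NPM_TOKEN.test(auth[1])) {
        findings.push({ path, line: i + 1, kind: 'npmrc-literal-auth', value: redact(auth[1]),
          severity: isGitignored(gitignore, path) ? 'medium' : 'high' });
      }
    });
  }
  return findings;
}
// Constructed sample checkout; the token values are placeholders, not real secrets.
const SAMPLE_REPO = {
  '.gitignore': 'node_modules/\n',
  '.npmrc': `//registry.npmjs.org/:_authToken=npm_${'A'.repeat(36)}\n`,
  'ci/.npmrc': '//registry.npmjs.org/:_authToken=${NPM_TOKEN}\n',
  'legacy/.npmrc': '//registry.npmjs.org/:_authToken=0f1e2d3c-0000-4000-8000-legacyuuidtoken\n',
  'scripts/publish.sh': `export NODE_AUTH_TOKEN=npm_${'B'.repeat(36)}\nnpm publish\n`,
};
for (const f of findNpmTokenLeaks(SAMPLE_REPO)) console.log(`${f.severity}\t${f.path}:${f.line}\t${f.kind}\t${f.value}`);
```

Any `high` finding is a token to revoke and rotate now, not merely to delete from the file, since git history and any mirror already have it.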