
CanisterWorm malware hits npm, PyPI ecosystems

A self-replicating worm is actively compromising npm packages to steal developer tokens.

Thursday, 23 April 2026 at 05:01 UTC
Synthesis · 2 sources
A self-replicating supply chain attack is actively compromising npm packages to exfiltrate developer authentication tokens. Once a developer machine is infected, the malicious code automatically injects itself into any package that machine subsequently publishes, creating an autonomous propagation cycle across the JavaScript ecosystem. The worm's ability to spread through legitimate publishing workflows, without further attacker interaction, marks an evolution in supply chain threat vectors. Stolen tokens give persistent access to package registries, allowing attackers to poison widely used dependencies at scale without repeating the initial compromise. This campaign appears distinct from the previously reported CanisterWorm malware, which targeted both the npm and PyPI ecosystems.
Updates · 1
SITREP - Independent OSINT Channel (🇬🇧) · 5d ago

A new self-propagating worm specifically targeting npm packages has been identified, distinct from the earlier CanisterWorm campaign. The worm autonomously spreads through developer machines and exfiltrates authentication tokens.
