Self-Propagating Worm Hijacks npm Packages to Steal Tokens

Cybersecurity researchers have identified a new series of compromised software packages that are being used to deliver a self-propagating worm. This malicious software spreads by hijacking developer authentication tokens from the npm registry, a critical hub for open-source JavaScript code. The discovery was made public this week by security firms Socket and StepSecurity, which are tracking the campaign under the name “CanisterSprawl.”

The primary function of the worm is to steal npm access tokens from developers’ systems. Once a token is compromised, the attackers use it to automatically publish new malicious packages or modify existing ones. This creates a self-sustaining cycle of infection that spreads through the software supply chain.

Mechanism of the Attack

The attack begins when a developer inadvertently installs one of the initial malicious packages. These packages contain scripts that execute upon installation. The scripts search the developer’s computer for configuration files that hold npm authentication tokens.

Upon stealing a token, the malware communicates with a command-and-control server hosted on an Internet Computer Protocol (ICP) canister. This server is used to exfiltrate the stolen credentials. The attackers then use these tokens to automate the process of publishing further malicious packages to the npm registry, impersonating the compromised developer accounts.

Discovery and Tracking

The campaign was detected by the security teams at Socket, which specializes in supply chain security, and StepSecurity. Their joint analysis revealed the worm’s self-propagating nature and its use of an ICP canister for data theft, leading to the moniker “CanisterSprawl.”

Researchers note that the attack is sophisticated in its automation. It does not rely on a single point of failure but is designed to continuously expand its reach by leveraging each new stolen token to create additional attack vectors. This makes containment particularly challenging.

Impact on the Software Supply Chain

This incident highlights a significant vulnerability in the open-source software ecosystem. The npm registry is foundational to modern web development, with millions of developers relying on it daily. A compromise of developer tokens undermines the trust and integrity of the entire supply chain.

Malicious packages inserted into the registry can be picked up by unsuspecting developers and integrated into commercial applications and services. This poses a direct risk of data theft, backdoor installation, and further malware distribution to end-users.

Recommended Mitigations for Developers

Security experts advise developers to take immediate steps to protect their accounts and systems. They recommend regularly auditing and rotating npm authentication tokens. Using two-factor authentication for npm accounts is considered a critical security measure.

Developers should also employ security tools that can scan for suspicious package behaviors, such as scripts that attempt to access sensitive files. Vigilance in reviewing package dependencies and their maintainers is essential before installation.

Ongoing Response and Next Steps

The npm security team has been notified and is actively working to take down the identified malicious packages. The investigation is ongoing to determine the full scope of the compromise and identify all affected accounts.

In the coming days, further details about the campaign’s infrastructure and indicators of compromise are expected to be released by the researching firms. The broader security community is likely to increase scrutiny on packages utilizing ICP or similar decentralized hosting services for command and control functions. Organizations are advised to review their software bills of materials for any dependencies linked to the known malicious packages.

Source: Adapted from original security disclosures
