A sophisticated new threat known as CanisterSprawl has recently compromised 16 npm packages that together account for over 13,000 weekly downloads, striking at the heart of the JavaScript ecosystem. Unlike a standard data stealer, this malware operates as a self-propagating worm that specifically hunts for npm publication tokens within a victim's environment. Once a developer's environment is breached, the script automatically injects malicious code into the user's own projects and republishes them under new versions, effectively using legitimate accounts to spread the infection further across the npm registry.
The payload is designed for comprehensive data exfiltration, scanning systems for sensitive API keys, cloud service credentials, and private tokens that could lead to broader infrastructure compromises. Beyond server-side secrets, CanisterSprawl also attempts to extract sensitive data from browser-based cryptocurrency wallets, making it a dual threat to both enterprise security and personal assets. Security researchers at BleepingComputer report that the malware focuses on stealth, silently harvesting credentials while the infected libraries remain active in the developer's build pipeline.


