Canister Sprawl harvests developer secrets

- Security researchers at Socket and StepSecurity said a self-propagating npm malware cluster, CanisterSprawl, spread through compromised packages published on April 21 and 22.
- The campaign hit 22 package artifacts across six npm package names, stole cloud and developer secrets at install time, and included code to poison PyPI.
- The findings extend a wider TeamPCP-style supply-chain run spanning npm, PyPI and Open VSX marketplaces. (socket.dev)

Open-source package managers are software app stores for developers, and this week researchers said one of them was used to spread a worm that steals secrets and republishes itself. Socket and StepSecurity tracked the latest cluster as CanisterSprawl. (socket.dev) (stepsecurity.io)

The malware was found in malicious npm releases published on April 21 and April 22, 2026, including pgserve, @automagik/genie, @fairwords/websocket, @fairwords/loopback-connector-es, @openwebconcept/design-tokens and @openwebconcept/theme-owc. Socket said it had tracked 22 affected package artifacts across those names. (socket.dev) (thehackernews.com)

A worm is malware that spreads without waiting for a person to manually resend it. In this case, the malicious code ran during package installation through a postinstall hook, stole npm publishing tokens and then used that access to push more poisoned package versions. (socket.dev) (thehackernews.com)

The script searched for the kinds of files developers and build systems keep nearby: .npmrc, SSH keys, .git-credentials, .netrc, cloud credentials for Amazon Web Services, Google Cloud and Microsoft Azure, Kubernetes and Docker configs, Terraform and Vault material, local .env files and shell history. StepSecurity said the pgserve payload alone was 1,143 lines long. (thehackernews.com) (stepsecurity.io)

Researchers said the stolen data was sent to an HTTPS webhook and to an Internet Computer Protocol canister, a decentralized storage endpoint meant to be harder to take down. That canister-based exfiltration is why the campaign was named CanisterSprawl. (thehackernews.com) (socket.dev)

The campaign did not stop at JavaScript. Socket said the malware also carried PyPI propagation logic, generating a Python startup payload and preparing malicious Python packages with Twine if the infected machine already had the right credentials. (socket.dev) (thehackernews.com) That cross-ecosystem pattern showed up elsewhere the same week.
JFrog and StepSecurity said versions 2.6.0, 2.6.1 and 2.6.2 of the Python package xinference were compromised on April 22, and the maintainers yanked those releases after users reported suspicious behavior. (research.jfrog.com) (stepsecurity.io)

A separate compromise also reached Bitwarden's command-line tool on npm. StepSecurity said @bitwarden/cli@2026.4.0 used a malicious preinstall hook to launch a 9.7 megabyte credential stealer, and Bitwarden's GitHub releases show CLI v2026.4.1 was re-released four days ago. (stepsecurity.io) (github.com)

Researchers are also tracking related malware in developer extensions, which are add-ons that change how editors like Visual Studio Code work. Socket said on April 25 it had identified 73 cloned Open VSX extensions tied to GlassWorm v2, with at least six already activated to deliver malware. (socket.dev)

The common thread is trust in automation. When a package install, a dependency update bot or an editor extension update runs with developer or continuous integration permissions, one poisoned release can expose tokens that open the next door. (socket.dev 1) (socket.dev 2)

The immediate fixes are plain but tedious: remove the bad versions, rotate npm, cloud and GitHub credentials, and review build pipelines that allow install scripts or broad GitHub Actions permissions. The latest CanisterSprawl reports show how quickly one compromised workstation or pipeline can turn into more compromised packages. (stepsecurity.io) (socket.dev)
