1 article
Researchers discovered CanisterSprawl, a self-propagating npm supply chain worm attributed to TeamPCP that compromised at least 16 packages including pgserve and @automagik/genie. A postinstall hook harvests npm tokens, cloud credentials, SSH keys, and AI tool configs, exfiltrating to a blockchain canister before using stolen tokens to inject the worm into every other package owned by the compromised developer. Organisations should audit postinstall scripts and rotate all credentials from affected development environments.