CanisterSprawl

...injecting them with the malicious script and republishing them using the victim’s stolen npm credentials. Additionally, the script attempts to spread the attack to the Python Package Index (PyPI) when the necessary credentials are available...

The worm then attempts to self-propagate by identifying and installing npm packages the victim can publish, injecting them with the malicious script and republishing them using the victim’s stolen npm credentials.

The most significant development of the week was the end of TeamPCP's 26-day supply chain compromise pause, with three concurrent package compromises landing across npm, PyPI, and Docker Hub between April 21 and 22.

Additionally, the script attempts to spread the attack to the Python Package Index (PyPI) when the necessary credentials are available, preparing and uploading malicious .pth-based payloads via Twine.

The worm executes via npm postinstall hook... Trojanized cx-dev-assist ... silently downloaded a second-stage mcpAddon.js payload ... and executed it via the Bun runtime without integrity verification.

Trojanized cx-dev-assist (versions 1.17.0 and 1.19.0) and ast-results (versions 2.63.0 and 2.66.0) VS Code and Open VSX extensions were also identified, which silently downloaded a second-stage mcpAddon.js payload from a backdated commit in the official Checkmarx GitHub repository and executed it via the Bun runtime without integrity verification.

Three consecutive xinference PyPI releases (versions 2.6.0, 2.6.1, and 2.6.2) were published from a bot account with a malicious base64-encoded payload injected directly into init .py, executing automatically on package import.

...injecting them with the malicious script and republishing them using the victim’s stolen npm credentials. Additionally, the script attempts to spread the attack to the Python Package Index (PyPI) when the necessary credentials are available...

It combines a multi-cloud credential harvester targeting six distinct secret surfaces, a self-propagating npm worm that re-infects all packages a victim token can publish ... shell RC persistence

...injecting them with the malicious script and republishing them using the victim’s stolen npm credentials. Additionally, the script attempts to spread the attack to the Python Package Index (PyPI) when the necessary credentials are available...

It combines a multi-cloud credential harvester targeting six distinct secret surfaces, a self-propagating npm worm that re-infects all packages a victim token can publish ... shell RC persistence

...injecting them with the malicious script and republishing them using the victim’s stolen npm credentials. Additionally, the script attempts to spread the attack to the Python Package Index (PyPI) when the necessary credentials are available...

The worm is cross-ecosystem, jumping from npm to PyPI if it discovers a PyPI publish token on the infected host.

The malicious postinstall script observed in this compromise works to harvest secrets from the victim’s environment by searching environment variables for names associated with tokens, credentials, cloud providers, CI/CD systems, registries, LLM platforms and other secrets. It also targets sensitive local system files including .npmrc, .git-credentials, .netrc, .env files, database password files, and files storing SSH keys and cloud credentials.

The payload swept AWS credentials, Google Cloud configurations, Kubernetes tokens, environment variables, SSH keys, API keys, and database credentials, exfiltrating to hxxps://whereisitat[.]lucyatemysuperbox[.]space/.

The worm executes via npm postinstall hook, harvests roughly 40 credential categories via regex sweep, and exfiltrates to a dual-channel endpoint that includes an Internet Computer Protocol (ICP) canister.

The worm is cross-ecosystem, jumping from npm to PyPI if it discovers a PyPI publish token on the infected host.

The worm is cross-ecosystem, jumping from npm to PyPI if it discovers a PyPI publish token on the infected host.

The worm then attempts to self-propagate by identifying and installing npm packages the victim can publish, injecting them with the malicious script and republishing them using the victim’s stolen npm credentials.

The payload swept AWS credentials, Google Cloud configurations, Kubernetes tokens, environment variables, SSH keys, API keys, and database credentials... The malicious payload ... exfiltrated GitHub tokens, npm tokens, SSH material, AWS/GCP/Azure secrets, GitHub Actions secrets, and AI tooling configuration files.

The worm executes via npm postinstall hook, harvests roughly 40 credential categories via regex sweep... The payload swept AWS credentials, Google Cloud configurations, Kubernetes tokens, environment variables, SSH keys, API keys, and database credentials.

The collected data is exfiltrated to an HTTPS webhook as well as an Internet Computer Protocol (ICP) canister that serves as a “dead-drop” command and control (C2) channel, Socket said.

It combines ... a GitHub commit dead-drop C2 channel with RSA-signed command delivery

The malicious payload contained the string "Shai-Hulud: The Third Coming" ... and exfiltrated GitHub tokens, npm tokens, SSH material, AWS/GCP/Azure secrets, GitHub Actions secrets, and AI tooling configuration files to public GitHub repositories created under victim accounts.