Npm Supply-Chain Malware Uses Worm-Like Propagation
🐛Researchers from Socket have identified malicious npm packages that execute during installation to harvest credentials and developer artifacts, then attempt worm-like propagation across ecosystems. The payload targets cloud and CI/CD tokens, SSH keys, .npmrc files, browser profiles and crypto wallets, exfiltrating data via HTTPS webhooks and ICP endpoints. It attempts to republish compromised packages using stolen npm tokens and can also generate PyPI payloads via .pth injection. The campaign leverages blockchain-hosted canisters for C2 and remains under active investigation.
