Signal
New npm supply chain worm steals developer tokens amid rising malware campaigns
Published 2026-04-22 17:33 UTC
Updated 2026-04-23 14:00 UTC
Tags: cve, exploits, malware, threat_actors, security_tooling, incident_response
Evidence trail (top sources)
Top sources (4 domains shown; domains are deduped, and counts indicate coverage, not truth)
Overview
Security researchers have uncovered a self-propagating supply chain worm that targets npm packages and steals developer tokens and credentials. The worm, named CanisterSprawl, spreads through compromised packages and exfiltrates the stolen data via an ICP canister.
- Score total: 1.38
- Momentum 24h: 4
- Posts: 4
- Origins: 4
- Source types: 1
- Duplicate ratio: 0%
Why now
- The worm and malicious packages were detected recently, indicating active ongoing attacks.
- High download counts of malicious npm packages increase the risk to many developers.
- UNC6692’s recent campaign highlights the persistent threat of social engineering in 2026.
Why it matters
- Supply chain worms in npm threaten the integrity of developer environments and software supply chains.
- Malicious packages can steal critical credentials, risking cloud infrastructure and crypto assets.
- Social engineering campaigns like UNC6692 show attackers’ evolving tactics to breach enterprises.
LLM analysis
- Topic mix: low
- Promo risk: low
- Source quality: high
Recurring claims
- A self-propagating npm supply chain worm named CanisterSprawl steals developer tokens and spreads through compromised packages.
- Malicious versions of developer tools pgserve and automagik in the npm registry steal credentials and propagate malware.
- Threat actor UNC6692 uses social engineering and custom malware to infiltrate enterprise environments.
How sources frame it
- The Hacker News: neutral
- CSO Online: neutral
- Mandiant Blog: neutral
All evidence
Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite
Mandiant Blog · cloud.google.com · 2026-04-23 14:00 UTC
Malicious pgserve, automagik developer tools found in npm registry
CSO Online · csoonline.com · 2026-04-23 00:28 UTC
Another npm supply chain worm is tearing through dev environments
The Register Security · go.theregister.com · 2026-04-22 22:34 UTC
Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens
The Hacker News · thehackernews.com · 2026-04-22 17:33 UTC
Top publishers (this list)
- Mandiant Blog (1)
- CSO Online (1)
- The Register Security (1)
- The Hacker News (1)
Top origin domains (this list)
- cloud.google.com (1)
- csoonline.com (1)
- go.theregister.com (1)
- thehackernews.com (1)