CanisterWorm hits npm with self-spreading package malware that steals publisher tokens


A new npm supply chain attack called CanisterWorm is compromising legitimate publisher accounts, stealing npm tokens, and then using those credentials to push poisoned package updates into additional namespaces. Security researchers say the malware spreads through malicious postinstall scripts, targets Linux systems for persistence, and abuses compromised publishing access to republish infected packages as trusted updates.

The campaign first came to light through research from Socket and Endor Labs, and JFrog later said it found additional compromised versions that earlier public reports had missed. Socket said that by March 21, 2026, the campaign had expanded to 135 malicious package artifacts spanning more than 64 unique packages, while JFrog said its continuous monitoring uncovered extra infected versions across the same broader operation.

Researchers describe this as a worm-enabled attack, not just another one-off npm compromise. Once a developer installs a tainted package, the malware hunts for npm authentication tokens in local config files and environment variables, then uses those tokens to find packages owned by the victim and publish malicious patch releases under those accounts.

How CanisterWorm spreads

The infection starts during installation. Endor Labs says the malicious packages use a postinstall hook in package.json to run JavaScript automatically after the package is unpacked, without requiring extra user interaction. That code then launches two parallel actions: credential theft and backdoor setup.

Socket and JFrog say the implanted code drops a Python backdoor, persists on Linux through a user-level systemd service named pgmon, and polls an Internet Computer Protocol canister as a dead-drop command channel. The malware writes secondary payloads to /tmp/pglog and tracks state in /tmp/.pg_state, which lets the attacker rotate later-stage payloads without republishing the original malicious package.

The most dangerous stage comes next. JFrog says the worm scans project-level .npmrc files, ~/.npmrc, /etc/npmrc, the NPM_TOKEN and NPM_TOKENS environment variables, and even npm config output for auth tokens. It then queries npm to identify packages maintained by the compromised account, bumps patch versions, and republishes tainted releases with the latest tag.

What researchers have linked to the campaign

Socket said the campaign affected legitimate publisher namespaces including @emilgroup and @teale.io/eslint-config, while JFrog said its work identified new compromised versions that earlier disclosures had not listed. JFrog’s newly identified versions include @emilgroup/discount-sdk 1.5.1, @emilgroup/document-uploader 0.0.10, @emilgroup/docxtemplater-util 1.1.2, @emilgroup/numbergenerator-sdk-node 1.3.1, @emilgroup/partner-portal-sdk 1.1.1, @emilgroup/setting-sdk 0.2.1, @emilgroup/task-sdk 1.0.2, and @emilgroup/task-sdk-node 1.0.2.

Endor Labs published a longer affected-package list that includes packages such as @leafnoise/mirage 2.0.3, jest-preset-ppf 0.0.2, eslint-config-service-users 0.0.3, @opengov/form-renderer 0.2.20, @airtm/uuid-base32 1.0.2, and multiple @emilgroup packages, along with several @teale.io/eslint-config versions.

Why this attack stands out

This campaign blends familiar npm malware tactics with automated propagation. Endor Labs says the malware hijacks the victim’s own publishing credentials and uses them to infect that developer’s software portfolio, while Socket says later CanisterWorm releases refined the process and published compromised releases as latest to increase the odds of downstream installation.

That turns one compromised machine into a launch point for a much wider software supply chain event. Instead of waiting for a new victim to stumble onto a typosquatted package, the attacker can hijack legitimate maintenance channels and ride existing trust relationships across projects and teams.

Immediate actions for developers and security teams

Researchers say anyone who installed one of the identified malicious versions should assume compromise and respond fast. JFrog’s remediation guide says teams should rotate all npm publishing tokens and CI/CD secrets available on the affected host, stop and disable the pgmon service on Linux, remove the service file and payload artifacts, delete node_modules, clear the npm cache, pin safe package versions, and reinstall dependencies.

Priority steps:

  • Rotate all npm publishing tokens and CI/CD secrets exposed on the infected host.
  • Stop and disable the pgmon user service on Linux.
  • Remove ~/.config/systemd/user/pgmon.service, ~/.local/share/pgmon/, /tmp/pglog, and /tmp/.pg_state.
  • Delete node_modules, clean the npm cache, lock to safe versions, and reinstall.
  • Audit package histories and npm logs for unauthorized publishes.

A preventive control also exists for future installs. Running npm config set ignore-scripts true (or setting ignore-scripts=true in a project .npmrc) stops npm from running preinstall, install and postinstall scripts during installation, which removes the exact mechanism CanisterWorm uses to launch. The trade-off is that legitimate packages with native build steps or other install hooks silently stop running them too; the practical pattern is to install with scripts disabled, review which dependencies declare install hooks, and run only those deliberately.

FAQ

What is CanisterWorm?

It is a worm-enabled npm supply chain attack that steals npm auth tokens, installs a Linux backdoor, and republishes malicious package updates through compromised publisher accounts.

Which ecosystems or publishers have been named publicly?

Public research ties the campaign to packages under @emilgroup and @teale.io, along with a broader set of affected packages listed by Endor Labs and expanded by JFrog.

Does it only affect Linux?

The persistence mechanism described by researchers is Linux-focused because it uses a systemd --user unit named pgmon, but the credential theft and package-republishing angle matters to any developer environment that installed a tainted package and exposed publish tokens.

What should developers do first?

Rotate npm tokens and CI/CD secrets first, then remove persistence, clean artifacts, and rebuild dependencies from safe versions.
