CanisterSprawl: Self-Propagating npm Worm Hits pgserve, Spreads to PyPI, Exfils to ICP Canister

Socket and StepSecurity have disclosed a new supply-chain worm campaign, tracked as CanisterSprawl, that hijacked the popular embedded-Postgres dev tool pgserve on npm and then pivoted into PyPI. First malicious [email protected] hit the registry on April 21, 2026 at 22:14 UTC, followed by 1.1.12 and 1.1.13 the same day. Semgrep, Socket, and StepSecurity all published independent advisories on April 22.

This is not a reflash of the October CanisterWorm/Trivy incident. CanisterSprawl is a new campaign reusing the same ICP-canister exfil tradecraft — hence the name — but with a different initial-access vector, a different package set, and a postinstall payload that has clearly been iterated on.

What got poisoned

The campaign compromised at least four package families across two ecosystems:

• pgserve (npm) — versions 1.1.11, 1.1.12, 1.1.13. Zero-config embedded PostgreSQL used in Node test harnesses and local dev; anything that wires this into CI gets popped on npm install.
• automagik (npm) — the AI agent-orchestration CLI from Namastex.ai. Multiple recent versions pushed by accounts testedbefore, beforetested-boop, 420tb, 69tf420, elzotebo, ezmtebo.
• xinference (PyPI) — versions 2.6.0, 2.6.1, 2.6.2. Base64-encoded bootstrapper pulls a second-stage Python collector.
• kube-health-tools (npm) and kube-node-health (PyPI) — typosquats of legitimate Kubernetes health utilities that ship a Go binary opening a SOCKS5 proxy, a reverse tunnel, and an SFTP listener.

How the worm works

The pgserve postinstall hook is a 1,143-line credential harvester. On install it:

1. Scans the filesystem and environment for secrets: .npmrc, ~/.aws/credentials, GCP/Azure service account JSON, GitHub tokens (GH_TOKEN, GITHUB_TOKEN, ~/.config/gh/hosts.yml), SSH keys, .env files, shell history, Git credential helpers, Docker configs, kubeconfigs, database passwords.
2. Enumerates browser artifacts: Chrome password stores, and wallet extension data for MetaMask and Phantom.
3. Slurps local wallet files for Solana, Ethereum, Bitcoin, Exodus, and Atomic Wallet.
4. Encrypts the full collection with RSA-4096 + AES-256 and exfiltrates to telemetry.api-monitor.com and a decentralized Internet Computer Protocol (ICP) canister. The blockchain endpoint cannot be domain-seized.
5. If an npm publish token is found — in env vars or ~/.npmrc — it enumerates packages the token can publish, injects the same payload, bumps the patch version, and pushes. Those packages now execute the same logic on their own npm install.
6. If PyPI credentials are found it switches to a .pth-based Python payload and repeats the propagation trick against whatever that identity can publish.

That sixth step is what makes this a worm rather than a one-shot package compromise. It is also what lets the incident jump ecosystems from a single infected laptop.

Initial access

For automagik and related Namastex.ai packages, Socket attributes the original compromise to a GitHub CI-abuse chain: the operator forks a target repo, creates a branch named prt-scan-{12-hex-chars}, injects a malicious step into something that runs in CI, and opens a pull request. If a maintainer runs the PR’s workflow — or even if the workflow fires automatically on pull_request — secrets in the CI environment (npm tokens, GitHub app tokens) get harvested, and a poisoned package release follows within minutes.

If you have repos that run unreviewed PR workflows with secrets, audit for that branch-name pattern.

Impact

Anyone who ran npm install with pgserve in the dependency tree between April 21 22:14 UTC and the unpublish window should assume full credential compromise for any secret accessible to the install process — including CI runners, which tend to hold the keys to the kingdom. The worm logic means the blast radius is not limited to the initial four packages: any npm identity that ran an affected install and had a publish token present is a candidate for secondary infection, and that identity’s packages may have shipped a poisoned patch release before the attack was flagged.

What to do now

• npm ls pgserve across every project and CI image; pin to <= 1.1.10 or remove.
• Remove automagik, kube-health-tools, and any unexpected Namastex.ai packages.
• pip list | grep -E "xinference|kube-node-health" — if xinference is present, pin off 2.6.0–2.6.2.
• Rotate every secret that was in reach of a CI job or dev laptop running the affected versions: npm tokens (npm token revoke), PyPI tokens, AWS/GCP/Azure keys, GitHub PATs and app installation tokens, SSH keys, database creds.
• Audit npm publish history for the last 72 hours on any account that may have installed these packages — look for unexpected patch-version publishes you did not initiate.
• Block egress to telemetry.api-monitor.com at your perimeter as a retroactive detection pivot; anything that beaconed there is compromised.
• Scan GitHub for branches matching prt-scan-[0-9a-f]{12} in your org.

Sources

• Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens — The Hacker News
• Another npm supply chain worm hits dev environments — The Register
• CanisterSprawl: pgserve Compromised on npm — StepSecurity
• Security Advisory: pgserve / xinference / kube-health — Semgrep
• Malicious pgserve, automagik developer tools found in npm registry — InfoWorld
• New npm supply-chain attack self-spreads to steal auth tokens — BleepingComputer