A Self-Spreading npm Worm Is Stealing Developer Credentials
Security researchers have uncovered a new supply chain attack targeting the npm (Node Package Manager) ecosystem that goes beyond a typical package compromise. Unlike most npm malware campaigns that rely on a single poisoned package to spread, this attack features a self-spreading mechanism — once a developer installs an infected package, the malware attempts to steal their npm authentication tokens and use those credentials to publish new infected versions of other packages the victim maintains.
The result is a worm-like propagation model that can spread laterally through the npm registry, potentially compromising hundreds or thousands of packages before being detected and removed.
How the Attack Works
The attack chain combines credential theft with autonomous propagation:
| Stage | Description |
|---|---|
| Initial Infection | Developer installs a malicious or compromised package |
| Token Harvesting | Malware locates and exfiltrates npm auth tokens from ~/.npmrc |
| Account Takeover | Stolen tokens are used to authenticate as the victim developer |
| Propagation | Malware publishes malicious updates to packages the victim maintains |
| Persistence | Each new infected package extends the campaign's reach |
The attack is particularly effective because npm authentication tokens stored in ~/.npmrc typically have broad publish permissions across all packages the developer owns. A single stolen token can be used to backdoor an entire developer's portfolio of open source packages.
Targeting Developers Through Dependency Chains
This attack exploits the trust relationships inherent in the npm ecosystem. Developers routinely install packages from the registry without inspecting source code, trusting that packages from established maintainers are safe. By hijacking maintainer accounts, the attackers bypass the normal suspicion threshold applied to unknown packages.
Key characteristics of the campaign:
- Targets ~/.npmrc — the standard location for npm authentication credentials on Linux, macOS, and Windows
- Exfiltrates tokens via HTTP to attacker-controlled infrastructure
- Selectively publishes to packages with high download counts to maximize spread
- Uses legitimate npm CLI to publish infected updates, making the activity appear normal in registry logs
- Adds obfuscated postinstall scripts that execute on package installation in victim environments
Scope and Impact
Supply chain attacks that spread through stolen developer credentials represent an evolution in npm ecosystem threats. Previous high-profile npm attacks — including the event-stream poisoning in 2018 and the ua-parser-js compromise in 2021 — relied on manual takeover of individual accounts or abandoned packages. A self-spreading worm significantly amplifies the potential blast radius.
If a widely-used package maintainer's token is stolen, their packages could be trojaned before the maintainer is even aware. Downstream users installing routine dependency updates would receive malicious code.
Immediate Actions for Developers
Rotate npm Authentication Tokens
# Log out and generate a new token
npm logout
npm login
# Revoke all existing tokens via npm website or CLI
npm token list
npm token revoke <token-id>
# Review active tokens at: https://www.npmjs.com/settings/tokens
Audit Your ~/.npmrc
# Check what tokens are stored
cat ~/.npmrc
# Review for unexpected entries
# Token format: //registry.npmjs.org/:_authToken=<token>
Enable Two-Factor Authentication on npm
# Enable 2FA for package publishing
npm profile enable-2fa auth-and-writes
# This requires a TOTP code for all publish operations
# Even if a token is stolen, 2FA prevents unauthorized publishing
Review Recently Published Package Versions
If you maintain npm packages, check your recent publish history:
# Check recent versions of your package
npm view <your-package-name> versions --json | tail -5
# Review what was published and when
npm view <your-package-name> time --json
Defensive Recommendations for Organizations
Organizations consuming npm packages should implement additional controls:
- Pin dependencies to exact versions (5.2.1 instead of ^5.2.1) to prevent unexpected updates
- Use a private npm registry with a curated allow-list of approved packages
- Implement npm audit in CI/CD pipelines to catch known-malicious packages
- Monitor for unexpected network connections from Node.js processes at runtime
- Review package-lock.json changes carefully during code review — unexpected version bumps are a red flag
Broader Supply Chain Context
This attack joins a growing list of npm supply chain incidents in 2026. The self-spreading mechanism echoes the canisterworm blockchain C2 npm worm documented in March 2026, suggesting threat actors are increasingly investing in persistence and propagation mechanisms for npm-based attacks.
The npm registry's security team has been notified and is working to identify and remove infected packages. Affected maintainers are being contacted to rotate credentials and review their published packages for unauthorized changes.