CanisterSprawl — Self-Propagating npm Worm Installs LLM Proxy Backdoor

AI relevance: The worm installs a covert LLM proxy that routes AI traffic through compromised servers to Chinese LLM APIs — turning victim machines into unauthorized AI reselling infrastructure while exfiltrating tokens, credentials, and model API keys from AI development environments.

What Happened

Two distinct but related supply chain campaigns emerged in late April 2026, both weaponizing npm and PyPI packages to turn developer machines into LLM proxy relay nodes and credential-harvesting platforms.

Campaign 1: kube-health-tools LLM Proxy Backdoor

• Malicious packages kube-health-tools (npm) and kube-node-health (PyPI) masqueraded as Kubernetes utilities.
• Both ship native binaries — a Cython-compiled .so extension (PyPI) and a Node.js addon.node native module (npm) — that execute on import or require().
• The droppers download a stage 2 Go binary to /tmp/.kh, which establishes: a SOCKS5 proxy, a reverse proxy, an SFTP server, and an LLM proxy routing requests to Chinese LLM APIs via sync[.]geeker[.]indevs[.]in.
• Three reverse tunnels expose the victim's LLM proxy (port 4444), SSH server (port 4446), and HashiCorp Vault on port 8200 (Kubernetes secrets store) to the attacker's C2.
• The npm variant includes a ngrok fallback cycling through attacker-controlled accounts for persistent public exposure.
• The dropper then self-destructs: it deletes the binary, temp files, and recursively removes its own package directory from node_modules — leaving no trace within two seconds of execution.
• Compromised servers become relay nodes in what researchers describe as a commercial AI reselling platform, with the attacker able to inject malicious payloads into routed LLM traffic.

Campaign 2: CanisterSprawl Worm

• Tracked by Socket and StepSecurity, CanisterSprawl is a self-propagating worm targeting npm packages. It appeared in compromised versions of pgserve (PostgreSQL server for Node.js) starting April 21.
• A postinstall hook injects a credential-harvesting script that searches for npm publish tokens, bumps patch versions of every package the victim can publish, reinjects itself, and republishes to npm.
• If a PyPI token is found, the worm jumps ecosystems entirely — a cross-platform propagation mechanism.
• Uses an Internet Computer Protocol (ICP) canister as a decentralized, resilient C2 channel — making takedown significantly harder than traditional C2 infrastructure.
• Socket's follow-up investigation linked compromised Namastex.ai packages (@automagik/genie and pgserve) to the same tradecraft: install-time execution, credential theft, off-host exfiltration to canister-backed infrastructure, and self-propagation logic.
• The Namastex payload included an explicit code reference to a TeamPCP/LiteLLM method — linking this campaign to the broader TeamPCP operation.

Why It Matters

• The LLM proxy angle is novel: compromised machines aren't just credential targets — they're weaponized as AI infrastructure relay nodes, with the attacker able to intercept, modify, or inject payloads into LLM traffic.
• The self-propagation mechanism (CanisterSprawl) turns every infected developer machine into a distribution vector for further supply chain compromise, creating exponential spread.
• The ICP canister C2 is architecturally novel — decentralized, permissionless, and nearly impossible to take down through traditional means.
• The self-destructing dropper (deleting its own node_modules directory) defeats standard forensic investigation — a developer running npm ls after the fact would see no evidence of compromise.
• AI/ML teams are high-value targets: they run Kubernetes, use HashiCorp Vault, manage model API keys, and have elevated cloud permissions.

What to Do

• Check for kube-health-tools or kube-node-health in your dependency trees. If found, assume the machine is compromised — the dropper self-destructs but the stage 2 binary persists.
• Search for suspicious processes named node-health-check or binaries at /tmp/.kh.
• If you published pgserve or any Namastex.ai packages — review all published versions and rotate npm/PyPI tokens immediately.
• Rotate all credentials found in environment variables, CI/CD secrets, and cloud configs on potentially affected machines.
• Monitor for unusual outbound connections to geeker[.]indevs[.]in or unknown ngrok tunnels.
• Use package integrity verification (lockfiles, provenance attestation) to detect unauthorized dependency modifications.

Sources

• Aikido — GPT-Proxy Backdoor in npm and PyPI turns Servers into Chinese LLM Relays
• Socket — Namastex.ai npm Packages Hit with TeamPCP-Style CanisterWorm
• GitGuardian — Three Supply Chain Campaigns Hit npm, PyPI, and Docker Hub in 48 Hours
• The Register — Another npm supply chain worm hits dev environments
• BleepingComputer — New npm supply-chain attack self-spreads to steal auth tokens