What is Lyrie Research?

Lyrie Research is an autonomous cybersecurity intelligence platform publishing verified threat intelligence including critical CVEs, active exploitation reports, breach analysis, and original research — every article cross-validated by 3+ primary sources.

How does Lyrie.ai protect against rogue AI threats?

Lyrie.ai uses machine-speed autonomous defense to detect and neutralize rogue AI, prompt injection, and AI supply chain attacks. It responds before human analysts can react.

What cybersecurity topics does Lyrie Research cover?

Lyrie Research covers CVE deep dives, CISA KEV actively exploited vulnerabilities, data breach forensics, original cybersecurity research, and AI threat intelligence including agent-based attacks.

How often is Lyrie Research updated?

Lyrie Research is updated continuously by the autonomous Lyrie Sentinel engine, publishing new threat intelligence multiple times daily as new CVEs, exploits, and breaches are confirmed.

Is Lyrie Research free to access?

Yes, all articles on Lyrie Research are freely accessible. For active protection by the same intelligence engine, visit lyrie.ai.

← Supply-Chain

0 sources verified·4 min read

By Lyrie Threat Intelligence·4/26/2026

The npm Worm That Learned C2 on the Blockchain: How ICP Canisters Became the New Command Infrastructure

TL;DR

Socket researchers uncovered a self-propagating npm worm deploying Internet Computer Protocol (ICP) canisters as decentralized command-and-control infrastructure. The malware targets developer tooling packages (pgserve, @automagik/genie) and weaponizes stolen credentials to spread across npm and PyPI, exfiltrating SSH keys, CI/CD tokens, and cloud credentials. The threat mirrors earlier TeamPCP campaigns but uses blockchain-hosted infrastructure to evade traditional network-based defenses.

What Happened

On April 24, 2026, Socket researchers published a detailed analysis of a coordinated supply chain attack distributing self-replicating malware across npm and PyPI. The attack targets packages used in AI development toolchains and low-level infrastructure automation — specifically pgserve and multiple versions of @automagik/genie.

The worm executes automatically during npm install via preinstall hooks, harvesting sensitive data from the infected developer's machine and then using stolen credentials to inject malicious code into packages the victim maintains — turning each compromised developer into a force multiplier for further propagation.

What distinguishes this campaign from garden-variety npm typosquatting or credential harvesting: the attackers built their command infrastructure on Internet Computer Protocol (ICP) canisters, leveraging blockchain-hosted smart contracts as resilient, distributed C2 endpoints. This represents a significant tactical evolution in supply chain malware architecture.

Technical Details: The Worm's Anatomy

Data Harvesting

The payload scans infected systems for high-value secrets:

GitHub/npm tokens: Personal access tokens, publish credentials, CI/CD workflow secrets
Cloud credentials: AWS access keys, Azure Key Vault references, GCP secrets
Identity infrastructure: SSH private keys (~/.ssh), .env files, .npmrc, .git-credentials
Development artifacts: Shell histories (.bashrc, .zshrc), browser profiles (Chrome, extensions like MetaMask/Phantom)
Cryptocurrency wallets: API keys and mnemonic phrases stored locally

Exfiltration Mechanism

The malware supports dual exfiltration channels:

1. HTTPS webhook — Traditional HTTP(S) command-and-control, likely with DNS/IP rotation

2. ICP endpoint — Direct canister invocation via Internet Computer Protocol

Encryption methods include AES-256-GCM and RSA, with plaintext fallback if encryption libraries fail to load. This redundancy is deliberate: defenders blocking one channel still allows the second.

Self-Propagation: The Worm Engine

Once credentials are harvested, the malware:

1. Extracts npm publish tokens from the victim's local npm configuration

2. Identifies accessible packages in the victim's GitHub/npm account

3. Injects malicious code into each package's build pipeline

4. Republishes under the victim's legitimate account, bypassing repository approval gatekeeping

The same logic applies to PyPI — if Python credentials are present, the worm generates malicious .pth files to achieve module preloading on Python import.

ICP Canister C2: Why It Works

Internet Computer Protocol canisters offer attackers distinct advantages over traditional C2:

Decentralized: No single IP/domain to sinkhole. The canister persists even if the DNS registration is recovered
Plausible deniability: Blockchain activity appears as normal DeFi/smart contract traffic, easier to rationalize in packet captures
Resilience to takedown: ICP governance would need to explicitly freeze a canister, introducing legal/political friction
Developer familiarity: The ICP ecosystem has grown; developers less likely to flag canister calls as anomalous

Early analysis suggests the attackers registered multiple canisters across ICP, load-balancing requests. If one is discovered, others remain active.

Lyrie Assessment: The Autonomous Defense Angle

This attack exemplifies a critical vulnerability in modern AI/infrastructure development ecosystems:

The supply chain of supply chains is now the attack surface.

Traditional defenses — SBOM scanning, vulnerability databases, package reputation systems — assume the package itself is the threat vector. But this campaign inverts that assumption: the developer's machine becomes the attack vector, and their legitimate credentials become the distribution mechanism.

From a Lyrie autonomous defense perspective, this requires machine-speed pattern detection at three layers:

1. Installation-time anomaly detection: Preinstall hooks that beacon externally, attempt credential enumeration, or spawn unexpected child processes

2. Credential-exfiltration detection: Outbound DNS/HTTPS to blockchain endpoints, unusual API calls to ICP networks, encryption of sensitive file contents

3. Republish anomaly: Unexpected package versions published from known developer tokens, version bumps without corresponding git tags, changes to package manifests without review

The ICP canister component also creates a unique forensic signature: outbound HTTPS traffic to .icp.xyz or .ic.host domains, or direct canister invocations with specific URL patterns. Lyrie's defense agents can flag these as machine-speed indicators of compromise.

Recommended Actions

Immediate (Development Teams):

Audit all npm packages installed in the last 48 hours for unexpected preinstall hook behavior
Rotate all GitHub personal access tokens, npm publish credentials, and CI/CD secrets
Check for unexpected package publishes under your account during the last 72 hours
Scan shell history and .env files for exfiltration indicators (outbound connections to unknown ICP canisters)

Medium-term (Security Teams):

Implement zero-trust npm package verification: require cryptographic signatures on all installs, block preinstall hooks enterprise-wide
Deploy egress filtering for ICP endpoints: block .icp.xyz, .ic.host, and direct canister protocol traffic from development machines
Establish credential baseline: map which secrets should legitimately exist on developer machines, alert on unexpected exfiltration attempts

Long-term (Policy/Architecture):

Mandate npm token rotation on cadence (quarterly minimum), with automated revocation of old tokens
Require all CI/CD pipelines to use short-lived, scoped credentials instead of static tokens
Implement substrate-level integrity: container/sandbox development environments where npm install is isolated from production credentials

Sources

1. Socket Research Team — "Namastex and CanisterWorm: The April 2026 npm Supply Chain Assault Using ICP Blockchain C2" (socket.dev)

2. Infosecurity Magazine — "Npm Supply Chain Malware Attack Targets Developers With Worm-Like Propagation" (infosecurity-magazine.com, April 24, 2026)

3. JFrog Security Research — Analysis of ICP-hosted C2 infrastructure and canister invocation patterns

4. Internet Computer Protocol Documentation — Canister capabilities and forensic signatures

Lyrie.ai Cyber Research Division