CanisterSprawl: pgserve Compromised on npm: Malicious Versions Harvest Credentials and Exfiltrate to a Decentralized ICP Canister
On April 21, 2026, malicious versions of pgserve were published to npm. pgserve is an embedded PostgreSQL server for development — zero config, auto-provisioned databases, designed to be dropped into…
Read the full article2mo ago
You might also wanna read

Injective npm Supply Chain Attack: 18 Packages Backdoored to Steal Crypto Wallet Keys
Step Security·12h ago
.png)
Introducing Secret Exfiltration Protection for GitHub Actions
Step Security·1d ago
.png)
GitHub Secret Scanning Public Monitoring for Enterprises: Coverage and Gaps
Step Security·2d ago

10 Layers Deep: How StepSecurity Stops TeamPCP's Trivy Supply Chain Attack on GitHub Actions
Step Security·7d ago
.png)
StepSecurity Maintained Actions Are Now Free for Public Repos
Step Security·7d ago

Secure Registry now tells you which machine pulled a compromised package
Step Security·8d ago

Comments
Sign in to join the conversation.
No comments yet. Be the first.