A highly automated npm supply chain campaign, dubbed “CanisterWorm,” in which threat actors steal npm access tokens and weaponize legitimate publisher accounts at scale.