Yet another npm supply-chain attack is worming its way through compromised packages, stealing secrets and sensitive data as it moves through developers' environments, and it shares significant overlap with the open source infections attributed to TeamPCP last month.
Application security vendors Socket and StepSecurity say a self-propagating CanisterWorm-style malware strain hit multiple npm packages tied to Namastex Labs, an agentic AI company. The campaign appears to target specialized developer workflows as opposed to broad consumer npm usage, with compromised packages including:
- @automagik/genie@4.260421.33 through 4.260421.39
- pgserve@1.1.11 through 1.1.13
- @fairwords/websocket@1.0.38 and 1.0.39
- @fairwords/loopback-connector-es@1.4.3 and 1.4.4
- @openwebconcept/design-tokens@1.0.3
- @openwebconcept/theme-owc@1.0.3
Additional malicious versions are still being published and identified by the security shops, and as such the full scope of the supply chain attack remains under investigation.
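As an added example (not code from Socket, StepSecurity or the original article), this Node.js script checks a parsed `package-lock.json` against the package versions listed above. The function names and the sample lockfile are constructed for illustration, and the table holds only the versions this article names, so an empty result does not rule out later malicious releases.

```javascript
// Versions named in the article, as inclusive [low, high] ranges.
// Assumption: plain x.y.z versions only; the article says the list is still growing.
const AFFECTED = new Map([
  ["@automagik/genie", [["4.260421.33", "4.260421.39"]]],
  ["pgserve", [["1.1.11", "1.1.13"]]],
  ["@fairwords/websocket", [["1.0.38", "1.0.39"]]],
  ["@fairwords/loopback-connector-es", [["1.4.3", "1.4.4"]]],
  ["@openwebconcept/design-tokens", [["1.0.3", "1.0.3"]]],
  ["@openwebconcept/theme-owc", [["1.0.3", "1.0.3"]]],
]);

// Numeric comparison of x.y.z strings (string comparison would misorder 1.1.9 and 1.1.11).
function cmp(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

function isAffected(name, version) {
  if (!/^\d+\.\d+\.\d+$/.test(version || "")) return false;
  return (AFFECTED.get(name) || []).some(([lo, hi]) => cmp(version, lo) >= 0 && cmp(version, hi) <= 0);
}

// Accepts a parsed package-lock.json object and returns every matching entry.
function findAffected(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path ("" is the root project).
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split("node_modules/").pop();
    if (path && isAffected(name, meta.version)) hits.push({ name, version: meta.version, path });
  }
  // lockfileVersion 1: nested "dependencies" tree keyed by package name.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}/${name}`;
      if (isAffected(name, meta.version)) hits.push({ name, version: meta.version, path });
      walk(meta.dependencies, path);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/pgserve": { version: "1.1.12" },
  "node_modules/@fairwords/websocket": { version: "1.0.37" },
  "node_modules/foo/node_modules/@openwebconcept/design-tokens": { version: "1.0.3" },
} };
console.log(findAffected(SAMPLE_LOCK));
```

To check a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffected`; transitive dependencies are covered because the lockfile records the whole installed tree.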
The compromised pgserve versions were initially published on April 21 at 22:14 UTC, followed by two more malicious releases of the same package later that day, according to StepSecurity.
Socket says this latest worm-enabled security incident shares several similarities with the earlier CanisterWorm infections attributed to TeamPCP following the threat actor's Trivy supply chain attack last month. These were dubbed the CanisterWorm attacks because the attackers used an ICP canister to deliver additional payloads and exfiltrate stolen data.
While the canister used in the Namastex-linked packages is not the exact same one Socket documented in the earlier CanisterWorm campaign linked to TeamPCP, Socket's research team noted 'strong overlap' in attack techniques, tradecraft, and code lineage – but stopped short of attributing the latest npm package infections to TeamPCP.
"In this newly discovered npm incident, the malware uses the same core adversarial methods: install-time execution, credential theft from developer environments, off-host exfiltration, canister-backed infrastructure, and self-propagation logic intended to compromise additional packages," Socket wrote. "The overlap is notable enough on its own, and malicious packages included an explicit code reference to a TeamPCP/LiteLLM method inside the malicious payload."
Specifically, the payload references a "TeamPCP/LiteLLM method" for .pth file injection.
The malware collects tokens, credentials, API and SSH keys, and other secrets for cloud services, CI/CD systems, registries, Kubernetes and Docker configurations, and LLM platforms. It then exfiltrates stolen data to both a conventional webhook and an ICP canister endpoint, using the hardcoded canister ID cjn37-uyaaa-aaaac-qgnva-cai.
Additionally, it attempts to steal browser extension data associated with MetaMask and Phantom, along with local cryptocurrency wallet files including Solana, Ethereum, Bitcoin, Exodus, and Atomic Wallet data.
Plus, it contains logic to extract npm tokens from a developer's machine, identify packages the victim can publish, inject a new payload into those, and then republish the now-malicious packages.
If the malware discovers PyPI credentials on victims' machines, it uses a similar self-propagation method to upload malicious Python packages as well.
"In other words, this is not just a credential stealer," Socket warned. "It is designed to turn one compromised developer environment into additional package compromises." ®