A new supply chain attack targeting the Node Package Manager (npm) ecosystem is stealing developer credentials and attempting to spread through packages published from compromised accounts.
The threat was spotted by researchers at application security companies Socket and StepSecurity in multiple packages from Namastex Labs, a company that provides AI-based agentic solutions designed to improve profitability.
Socket noted that the techniques used for credential theft, data exfiltration, and self-propagation were similar to those in TeamPCP’s CanisterWorm attacks, but the available evidence did not support confident attribution.

At publishing time, Socket lists a set of 16 Namastex packages already compromised in the new supply-chain attack:
- @automagik/genie (4.260421.33-4.260421.39)
- pgserve (1.1.11-1.1.13)
- @fairwords/websocket (1.0.38-1.0.39)
- @fairwords/loopback-connector-es (1.4.3-1.4.4)
- @openwebconcept/theme-owc (1.0.3)
- @openwebconcept/design-tokens (1.0.3)

These packages are used in AI agent tooling and database operations, so the attack targets high-value endpoints rather than aiming for high-volume infections. However, because of its worm-like behavior, it can spread quickly if conditions are met.
The researchers found that the injected malicious code collects secrets such as tokens, API keys, SSH keys, and credentials for cloud services, CI/CD systems, registries, and LLM platforms, as well as Kubernetes/Docker configs.
Additionally, it attempts to extract sensitive data stored in Chrome and Firefox, including cryptocurrency wallets such as MetaMask, Exodus, Atomic Wallet, and Phantom.
StepSecurity says that the malware “is a supply-chain worm” that can find tokens for publishing on npm and inject “itself into every package that token can publish, propagating the compromise further.”
According to StepSecurity, the malicious versions of pgserve were first published on April 21, at 22:14 UTC, with another two malicious releases following on the same day.
If publish tokens are found on the compromised system in environment variables or the ~/.npmrc configuration file, the malicious script identifies the packages that the victim can publish, adds the payload, and republishes them to npm with an increased version number.
These newly infected packages execute the same process when installed, enabling recursive spread.
The researchers noted that, if PyPI credentials are found, it applies a similar method to Python packages using a .pth-based payload, making this a multi-ecosystem attack.
Developers should treat all listed package versions as malicious and remove them from systems and CI/CD pipelines immediately, then rotate all potentially exposed secrets.
Both Socket and StepSecurity provide indicators of compromise to help defenders identify compromised development environments or defend them against this attack.
Recommended actions in environments where affected packages are found include removing them from development and CI/CD systems, rotating all credentials and secret data, and checking internal package mirrors, artifacts, and caches.
Socket also advises defenders to audit for related packages with the same public.pem file, the same webhook host, or the same postinstall pattern.


