X j qJWgZ Omabee PbrL yaQh

Supply Chain Alert: Namastex npm Packages Compromised by CanisterWorm-Style Malware

Security researchers have identified a sophisticated supply chain attack targeting the Namastex ecosystem, specifically within the Automagik AI tooling suite. Several npm packages have been surreptitiously modified to deliver a high-impact payload that mirrors the mechanics of the CanisterWorm—a malware variant previously linked to the TeamPCP threat actor.

This is not a theoretical threat; the compromised packages are active dependencies in specialized developer workflows. For instance, @automagik/genie (an AI agent-orchestration CLI) maintains approximately 6,700 weekly downloads, while pgserve (an embedded PostgreSQL server) sees around 1,300 weekly downloads. This high level of adoption increases the blast radius for any environment utilizing these tools for CI/CD or local development.

Technical Breakdown of the Attack Vector

The infection vector is triggered during the standard npm install process via a malicious postinstall script. Once executed, the JavaScript payload initiates a multi-stage operation designed for maximum data extraction and lateral movement.

1. Aggressive Credential Harvesting

The malware scans the host system for high-value authentication material. Unlike legitimate installation scripts, this payload performs exhaustive sweeps of:

  • Environment Variables & Config Files: .npmrc, .git-credentials, .netrc, and local .env files.
  • Cloud & Infrastructure Secrets: AWS, Azure, GCP, and Kubernetes configurations, as well as Terraform and Pulumi state files.
  • System Access: SSH keys, Vault data, and shell history.

2. Browser and Crypto-Asset Exfiltration

Moving beyond developer credentials, the implant targets web browser artifacts and cryptocurrency ecosystems. It attempts to access Chrome login data and specifically targets extension stores for MetaMask and Phantom, as well as local wallet files for Solana, Ethereum, Bitcoin, Exodus, and Atomic Wallet.

3. Dual-Channel Exfiltration via ICP Canisters

A distinguishing feature of this campaign is its use of the Internet Computer Protocol (ICP). The malware utilizes an ICP canister as a “dead-drop” command-and-control (C2) channel, providing a decentralized and resilient method for exfiltrating stolen data.

The architecture employs a hybrid encryption scheme: if a bundled RSA public key is available, payloads are encrypted using AES-256-CBC and RSA-OAEP-SHA256. If not, it falls back to plaintext. Data is simultaneously exfiltrated to a conventional HTTPS webhook (telemetry.api-monitor[.]com) and a specific ICP canister ID: cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0[.]io/drop.

4. Automated Worm-like Propagation

The payload is designed to self-propagate to reach new victims. By extracting npm tokens from the compromised host, the malware enumerates all publishable packages owned by that user. It then injects its own malicious postinstall hook into these packages and republishes them. Furthermore, it contains logic to target the PyPI ecosystem by preparing malicious Python packages using a .pth-based loader if Python credentials are detected.

Affected Packages and Indicators of Compromise (IoCs)

Threat hunters have identified several affected versions. A critical red flag is the presence of identical embedded RSA material across different compromised packages, suggesting a shared builder infrastructure.

Package Name Affected Versions
@automagik/genie 4.260421.33 through 4.260421.39
pgserve 1.1.11, 1.1.12, 1.1.13
@fairwords/websocket 1.0.38–1.0.39
@fairwords/loopback-connector-es 1.4.3–1.4.4

Additionally, @openwebconcept design-system components show similar indicators, pointing toward a broad compromise of the publisher’s namespace or shared developer tooling.

Evidence of Infrastructure Compromise

Unlike “typosquatting” attacks (where attackers create fake packages with similar names), this incident involves the direct compromise of legitimate publisher accounts. Evidence of this includes:

  • Upstream Discrepancies: The pgserve versions 1.1.12 and 1.1.13 were published to npm without corresponding Git tags in the original GitHub repository, a classic sign of unauthorized publishing via stolen tokens.
  • Targeted Ecosystems: The malware targets well-established, documented projects rather than ephemeral, low-download modules.

Mitigation Recommendations

If your organization utilizes any of the packages listed above, we recommend the following immediate actions:

  1. Audit Dependencies: Check your package-lock.json or yarn.lock files for the specific versions mentioned above.
  2. Rotate All Credentials: Assume that any environment that ran an install of these packages is fully compromised. Rotate npm tokens, AWS/GCP/Azure keys, SSH keys, and GitHub personal access tokens immediately.
  3. Review CI/CD Logs: Look for unusual outbound network traffic to the mentioned ICP canister or the api-monitor[.]com domain.
  4. Implement Lockfiles: Ensure strict use of lockfiles and consider using tools like Socket to scan for malicious behavioral changes in dependencies during the build process.

For real-time updates on this threat, monitor security advisories from Socket and official npm security bulletins.

Related Articles

Back to top button