Supply Chain Alert: Sophisticated Malware Campaign Exploits Namastex Labs to Bridge npm and PyPI Ecosystems

A sophisticated supply chain attack has been uncovered targeting the developer ecosystem, specifically leveraging compromised packages linked to Namastex Labs. This campaign is not a simple case of typosquatting; instead, it involves the highly targeted hijacking of legitimate, widely-trusted packages to facilitate credential theft and worm-like propagation across both the npm and PyPI registries.

The breach centers around the Namastex.ai brand, a provider of AI consulting and autonomous agent systems via their Automagik product line. By compromising established developer tools, attackers have successfully bypassed traditional scrutiny, injecting malicious payloads directly into the build pipelines of unsuspecting engineering teams.

The Anatomy of the Compromise

The technical execution of this attack shifts the focus from passive malware to active, install-time execution. Rather than waiting for a user to run a command, the malware triggers immediately upon the execution of the npm install command. This “post-install” hook allows the payload to gain a foothold before any security scanning or manual review can occur.

Security researchers have identified several compromised versions within the following namespaces:

  • @automagik/genie: Versions 4.260421.33 through 4.260421.39
  • pgserve: Versions 1.1.11, 1.1.12, and 1.1.13

A forensic analysis revealed that these disparate packages share embedded RSA key material, a clear indicator of a unified build infrastructure used by the threat actor. Further threat hunting has linked this lineage to other previously affected packages, including @fairwords/websocket, @fairwords/loopback-connector-es, and various @openwebconcept design-system packages.

High-Value Targeting and Blast Radius

This campaign is particularly dangerous because it targets “infrastructure-adjacent” tools. These aren’t just generic libraries; they are specialized utilities that sit deep within the development lifecycle:

  • @automagik/genie: An AI agent-orchestration CLI with approximately 6,700 weekly downloads.
  • pgserve: A development-focused embedded PostgreSQL server with 1,300 weekly downloads.
  • UI/Backend Connectors: Packages managing WebSocket integrations and LoopBack-to-Elasticsearch connections, allowing the malware to potentially touch everything from front-end design tokens to backend data flow.

The presence of legitimate GitHub repositories and professional branding suggests that the attackers didn’t just create fake packages—they likely compromised the actual maintainer accounts or the CI/CD pipelines of existing, reputable projects.

Multi-Stage Payload Functionality

Once activated, the install-time payload executes a four-pronged offensive designed for maximum data extraction:

1. Aggressive Secret Harvesting

The script performs an exhaustive sweep of the host machine for sensitive metadata. It targets:

  • Environment Variables: Scanning for API keys and session tokens.
  • Configuration Files: Scouring .npmrc, .env, and shell histories.
  • Cloud & Infra Credentials: Targeting .kube/config, Terraform state files, Vault data, and Docker/Kubernetes configurations.
  • SSH & Git: Attempting to grab private keys and Git credentials to facilitate further lateral movement.

2. Financial and Browser Data Theft

The malware extends its reach into the user’s personal data, specifically targeting browser-based credentials (Chrome login storage) and cryptocurrency wallets. It actively seeks out extension data for MetaMask and Phantom, alongside local wallet files for Solana, Ethereum, Bitcoin, and Exodus.

3. Dual-Channel Exfiltration

To maintain stealth, the malware uses a hybrid exfiltration strategy. Collected data is sent via HTTPS to a telemetry API and simultaneously to an Internet Computer (ICP) canister endpoint. The communication utilizes a sophisticated encryption scheme: AES-256-CBC combined with RSA-OAEP-SHA256 when a public key is detected, falling back to plaintext only when necessary to ensure delivery.

4. Worm-like Propagation (The “CanisterWorm” Connection)

The most alarming feature is the malware’s ability to spread autonomously. By extracting npm tokens, the script enumerates all packages the victim has permission to publish. It then downloads those legitimate packages, injects its own malicious postinstall hook, and republishes them as new versions. This creates a self-sustaining loop of infection.

Furthermore, the threat bridges the ecosystem gap. If PyPI credentials are discovered, the script prepares a Python .pth-based payload. This ensures that once a developer’s machine is compromised via npm, the infection spreads into the Python ecosystem by using Twine to upload backdoored Python packages.

Conclusion and Attribution

The tradecraft observed—specifically the use of ICP canisters for C2 (Command and Control) and the cross-ecosystem propagation—closely mirrors the TeamPCP threat actor and their known CanisterWorm campaign. While the specific canister IDs have changed, the underlying methodology remains identical.

Immediate Action Recommended: Developers should audit their dependency trees, rotate all leaked secrets (especially npm tokens and cloud provider keys), and monitor for unusual activity in their respective package registries.

Related Articles

Back to top button