Skip to main content
Emerging ThreatsSupply Chain Attacks

npm Ecosystem Targets New Supply-Chain Attack to Steal Auth Tokens

Dimly lit coding environment with multiple screens and laptops, notes, and diagrams, showing signs of disarray.

StepSecurity says that the malware "is a supply-chain worm" that can find publish tokens and inject itself into every package those tokens can publish, propagating the compromise further.

How researchers discovered the Namastex compromise

Application security teams at Socket and StepSecurity identified malicious code in multiple npm packages published from Namastex Labs accounts. Socket reported a set of 16 Namastex packages as already compromised and published a sample list of affected modules and versions; the published entries include:

  • @automagik/genie (4.260421.33-4.260421.39)
  • pgserve (1.1.11–1.1.13)
  • @fairwords/websocket (1.0.38-1.0.39)
  • @fairwords/loopback-connector-es (1.4.3-1.4.4)
  • @openwebconcept/theme-owc@1.0.3
  • @openwebconcept/design-tokens@1.0.3

Socket described Namastex Labs as a company that "provides AI-based agentic solutions designed to improve profitability." The compromised packages are used in AI agent tooling and database operations, which Socket and StepSecurity say makes the campaign focused on high-value endpoints rather than sheer volume of infections.

What the malware takes and where it looks

Both research teams report the injected code collects a broad range of sensitive data. The malware searches for and exfiltrates tokens, API keys, SSH keys, credentials for cloud services, CI/CD systems, registries, LLM platforms, and "Kubernetes/Docket configs," according to the published findings. The malicious script also attempts to extract sensitive data stored in Chrome and Firefox, explicitly including cryptocurrency wallets such as MetaMask, Exodus, Atomic Wallet, and Phantom.

Worm-like propagation: npm tokens, ~/.npmrc, and .pth for PyPI

The attack contains an automated propagation mechanism tied to publish credentials. If publish tokens are found on a compromised system — either in environment variables or in the ~/.npmrc configuration file — the malicious script identifies which packages the token can publish, injects its payload into those packages, and republishes them to npm with an increased version number.

StepSecurity framed the campaign bluntly: the malware "is a supply-chain worm" that can "inject 'itself into every package that token can publish, propagating the compromise further.'" The team additionally observed that the adversary applies a similar method against Python packages when PyPI credentials are present, using a .pth-based payload; that behavior makes this a multi-ecosystem attack rather than a threat confined to npm alone.

Timing, similarities to prior campaigns, and attribution limits

StepSecurity reports that the malicious versions of pgserve were first published on April 21 at 22:14 UTC, with two additional malicious releases following on the same day. Socket noted that the techniques used for credential theft, data exfiltration, and self-propagation were similar to TeamPCP’s CanisterWorm attacks, but said available evidence "could not lead to confident attribution." In short: toolset and behavior parallels exist, but a firm attribution decision was not claimed.

Immediate steps researchers recommend to defenders

Socket and StepSecurity published indicators of compromise and actionable mitigation steps. Researchers advise treating all listed package versions as malicious and immediately removing them from developer environments and CI/CD pipelines. They recommend rotating all potentially exposed credentials and secret data, and searching internal package mirrors, artifacts, and caches for additional infections.

Socket additionally suggests auditing for related packages that share the same public.pem file, the same webhook host, or the same postinstall pattern — artifacts that can reveal linked or cloned infections. Both vendors have released IOCs to help identify compromised development environments and to limit further spread.

The campaign combines targeted exfiltration of high-value developer secrets with a worm-like publish-and-republish mechanism tied to real publishing tokens and configuration files. For teams that host or consume npm and PyPI packages linked to Namastex or the listed modules, the immediate tasks are clear: remove suspect versions, rotate exposed secrets, and apply the published indicators of compromise to hunt for lateral propagation and internal caches that may enable recursive reinfection.

https://www.bleepingcomputer.com/news/security/new-npm-supply-chain-attack-self-spreads-to-steal-auth-tokens/