"In this newly discovered npm incident, the malware uses the same core adversarial methods: install-time execution, credential theft from developer environments, off-host exfiltration, canister-backed infrastructure, and self-propagation logic intended to compromise additional packages," Socket wrote.
Namastex Labs-linked npm packages under active compromise
Application security vendors Socket and StepSecurity report a self-propagating CanisterWorm-style malware strain has infected multiple npm packages tied to Namastex Labs, an agentic AI company. The campaign appears focused on specialized developer workflows rather than broad consumer npm usage. Security shops identified the following compromised packages and version ranges:
- @automagik/genie@4.260421.33 through 4.260421.39
- pgserve@1.1.11 through 1.1.13
- @fairwords/websocket@1.0.38 and 1.0.39
- @fairwords/loopback-connector-es@1.4.3 and 1.4.4
- @openwebconcept/design-tokens@1.0.3
- @openwebconcept/theme-owc@1.0.3
Socket and StepSecurity caution additional malicious versions were still being published and identified, and that the full scope of the supply chain attack remains under investigation.
Canister-backed exfiltration: the hardcoded canister ID
The malware exfiltrates stolen data to two endpoints: a conventional webhook and an Internet Computer Protocol (ICP) canister endpoint. Socket observed the payload using a hardcoded canister ID: cjn37-uyaaa-aaaac-qgnva-cai. Researchers likened the technique to earlier "CanisterWorm" infections that used ICP canisters both to deliver additional payloads and to move stolen data off-host.
Payload behavior and the TeamPCP/LiteLLM reference
Socket noted "strong overlap" in techniques, tradecraft, and code lineage between this Namastex-linked campaign and earlier CanisterWorm infections attributed to TeamPCP, but stopped short of an explicit attribution. The malware's payload even contains an explicit code reference to a "TeamPCP/LiteLLM method" for .pth file injection.
Functionally, the malware collects a broad set of secrets and credentials: tokens, credentials, API and SSH keys, and other secrets related to cloud services, CI/CD systems, registries, Kubernetes and Docker configurations, and LLM platforms. It also attempts to harvest browser extension data associated with MetaMask and Phantom, and local cryptocurrency wallet files including Solana, Ethereum, Bitcoin, Exodus, and Atomic Wallet data.
Self-propagation: turning one developer environment into many
Beyond credential theft, the strain contains explicit self-propagation logic. It attempts to extract npm tokens from infected developer machines, identify packages the victim is permitted to publish, inject a new payload into those packages, and republish them in a malicious form. Socket warned: "In other words, this is not just a credential stealer. It is designed to turn one compromised developer environment into additional package compromises."
StepSecurity reported the initial pgserve malicious releases were published on April 21 at 22:14 UTC, followed by two additional malicious releases of the same package later that day. Socket added that if the malware finds PyPI credentials on a victim system, it uses a similar self-propagation method to upload malicious Python packages.
What this means for developers, open-source maintainers, and enterprise teams
Developers: The campaign is engineered to exploit developer privileges: published npm tokens and publish-capable accounts are a direct vector for propagation. Developers with publishing rights should watch for unexpected package updates and unusual publish activity, and take care with local environments where tokens and credentials are stored.
Open-source maintainers: Maintainers of the listed packages and similarly scoped tooling must assume additional malicious versions could appear as security shops continue to identify new releases. The vendors' reporting indicates the attack aims to infect maintainers' workflows so that malicious code can spread via otherwise trusted packages.
Enterprise security and procurement teams: Because the malware targets CI/CD, registries, Kubernetes/Docker configurations and LLM platforms, the incident highlights the cross-cutting risk of developer environment compromises cascading into production and cloud assets. The use of both webhook and ICP canister exfiltration channels suggests defenders must account for nontraditional data egress paths.
The immediate facts are stark: multiple npm packages tied to Namastex Labs have been published with worm-capable malware; the payload references a "TeamPCP/LiteLLM method"; a hardcoded ICP canister (cjn37-uyaaa-aaaac-qgnva-cai) is being used as an exfiltration endpoint; and security vendors warn the attacker intends to turn a single compromised developer environment into a distribution mechanism for additional malicious packages. The full scope is still unfolding as new malicious versions are published and identified.




