New npm supply-chain attack self-spreads to steal auth tokens
Self-propagating npm supply chain attack steals developer credentials and spreads to compromised packages.
Summary
A worm-like supply chain attack targeting npm packages steals authentication tokens, API keys, SSH credentials, and cryptocurrency wallet data from developer environments. The malware self-propagates by identifying npm publish tokens and injecting malicious code into all packages a victim can publish, with similar techniques extending to PyPI packages. At least 16 packages from Namastex Labs were compromised, with the attack first observed on April 21, 2026.
Full text
By Bill Toulas April 22, 2026 08:57 AM

A new supply chain attack targeting the Node Package Manager (npm) ecosystem is stealing developer credentials and attempting to spread through packages published from compromised accounts.

The threat was spotted by researchers at application security companies Socket and StepSecurity in multiple packages from Namastex Labs, a company that provides AI-based agentic solutions designed to improve profitability.

Socket noted that the techniques used for credential theft, data exfiltration, and self-propagation were similar to TeamPCP’s CanisterWorm attacks, but available evidence could not lead to confident attribution.

At publishing time, Socket lists a set of 16 Namastex packages already compromised in the new supply-chain attack:

- @automagik/genie (4.260421.33-4.260421.39)
- pgserve (1.1.11-1.1.13)
- @fairwords/websocket (1.0.38-1.0.39)
- @fairwords/loopback-connector-es (1.4.3-1.4.4)
- @openwebconcept/theme-owc@1.0.3
- @openwebconcept/design-tokens@1.0.3

These packages are used in AI agent tooling and database operations, so the attack targets high-value endpoints rather than aiming for high-volume infections. However, due to its worm-like function, its spread can expand quickly if conditions are met.

The researchers found that the injected malicious code collects sensitive data associated with various secrets, such as tokens, API keys, SSH keys, credentials for cloud services, CI/CD systems, registries, and LLM platforms, and Kubernetes/Docker configs. Additionally, it attempts to extract sensitive data stored in Chrome and Firefox, including cryptocurrency wallets such as MetaMask, Exodus, Atomic Wallet, and Phantom.

StepSecurity says that the malware "is a supply-chain worm" that can find tokens for publishing on npm and inject "itself into every package that token can publish, propagating the compromise further."

According to StepSecurity, the malicious versions for pgserve were first published on April 21, at 22:14 UTC, with another two malicious releases following on the same day.

If publish tokens are found on the compromised system in environment variables or the ~/.npmrc configuration file, the malicious script identifies the packages that the victim can publish, adds the payload, and republishes them to npm with an increased version number. These newly infected packages execute the same process when installed, enabling recursive spread.

The researchers noted that, if PyPI credentials are found, it applies a similar method to Python packages using a .pth-based payload, making this a multi-ecosystem attack.

Developers should treat all listed package versions as malicious and remove them from systems and CI/CD pipelines immediately, then rotate all potentially exposed secrets. Both Socket and StepSecurity provide indicators of compromise to help defenders identify compromised development environments or defend them against this attack.

Recommended actions in environments where affected packages are found include removing them from development and CI/CD systems, rotating all credentials and secret data, and looking for internal package mirrors, artifacts, and caches. Socket also advises defenders to audit for related packages with the same public.pem file, the same webhook host, or the same postinstall pattern.
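
As an added example (not code from the article, Socket or StepSecurity), this Node.js script checks a parsed package-lock.json against the six package versions listed above. The names findAffected and cmp and the sample lockfile are constructed for illustration; it assumes a lockfileVersion 2 or 3 file with a "packages" map.

```javascript
// Added example. Affected versions are copied from the article's list
// (the six packages it names; each entry is [first, last], inclusive).
const AFFECTED = new Map([
  ["@automagik/genie", ["4.260421.33", "4.260421.39"]],
  ["pgserve", ["1.1.11", "1.1.13"]],
  ["@fairwords/websocket", ["1.0.38", "1.0.39"]],
  ["@fairwords/loopback-connector-es", ["1.4.3", "1.4.4"]],
  ["@openwebconcept/theme-owc", ["1.0.3", "1.0.3"]],
  ["@openwebconcept/design-tokens", ["1.0.3", "1.0.3"]],
]);

// Compare dotted numeric versions; returns <0, 0 or >0.
function cmp(a, b) {
  const x = a.split(".").map(Number), y = b.split(".").map(Number);
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    const d = (x[i] || 0) - (y[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// lock: parsed package-lock.json. Returns every entry in an affected range.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/@scope/b"; keep the last name.
    const name = path.split("node_modules/").pop();
    const range = AFFECTED.get(name);
    if (!range || !meta.version) continue;
    // Strip prerelease/build suffixes, so such versions are flagged conservatively.
    const v = meta.version.split(/[-+]/)[0];
    if (cmp(v, range[0]) >= 0 && cmp(v, range[1]) <= 0) {
      hits.push({ path, name, version: meta.version,
                  hasInstallScript: Boolean(meta.hasInstallScript) });
    }
  }
  return hits;
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/pgserve": { version: "1.1.12", hasInstallScript: true },
    "node_modules/@fairwords/websocket": { version: "1.0.37" },
    "node_modules/x/node_modules/@openwebconcept/theme-owc": { version: "1.0.3" },
  },
};
console.log(findAffected(sampleLock));
```

To scan a real project, pass it JSON.parse of the project's package-lock.json; a hit means the remediation steps above apply to that environment.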
Indicators of Compromise
- malware — CanisterWorm
- malware — npm supply-chain worm