Developers fired off npm install commands this week, unaware they were unleashing a self-replicating beast. Malicious versions of packages tied to Namastex Labs swept through workflows, harvesting secrets and hijacking publish tokens to poison more code. Socket researchers dubbed it CanisterSprawl, spotting the worm’s reliance on an Internet Computer Protocol canister for exfiltration—cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0.io/drop—a tactic echoing TeamPCP’s prior campaigns but with a fresh canister ID. Socket.dev first flagged the intrusion on April 22, 2026, linking it to packages like @automagik/genie from versions 4.260421.33 to 4.260421.39.
And it didn’t stop there. pgserve, an embedded PostgreSQL tool for Node.js dev setups, saw its versions 1.1.11 through 1.1.13 go rogue on April 21 at 22:14 UTC, with two more drops that day. No Git tags matched those releases—the last clean one sat at v1.1.10 from April 17. StepSecurity’s AI Package Analyst nailed them as critical, spotting postinstall hooks that masked a 1,143-line credential thief. StepSecurity ran it in a sandboxed GitHub Actions runner; the script snagged 38 env vars and fired off 4.4KB of encrypted payload to the canister, returning a smug {"success":true,"id":10,"size":4468}.
Short punch: This malware doesn’t just steal. It spreads. Picture this: postinstall fires on install. It scans env vars for patterns like /TOKEN/i, /AWS_/i, /NPM_/i—grabs 40-odd matches. Then it rifles through ~/.npmrc, SSH keys, AWS creds, K8s configs, even Chrome’s login DB and MetaMask extensions. Crypto wallets? Solana keypairs, Ethereum keystores, Exodus files—all slurped up. Data gets AES-256-CBC wrapped, session key RSA-4096 sealed with a bundled public.pem (SHA-256 fingerprint: 87259b0d1d017ad8b8daa7c177c2d9f0940e457f8dd1ab3abab3681e433ca88e), then POSTed to telemetry.api-monitor.com/v1/telemetry and that unkillable ICP canister.
But the real horror unfolds next. It hunts npm tokens in process.env.NPM_TOKEN or ~/.npmrc. Finds one? Enumerates your publishable packages, downloads tarballs, injects the same check-env.cjs and public.pem into scripts/, bumps the patch version, slaps in "postinstall": "node scripts/check-env.cjs || true"—that || true hides failures—and npm publishes. Boom. Your packages are now worm carriers. PyPI creds present? It crafts a .pth injector—'TeamPCP/LiteLLM method,' the code brags—for Python startup execution, then Twines up malicious PyPI drops. One dev machine compromised; dozens follow. “In other words, this is not just a credential stealer,” Socket.dev warned. “It is designed to turn one compromised developer environment into additional package compromises.”
Namastex Labs packages bore the brunt. @fairwords/websocket at 1.0.38-1.0.39, @fairwords/loopback-connector-es at 1.4.3-1.4.4, @openwebconcept/design-tokens and theme-owc at 1.0.3. These hit AI agent tools, WebSocket integrations, Elasticsearch connectors, design systems—niche but trusted in dev pipelines. Weekly downloads? @automagik/genie clocked 6,744; pgserve around 1,300. Low volume, high impact: targets like these burrow into CI/CD, cloud setups, LLM platforms. The Register tied it to Namastex’s agentic AI pitch, noting overlaps with TeamPCP’s Trivy hit last month.
StepSecurity dissected pgserve’s diffs: two new files versus clean 1.1.10—scripts/check-env.js and public.pem. The hook? Obfuscation-free Node.js: https.request, fs.readFileSync, crypto.publicEncrypt. No eval, no atob. Behavioral red flags only: a postinstall script reading creds and phoning home. Their Harden Runner caught live exfil; canister confirmed receipt. StepSecurity called it a supply-chain worm outright, propagating via token abuse.
The Hacker News connected dots to broader chaos. CanisterSprawl apes TeamPCP’s CanisterWorm, but xinference’s 2.6.0-2.6.2 payload screamed ‘# hacked by teampcp’—disputed by the actor. Asurion fakes (sbxapps et al.) ran April 1-8, multi-stage harvesters to Slack then XOR’d AWS gateways. Kube-health-tools faked K8s utils, dropped Go binaries for SOCKS5, LLM proxies. prt-scan abused GitHub Actions pull_request_target for npm poisons. npm’s under siege; Socket tracks 16+ Namastex poisons alone.
BleepingComputer echoed the call: treat these as toxic. Socket and StepSecurity advise yanking from CI/CD, rotating all—npm tokens, GitHub, AWS, SSH, the works. Audit publish histories for ghost releases. Hunt caches, mirrors, repos for IOCs: dist/env-compat.cjs hash c19c4574d09e60636425f9555d3b63e8cb5c9d63ceb1c982c35e5a310c97a839; public.pem 834b6e5db5710b9308d0598978a0148a9dc832361f1fa0b7ad4343dcceba2812; strings like 'pkg-telemetry' and 'pypi-pth-exfil'. npm config set ignore-scripts true buys time; Yarn’s npmMinimalAgeGate at 7 days snags smash-grabs.
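One way to run that hunt across a node_modules tree, a package cache or an unpacked tarball, as an added example that is not code from Socket, StepSecurity or this article's sources: it flags install hooks that call a check-env script, plus files matching the hashes, strings and exfiltration hosts quoted above. The function names and the file-extension filter are assumptions of this example.

```python
import hashlib
import json
import os
import re

# Indicators quoted in the article; nothing here comes from another source.
IOC_SHA256 = {
    "c19c4574d09e60636425f9555d3b63e8cb5c9d63ceb1c982c35e5a310c97a839",  # dist/env-compat.cjs
    "834b6e5db5710b9308d0598978a0148a9dc832361f1fa0b7ad4343dcceba2812",  # public.pem
}
IOC_STRINGS = (b"pkg-telemetry", b"pypi-pth-exfil",
               b"telemetry.api-monitor.com", b"cjn37-uyaaa-aaaac-qgnva-cai")
HOOK_RE = re.compile(r"check-env\.c?js")  # injected hook runs scripts/check-env.cjs
SCAN_EXT = (".js", ".cjs", ".mjs", ".pem", ".pth", ".py")  # assumption: tune as needed


def check_manifest(path):  # install-hook findings for one package.json
    try:
        with open(path, encoding="utf-8") as fh:
            scripts = json.load(fh)["scripts"]
        return [f"hook:{k}" for k in ("preinstall", "install", "postinstall")
                if HOOK_RE.search(str(scripts.get(k, "")))]
    except (OSError, ValueError, KeyError, TypeError, AttributeError):
        return []  # unreadable manifest or no scripts object


def check_file(path, bad_hashes):  # string and SHA-256 findings for one file
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return []  # broken symlink or unreadable file
    reasons = [f"string:{s.decode()}" for s in IOC_STRINGS if s in data]
    if hashlib.sha256(data).hexdigest() in bad_hashes:
        reasons.append("sha256")
    return reasons


def scan_tree(root, bad_hashes=IOC_SHA256):
    """Walk root (node_modules, a cache, an unpacked tarball); return sorted (path, reason) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == "package.json":
                findings += [(path, r) for r in check_manifest(path)]
            elif name.endswith(SCAN_EXT):
                findings += [(path, r) for r in check_file(path, bad_hashes)]
    return sorted(findings)
```

A hook or string hit is a lead for manual review rather than proof of compromise; a sha256 hit means the file matches one of the two file hashes listed above.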
Industry insiders see patterns. TeamPCP’s shadow looms—Trivy, LiteLLM, now this. But why Namastex? AI tooling draws secrets: LLM keys, agent creds. Devs chase velocity; attackers chase the same. One slip—stale token, weak MFA—and your pipeline’s a vector. Firms like Socket push tarball-vs-Git diffs; StepSecurity’s AI verdicts flag behavioral tells. Yet installs roll on. Rotation alone won’t cut it. Lock scripts, audit deps, mirror registries. The worm’s out; containment demands vigilance.


WebProNews is an iEntry Publication