Two packages belonging to Namastex Labs were reportedly compromised in an ongoing npm supply chain attack dubbed “CanisterWorm,” believed to be tied to the TeamPCP threat actor, Socket reported Wednesday.

The packages @automagik/genie versions 4.260421.33 through 4.260421.39 and pgserve versions 1.1.11, 1.1.12 and 1.1.13 were found to be injected with scripts consistent with the CanisterWorm campaign first identified by Socket researchers last month.

Namastex’s Automagik Genie is a command line interface (CLI) for using AI coding agents to create pull requests and pgserve is an embedded PostgreSQL server; the packages had about 8,000 weekly downloads combined as of April 21, 2026, according to Socket’s dashboards.

The malicious postinstall script observed in this compromise works to harvest secrets from the victim’s environment by searching environment variables for names associated with tokens, credentials, cloud providers, CI/CD systems, registries, LLM platforms and other secrets, the Socket Research Team said.

It also targets sensitive local system files including .npmrc, .git-credentials, .netrc, .env files, database password files, and files storing SSH keys and cloud credentials, as well as artifacts from browsers and cryptocurrency wallets such as Chrome login storage and data from crypto-wallet extensions.

The collected data is exfiltrated to an HTTPS webhook as well as an Internet Computer Protocol (ICP) canister that serves as a “dead-drop” command and control (C2) channel, Socket said.

The worm then attempts to self-propagate by identifying and installing npm packages the victim can publish, injecting them with the malicious script and republishing them using the victim’s stolen npm credentials.

Additionally, the script attempts to spread the attack to the Python Package Index (PyPI) when the necessary credentials are available, preparing and uploading malicious .pth-based payloads via Twine.

"This newest supply chain threat in the npm ecosystem demonstrates that a lot of the time, the issue isn't an organization's code, but their credentials. Long-lived, over-permissioned CI/CD tokens are as risky as passwords written on a sticky note," Dan Moore, senior director of CIAM strategy at FusionAuth, said in an email to SC Media. "Organizations need to have more than credentials for software systems. In order to maintain identity hygiene, organizations should rotate, scope, and continually monitor credentials."

While the ICP canister used in the Namastex attack is not the same canister seen in previous CanisterWorm attacks, Socket assessed it is likely part of the same campaign based on the pattern of broad credential theft, use of both a webhook and ICP canister for off-host exfiltration and cross-ecosystem targeting of both npm and PyPI.

The CanisterWorm campaign, first reported on March 20, 2026, affected 141 packages between March 20 and 23, according to Socket’s research. The attack wave affecting Namastex, which Socket now tracks as “CanisterSprawl,” has affected a total of 22 packages since April 8, the company reports.

Wiz Research has stated that TeamPCP, the threat actor behind a recent supply chain attack affecting Aqua Security’s Trivy vulnerability scanner and the popular AI middleware LiteLLM, was also behind the CanisterWorm campaign. Socket describes the campaign as a “TeamPCP-style” attack.

The attack also comes after another self-propagating supply chain worm, Shai-Hulud, emerged targeting the npm and GitHub open-source ecosystems last year, with attacks continuing throughout 2026.
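
A way to check a project for the affected releases named above, written for this article as an added example (it is not code from Socket, Namastex or SC Media). The function name `findAffected` and the sample lockfile are constructed for illustration; the package names and version ranges are the ones reported in the article, and the input is assumed to be a parsed package-lock.json.

```javascript
// Affected versions as listed in the article above (per Socket's report).
const AFFECTED = new Map([
  ["@automagik/genie", (v) => {
    const m = /^4\.260421\.(\d+)$/.exec(v);
    return m !== null && Number(m[1]) >= 33 && Number(m[1]) <= 39;
  }],
  ["pgserve", (v) => ["1.1.11", "1.1.12", "1.1.13"].includes(v)],
]);

// Hypothetical helper: returns [{ name, version, path }] for each affected install in a parsed lockfile.
function findAffected(lock) {
  const hits = [];
  const check = (name, version, path) => {
    const isAffected = AFFECTED.get(name);
    if (isAffected && typeof version === "string" && isAffected(version)) hits.push({ name, version, path });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ("" is the root project).
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue;
      const i = path.lastIndexOf("node_modules/");
      const name = entry.name || (i < 0 ? path : path.slice(i + "node_modules/".length));
      check(name, entry.version, path);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree, so recurse to catch transitive installs.
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        check(name, entry.version, path);
        walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (not real project data).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@automagik/genie": { version: "4.260421.35" },
    "node_modules/pgserve": { version: "1.1.10" },
    "node_modules/tool/node_modules/pgserve": { version: "1.1.12" },
  },
};
for (const h of findAffected(SAMPLE_LOCK)) console.log(`${h.name}@${h.version} at ${h.path}`);
```

A hit in a lockfile means the release was resolved for that project, including as a transitive dependency; whether its postinstall script ran depends on how the install was performed on each machine or CI runner.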
Supply chain, DevOps, Threat Intelligence, Malware, Identity, AI/ML, Application security

Namastex npm packages compromised in ‘CanisterWorm’ supply chain attack





