Back to threat alerts

npm Supply-Chain Worm Attack

A sophisticated, self-propagating supply-chain worm has been identified within the Node Package Manager (npm) ecosystem. Initially spotted on 21 April 2026, the attack targets high-value endpoints, including AI agent tooling and database operations. Threat actors compromised multiple packages linked to Namastex Labs, most notably the embedded PostgreSQL server utility, pgserve. The malware behaves as a highly aggressive infostealer, harvesting developer credentials, browser data, cloud service keys, and cryptocurrency wallets. Crucially, the attack leverages a worm-like mechanism to recursively spread across both the npm and PyPI ecosystems using stolen publish tokens. To ensure persistence and evade law enforcement takedowns, the attackers exfiltrate stolen data to a decentralised Internet Computer Protocol blockchain canister.

Threat alert
April 23, 2026

The attack is executed via a malicious postinstall script (CommonJS JavaScript file named scripts/check-env.js) that runs automatically when a victim executes a npm install command. The attackers intentionally silence the hook by appending || true to the execution command, ensuring the installation appears successful even if the malware fails, thereby masking its activity.

Upon execution, the malware initiates several operations:

  • Credential Harvesting: The script scans environment variables against over 40 regular expression patterns to steal tokens, passwords, and cloud credentials.
  • Filesystem Secret Collection: It systematically reads sensitive files from the developer's home directory, including SSH keys, .npmrc, cloud credentials, browser password databases, and various cryptocurrency wallet files.
  • Payload Encryption: Before transmission, the stolen data is secured using a hybrid encryption scheme. The payload is encrypted with a random AES-256-CBC session key, which is subsequently encrypted using an attacker-controlled RSA-4096 public key bundled in the package.
  • Dual-Channel Exfiltration: The encrypted payload is transmitted to a primary, decentralised ICP canister, which is immune to traditional domain seizures. A secondary webhook is utilised if specific environment variables are met.
  • Worm Propagation: The malware searches for npm publish tokens on the compromised machine. If found, it enumerates the packages the victim has access to, injects its malicious payload, increments the patch version, and automatically republishes the infected packages. If PyPI credentials are stolen, the malware executes a cross-ecosystem spread by injecting a .pth file payload into Python environments.
Vulnerable Versions:

Researchers have identified the following packages and versions as actively compromised in this campaign. Developers should treat these releases as highly malicious:

  • pgserve (Versions: 1.1.11, 1.1.12, 1.1.13)
  • @automagik/genie (Versions: 4.260421.33 through 4.260421.39)
  • @fairwords/websocket (Versions: 1.0.38, 1.0.39)
  • @fairwords/loopback-connector-es (Versions: 1.4.3, 1.4.4)
  • @openwebconcept/theme-owc (Version: 1.0.3)
  • @openwebconcept/design-tokens (Version: 1.0.3)
Mitigations:

If any of the vulnerable package versions are detected within your environment, immediate incident response procedures should be initiated:

  • Eradication: Immediately remove the affected packages from all development machines, build servers, and CI/CD pipelines. Purge internal package mirrors, caches, and artifacts.
  • Secret Rotation: Treat the environment as fully compromised. Immediately revoke and rotate all potentially exposed secrets. This includes npm publish tokens, PyPI credentials, SSH keys, cloud provider access keys, database credentials, and any secrets stored in environment variables.
  • Network Blocking: Add the known Indicators of Compromise to your network firewalls and global blocklists. Ensure that traffic to cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0.io and telemetry.api-monitor.com is actively blocked.
  • Wallet Security: If the malware was executed on a personal or workstation machine containing cryptocurrency wallets, those assets should be moved to a newly generated, secure wallet immediately.
Recommendations:

To safeguard against future supply-chain attacks of this nature, organisations should implement the following proactive defence measures:

  • Implement Egress Filtering: Restrict outbound network access for CI/CD runners and build environments. Tools that provide runtime validation and eBPF-based network monitoring can block unauthorised exfiltration attempts even during the dependency installation phase.
  • Audit Install Scripts: Utilise automated package analysis tools to inspect dependencies for suspicious pre- and post-install scripts, obfuscated payloads, and anomalous version bumps.
  • Enforce Least Privilege for Tokens: Ensure that npm, PyPI, and cloud access tokens are strictly scoped. Use granular, short-lived tokens rather than long-term credentials, and never store critical secrets in plain text within easily accessible configuration files like ~/.npmrc.
  • Hunt for Shared Artifacts: Proactively audit internal codebases and dependencies for associated IoC patterns, such as the presence of a scripts/public.pem file, unexpected scripts/check-env.cjs files, or the specific post-install command modifications.