Particle.news

Self-Spreading npm Worm Steals Developer Tokens to Push Malicious Releases

Researchers warn the worm turns stolen publish tokens into fresh releases across npm and PyPI.

Overview

  • Socket and StepSecurity, which disclosed the campaign Wednesday, report a self-propagating supply chain attack that spreads through compromised npm publish tokens.
  • The malware runs at install time via a postinstall script, raids local files and browser profiles for secrets, and then uses any npm or PyPI publish credentials it finds to push booby-trapped versions of the packages those credentials can publish.
  • Stolen data flows to a webhook at telemetry.api-monitor[.]com and to an ICP canister at cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0[.]io, a tactic that mirrors recent CanisterWorm tradecraft, though the researchers stop short of a firm attribution.
  • Impacted Namastex-linked packages include @automagik/genie 4.260421.33–4.260421.40, pgserve 1.1.11–1.1.14, @fairwords/websocket 1.0.38–1.0.39, @fairwords/loopback-connector-es 1.4.3–1.4.4, and @openwebconcept/design-tokens and theme-owc up to 1.0.3.
  • The researchers have published indicators of compromise and urge developers to remove the affected versions, rotate npm and PyPI tokens, and audit CI systems, since new malicious releases continue to surface as the worm spreads.
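A practical first check for the "remove affected versions" step is to scan a project's lockfile for the versions listed above and, because this worm runs from a postinstall hook, to list every dependency that declares an install script. The script below is an added example, not code from Socket, StepSecurity, or any of the affected projects. It assumes an npm lockfile of version 2 or 3 (the format with a top-level "packages" map, where npm records hasInstallScript for packages with preinstall/install/postinstall hooks). The version list is copied from the advisory as reported above; "up to 1.0.3" gives no lower bound, so those two entries match any version at or below 1.0.3, and "theme-owc" is matched exactly as printed because the article does not say whether it is scoped. The sample lockfile embedded at the end is constructed for a stand-alone run.

```javascript
// Added example (not code from Socket, StepSecurity or any affected project):
// scan an npm lockfile (lockfileVersion 2 or 3, which carries a "packages"
// map) for the versions the advisory lists, and flag every dependency that
// declares an install script, since that is where this worm runs.

// Versions taken from the advisory as reported above. "up to 1.0.3" gives
// no lower bound, so min is null there. "theme-owc" is matched as printed;
// the article does not say whether it is a scoped package.
const AFFECTED = [
  { name: '@automagik/genie', min: '4.260421.33', max: '4.260421.40' },
  { name: 'pgserve', min: '1.1.11', max: '1.1.14' },
  { name: '@fairwords/websocket', min: '1.0.38', max: '1.0.39' },
  { name: '@fairwords/loopback-connector-es', min: '1.4.3', max: '1.4.4' },
  { name: '@openwebconcept/design-tokens', min: null, max: '1.0.3' },
  { name: 'theme-owc', min: null, max: '1.0.3' },
];

// Numeric core of a version ("1.2.3-beta+build" -> [1, 2, 3]); prerelease
// and build metadata are ignored, which is the conservative choice for a blocklist.
function parseVersion(v) {
  return v.split('+')[0].split('-')[0].split('.').map(Number);
}

// Compare two version strings numerically, component by component.
// A lexical compare would rank 4.260421.9 above 4.260421.33, so we avoid one.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Inclusive range test; min === null means "any version up to max".
function inRange(version, min, max) {
  return (min === null || compareVersions(version, min) >= 0) &&
         compareVersions(version, max) <= 0;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(p) {
  const marker = 'node_modules/';
  const idx = p.lastIndexOf(marker);
  return idx === -1 ? p : p.slice(idx + marker.length);
}

// Returns one finding per (package, reason). An entry yields two findings
// when a listed version also declares an install script.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const name = entry.name || packageNameFromPath(path); // "name" is set for aliased deps
    const version = entry.version || '';
    for (const a of AFFECTED) {
      if (a.name === name && version && inRange(version, a.min, a.max)) {
        findings.push({ path, name, version, reason: 'advisory-listed version' });
      }
    }
    // npm writes hasInstallScript when the package has preinstall/install/postinstall.
    if (entry.hasInstallScript) {
      findings.push({ path, name, version, reason: 'declares install script' });
    }
  }
  return findings;
}

// Constructed sample lockfile for a stand-alone run; not a real project.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '0.0.1' },
    'node_modules/pgserve': { version: '1.1.12', hasInstallScript: true },
    'node_modules/@fairwords/websocket': { version: '1.0.37' },
    'node_modules/@openwebconcept/design-tokens': { version: '1.0.3' },
    'node_modules/example-util': { version: '2.4.0' },
    'node_modules/example-native-addon': { version: '0.9.1', hasInstallScript: true },
  },
};

// Usage: node scan-lockfile.js [path/to/package-lock.json]
// With no argument the constructed sample above is scanned.
if (typeof require !== 'undefined' && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCKFILE;
  for (const f of scanLockfile(lock)) {
    console.log(`${f.reason}: ${f.name}@${f.version} (${f.path})`);
  }
}
```

The install-script list will include legitimate native addons, so it is a review queue rather than a verdict; the point is that a package you did not expect to run code at install time deserves a look before the next `npm install`. A clean lockfile scan does not remove the need to rotate tokens: a developer machine that already ran one of the listed versions has had its npm and PyPI credentials exposed regardless of what the lockfile says now.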