Overview
- Socket and StepSecurity disclosed a self-propagating attack in multiple npm packages linked to Namastex Labs.
- The malware runs during install using a postinstall script that sweeps developer machines for secrets, then uses found npm tokens to push new poisoned versions.
- Known hits include @automagik/genie 4.260421.33 through 4.260421.40, pgserve 1.1.11 through 1.1.14, and several @fairwords and @openwebconcept releases published from compromised accounts.
- Stolen data flows to an HTTPS webhook at telemetry.api-monitor[.]com and to an Internet Computer canister at cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0[.]io, and the code can also spread to PyPI using a .pth payload and Twine if Python credentials are present.
- Researchers urge developers to remove the listed versions and rotate all keys, noting overlap with March CanisterWorm tradecraft and a disputed 'teampcp' marker as the broader wave of registry and CI/CD abuse continues.
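To act on the removal advice above, a defender first needs to know whether any of the listed versions are pinned in a project. The script below is an added example, not code from Socket, StepSecurity or the affected projects: it checks a package-lock.json (lockfileVersion 2 or 3) against the version ranges named in this summary and also reports whether the lockfile marks the entry as carrying an install script (the `hasInstallScript` field npm writes for packages with preinstall/postinstall hooks). The @fairwords and @openwebconcept versions are not enumerated on this page, so they are left as a placeholder to fill in; the sample lockfile is constructed.

```python
"""Scan a package-lock.json for npm versions named in the advisory above."""
import json
import sys

# Inclusive version ranges from the summary. Placeholder: add the exact
# @fairwords / @openwebconcept versions from the vendor advisories when known.
AFFECTED = {
    "@automagik/genie": [("4.260421.33", "4.260421.40")],
    "pgserve": [("1.1.11", "1.1.14")],
}

SAMPLE_LOCK = {  # constructed lockfile for demonstration, not a real project
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@automagik/genie": {"version": "4.260421.37", "hasInstallScript": True},
        "node_modules/pgserve": {"version": "1.1.10"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}

def _key(version):
    """Dotted numeric version -> tuple of ints; None if not plain numeric."""
    try:
        return tuple(int(p) for p in version.split("-")[0].split("."))
    except ValueError:
        return None

def is_affected(name, version):
    """True if (name, version) falls inside one of the advisory's ranges."""
    k = _key(version)
    if k is None:
        return False
    return any(_key(lo) <= k <= _key(hi) for lo, hi in AFFECTED.get(name, []))

def scan_lock(lock):
    """Return [(name, version, has_install_script)] for affected lock entries."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        # Nested installs look like node_modules/a/node_modules/b; keep the last name.
        name = meta.get("name") or path.split("node_modules/")[-1]
        if is_affected(name, meta.get("version", "")):
            hits.append((name, meta["version"], bool(meta.get("hasInstallScript"))))
    return hits

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, version, script in scan_lock(lock):
        print(f"AFFECTED {name}@{version} install-script={script}")
```

A hit means the listed version is pinned; the install-script flag tells you whether a plain `npm ci` on that tree would have executed the package's postinstall hook, which decides whether credential rotation is needed for that machine.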