Full Report
Plus, the payload references 'TeamPCP/LiteLLM method'
Yet another npm supply-chain attack is worming its way through compromised packages, stealing secrets and sensitive data as it moves through developers' environments, and it shares significant overlap with the open source infections attributed to TeamPCP last month.…
Analysis Summary
# Incident Report: Namastex-Linked "CanisterWorm" npm Supply Chain Attack
## Executive Summary
A self-propagating malware campaign, referred to as "CanisterWorm," has compromised multiple npm packages targeting specialized developer environments, specifically those involving agentic AI and cloud infrastructure. The malware functions as both a credential stealer and a worm, exfiltrating sensitive keys and automatically injecting malicious payloads into other packages accessible from the victim's environment. The attack shows significant technical overlap with previous campaigns attributed to the threat actor group "TeamPCP."
## Incident Details
- **Discovery Date:** April 22, 2026 (Approximate)
- **Incident Date:** April 21, 2026 (Initial malicious publications detected)
- **Affected Organization:** Namastex Labs (and other package maintainers)
- **Sector:** Technology / Artificial Intelligence / Open Source Software
- **Geography:** Global (Impacts any developer utilizing the affected npm packages)
## Timeline of Events
### Initial Access
- **Date/Time:** April 21, 2026, at 22:14 UTC.
- **Vector:** Compromised npm maintainer accounts.
- **Details:** Malicious versions of the `pgserve` package (v1.1.11 - 1.1.13) were published to the npm registry.
### Lateral Movement
- **Mechanism:** Self-propagation logic within the malware.
- **Details:** After infecting a developer machine, the malware searches for local `npm` and `PyPI` credentials. It identifies packages the developer has permission to publish, injects malicious code into them, and republishes them to high-trust registries to infect further downstream users.
### Data Exfiltration/Impact
- **Data Stolen:** Cloud service tokens, CI/CD credentials, SSH keys, Kubernetes/Docker configs, LLM platform keys, and browser-resident crypto wallets (MetaMask, Phantom).
- **Exfiltration Method:** Stolen data was sent to a conventional webhook and an Internet Computer Protocol (ICP) canister.
### Detection & Response
- **Detection:** Identified by security vendors Socket and StepSecurity through automated monitoring of the npm registry.
- **Response Actions:** Public disclosure and ongoing investigation to identify all compromised versions across the npm ecosystem.
## Attack Methodology
- **Initial Access:** Account takeover of package maintainers (Supply Chain Compromise).
- **Persistence:** Not explicitly specified, though the compromise of developer environments provides a foothold for long-term credential harvesting.
- **Privilege Escalation:** Not required; the malware inherits the permissions of the developer who installs the package.
- **Defense Evasion:** Use of ICP canisters (decentralized infrastructure) for C2 and data exfiltration to bypass traditional IP/domain blacklists.
- **Credential Access:** Harvesting `.npmrc`, `.pypirc`, SSH keys, and browser extension data (wallets).
- **Discovery:** Scanning the local file system for configuration files and identifying which registries/packages the victim has write access to.
- **Lateral Movement:** "Worm" behavior—automatic republishing of malicious code to npm and PyPI.
- **Collection:** Automated gathering of API keys and secret files.
- **Exfiltration:** Data sent to `cjn37-uyaaa-aaaac-qgnva-cai[.]ic0[.]app` (defanged) and webhooks.
- **Impact:** Compromise of downstream software supply chains and loss of sensitive intellectual property/financial assets.
## Impact Assessment
- **Financial:** Risk of direct theft from cryptocurrency wallets (Solana, Ethereum, Bitcoin, etc.).
- **Data Breach:** High-volume theft of secrets and API keys for critical infrastructure (K8s, Docker, Cloud).
- **Operational:** Disruption to AI development workflows and the necessity for massive credential rotations across multiple platforms.
- **Reputational:** Damage to Namastex Labs and other maintainers whose packages were used as vectors.
## Indicators of Compromise
- **Affected Packages:**
  - `pgserve` (1.1.11 - 1.1.13)
  - `@automagik/genie` (4.260421.33 - 4.260421.39)
  - `@fairwords/websocket` (1.0.38 - 1.0.39)
  - `@fairwords/loopback-connector-es` (1.4.3 - 1.4.4)
  - `@openwebconcept/design-tokens` (1.0.3)
  - `@openwebconcept/theme-owc` (1.0.3)
- **Infrastructure:**
  - ICP Canister ID: `cjn37-uyaaa-aaaac-qgnva-cai`
- **Behavioral:** Unexpected `npm publish` or `twine upload` (PyPI) actions occurring from developer machines.
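A lockfile check against the affected versions listed above, as an added example that is not part of the original report or of any vendor's tooling. It assumes an npm `package-lock.json` with `lockfileVersion` 2 or 3; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: ranges copied from this report; [first, last] affected version, inclusive.
const AFFECTED = new Map([
  ["pgserve", ["1.1.11", "1.1.13"]],
  ["@automagik/genie", ["4.260421.33", "4.260421.39"]],
  ["@fairwords/websocket", ["1.0.38", "1.0.39"]],
  ["@fairwords/loopback-connector-es", ["1.4.3", "1.4.4"]],
  ["@openwebconcept/design-tokens", ["1.0.3", "1.0.3"]],
  ["@openwebconcept/theme-owc", ["1.0.3", "1.0.3"]],
]);

// Compare dotted numeric versions; any "-pre" or "+build" suffix is ignored,
// so a suffixed build of a listed version is still flagged.
function cmpVersion(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function isAffected(name, version) {
  const r = AFFECTED.get(name);
  return !!r && cmpVersion(version, r[0]) >= 0 && cmpVersion(version, r[1]) <= 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json. Keys look
// like "node_modules/a/node_modules/@scope/b"; the package name is whatever
// follows the last "node_modules/", unless the entry carries its own "name".
function scanLockfile(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1 || typeof meta.version !== "string") continue; // root or link
    const name = meta.name || path.slice(idx + "node_modules/".length);
    if (isAffected(name, meta.version)) hits.push({ name, version: meta.version, path });
  }
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "0.1.0" },
  "node_modules/pgserve": { version: "1.1.12" },
  "node_modules/@automagik/genie": { version: "4.260421.32" },
  "node_modules/x/node_modules/@fairwords/websocket": { version: "1.0.39" },
} };
console.log(scanLockfile(sampleLock)); // flags pgserve and @fairwords/websocket
```

To scan a real project, pass the parsed contents of its `package-lock.json` to `scanLockfile`; a hit means the machine that ran the install should be treated as exposed and its credentials rotated, as described under Response Actions.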
## Response Actions
- **Containment:** Flagging and removal of malicious package versions from the npm registry.
- **Eradication:** Advising developers to rotate all credentials found on machines that installed the affected versions.
- **Recovery:** Restoring legitimate package versions and reinforcing account security for maintainers.
## Lessons Learned
- **Supply Chain Fragility:** Single compromised developer accounts can lead to a "viral" spread of malware across multiple unrelated projects.
- **Decentralized C2:** Threat actors are increasingly using blockchain/ICP infrastructure to host payloads and exfiltrate data, making traditional network filtering less effective.
- **Cross-Registry Risk:** Malware that infects npm but propagates to PyPI demonstrates the need for cross-platform security monitoring.
## Recommendations
- **Enforce MFA:** All package maintainers must use hardware-based Multi-Factor Authentication for registry accounts.
- **Secret Scanning:** Implement automated secret scanning to detect if leaked keys are being used in the wild.
- **Environment Isolation:** Use ephemeral environments or containers for development to prevent malware from accessing local `.ssh` or wallet files.
- **Dependency Pinning:** Use lockfiles and avoid "floating" version ranges that can automatically pull in malicious updates.