Full Report
A new supply chain attack targeting the Node Package Manager (npm) ecosystem is stealing developer credentials and attempting to spread through packages published from compromised accounts. [...]
Analysis Summary
# Incident Report: Namastex Labs Supply Chain Worm
## Executive Summary
A sophisticated supply-chain attack targeted the npm ecosystem using a "worm-like" propagation mechanism to steal developer credentials and API keys. The malware targets high-value AI and database packages, exfiltrating sensitive tokens and automatically injecting malicious code into other packages accessible by the victim's credentials to facilitate recursive spreading. The attack has expanded across ecosystems, notably targeting both npm and PyPI.
## Incident Details
- **Discovery Date:** April 21-22, 2026
- **Incident Date:** April 21, 2024 (Initial malicious publish noted at 22:14 UTC)
- **Affected Organization:** Namastex Labs, Automagik, Fairwords, OpenWebConcept
- **Sector:** Software Development / AI Agentic Solutions
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** April 21, 2026, 22:14 UTC
- **Vector:** Compromised developer credentials/tokens for Namastex Labs npm accounts.
- **Details:** Attackers gained unauthorized access to publish rights, releasing malicious versions of the `pgserve` package (v1.1.11–1.1.13) and several `@automagik` scoped packages.
### Lateral Movement
- **Mechanism:** The malware scans environment variables and `~/.npmrc` for npm publishing tokens.
- **Propagation:** If a token is found, the script identifies all packages the user has permission to publish, injects the malicious payload, increments the version number, and republishes them automatically.
- **Cross-Ecosystem:** The worm also attempts to identify PyPI credentials to infect Python packages using `.pth`-based payloads.
### Data Exfiltration/Impact
- **Data Targeted:** SSH keys, AWS/Cloud credentials, CI/CD secrets, LLM platform API keys, Kubernetes/Docker configs, and browser-stored data (Chrome/Firefox).
- **Financial impact:** Targeted theft of cryptocurrency wallets including MetaMask, Exodus, Atomic Wallet, and Phantom.
### Detection & Response
- **Detection:** Identified by researchers at Socket and StepSecurity through behavioral analysis of new package releases.
- **Response:** Security researchers published Lists of Compromised (LoC) packages; developers were advised to rotate all secrets and wipe affected environments.
## Attack Methodology
- **Initial Access:** Compromised npm publishing tokens.
- **Persistence:** Injected into legitimate package updates; resides in CI/CD pipelines and developer workstations.
- **Privilege Escalation:** Not applicable (uses existing rights of the compromised token).
- **Defense Evasion:** Incremental versioning of legitimate packages; targeting specific high-value AI tooling rather than mass-market packages.
- **Credential Access:** Harvesting from `~/.npmrc`, environment variables, and browser local storage.
- **Discovery:** Enumerating packages associated with discovered npm tokens.
- **Lateral Movement:** Self-propagating "worm" functionality via automated republishing.
- **Collection:** Automated scanning for `.ssh`, `.aws`, and browser profile folders.
- **Exfiltration:** Data sent to attacker-controlled webhooks.
- **Impact:** Complete compromise of developer identity and supply chain integrity.
## Impact Assessment
- **Financial:** High potential risk due to targeted theft of cryptocurrency wallets.
- **Data Breach:** Massive; includes full CI/CD access, cloud infrastructure keys, and proprietary LLM API access.
- **Operational:** Disruption to CI/CD pipelines and requirement for full secret rotation across multiple organizations.
- **Reputational:** High; compromise of "agentic AI" solutions which require high levels of trust.
## Indicators of Compromise
- **Host Indicators:**
  - Presence of `public.pem` file within npm package directories.
  - Modified `postinstall` scripts in `package.json`.
  - Unusual `.pth` files in Python environment directories.
- **Network Indicators:**
  - Outbound traffic to suspicious webhook hosts (e.g., `hxxps[://]webhook[.]site/[redacted]`).
- **Affected Packages (Partial List):**
  - `pgserve` (1.1.11–1.1.13)
  - `@automagik/genie` (4.260421.33–4.260421.39)
  - `@fairwords/websocket` (1.0.38–1.0.39)
## Response Actions
- **Containment:** Removal of affected package versions from the npm registry (ongoing).
- **Eradication:** Developers urged to delete local `node_modules`, clear npm caches, and audit internal package mirrors.
- **Recovery:** Mandatory rotation of all SSH keys, API tokens, and cloud credentials found on any machine where the packages were installed.
## Lessons Learned
- **Token Over-Permissioning:** Publishing tokens often have broader scopes than necessary, allowing the worm to infect multiple unrelated packages.
- **Lack of Multi-Factor:** The reliance on static tokens in `~/.npmrc` or CI/CD env vars remains a critical single point of failure in the supply chain.
- **Cross-Platform Risk:** Attackers are increasingly leveraging "polyglot" malware that targets both JavaScript and Python ecosystems simultaneously.
## Recommendations
- **Use Granular Tokens:** Implement npm "Granular Access Tokens" limited to specific packages.
- **CI/CD Security:** Use OpenID Connect (OIDC) for publishing from CI/CD providers (like GitHub Actions) to npm/PyPI instead of long-lived secrets.
- **Secret Scanning:** Implement real-time monitoring of developer workstations for unencrypted sensitive files.
- **Environment Isolation:** Use ephemeral, sandboxed environments for testing new or third-party packages before integration.