Security News

Cybersecurity news aggregator

HIGH Attacks SC Media

Namastex npm packages compromised in ‘CanisterWorm’ supply chain attack

The 'CanisterWorm' supply chain attack compromised specific npm packages (`@automagik/genie` versions 4.260421.33 through 4.260421.39 and `pgserve` versions 1.1.11, 1.1.12, and 1.1.13) with a malicious postinstall script that harvests credentials and sensitive files, exfiltrates them via HTTPS and ICP canisters, and self-propagates by republishing other packages using stolen credentials. The attack also attempts to spread to PyPI when credentials are available. The article emphasizes the risk of over-permissioned, long-lived credentials and recommends credential rotation and scoping as critical defenses.

April 23, 2026

By Laura French

Two packages belonging to Namastex Labs were reportedly compromised in an ongoing npm supply chain attack dubbed “CanisterWorm,” believed to be tied to the TeamPCP threat actor, Socket reported Wednesday.

The packages @automagik/genie versions 4.260421.33 through 4.260421.39 and pgserve versions 1.1.11, 1.1.12 and 1.1.13 were found to be injected with scripts consistent with the CanisterWorm campaign first identified by Socket researchers last month.

Namastex’s Automagik Genie is a command line interface (CLI) for using AI coding agents to create pull requests and pgserve is an embedded PostgreSQL server; the packages had about 8,000 weekly downloads combined as of April 21, 2026, according to Socket’s dashboards.

The malicious postinstall script observed in this compromise works to harvest secrets from the victim’s environment by searching environment variables for names associated with tokens, credentials, cloud providers, CI/CD systems, registries, LLM platforms and other secrets, the Socket Research Team said.

It also targets sensitive local system files including .npmrc, .git-credentials, .netrc, .env files, database password files, and files storing SSH keys and cloud credentials, as well as artifacts from browsers and cryptocurrency wallets such as Chrome login storage and data from crypto-wallet extensions.

The collected data is exfiltrated to an HTTPS webhook as well as an Internet Computer Protocol (ICP) canister that serves as a “dead-drop” command and control (C2) channel, Socket said.

The worm then attempts to self-propagate by identifying and installing npm packages the victim can publish, injecting them with the malicious script and republishing them using the victim’s stolen npm credentials.

Additionally, the script attempts to spread the attack to the Python Package Index (PyPI) when the necessary credentials are available, preparing and uploading malicious .pth-based payloads via Twine.

"This newest supply chain threat in the npm ecosystem demonstrates that a lot of the time, the issue isn't an organization's code, but their credentials. Long-lived, over-permissioned CI/CD tokens are as risky as passwords written on a sticky note," Dan Moore, senior director of CIAM strategy at FusionAuth, said in an email to SC Media.

"Organizations need to have more than credentials for software systems. In order to maintain identity hygiene, organizations should rotate, scope, and continually monitor credentials."

While the ICP canister used in the Namastex attack is not the same canister seen in previous CanisterWorm attacks, Socket assessed it is likely part of the same campaign based on the pattern of broad credential theft, use of both a webhook and ICP canister for off-host exfiltration and cross-ecosystem targeting of both npm and PyPI.

The CanisterWorm campaign, first reported on March 20, 2026, affected 141 packages between March 20 and 23, according to Socket’s research. The attack wave affecting Namastex, which Socket now tracks as “CanisterSprawl,” has affected a total of 22 packages since April 8, the company reports.

Wiz Research has stated that TeamPCP, the threat actor behind a recent supply chain attack affecting Aqua Security’s Trivy vulnerability scanner and the popular AI middleware LiteLLM, was also behind the CanisterWorm campaign. Socket describes the campaign as a “TeamPCP-style” attack.

The attack also comes after another self-propagating supply chain worm, Shai-Hulud, emerged targeting the npm and GitHub open-source ecosystems last year, with attacks continuing throughout 2026.
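A defender's check for the package versions named in the article, as an added example (not code from Socket, SC Media or Namastex): it scans a parsed `package-lock.json`, in either the nested v1 layout or the flat v2/v3 layout, for the affected versions. The function names and the sample lockfile are constructed for illustration.

```javascript
// Affected versions exactly as listed in the article above.
const AFFECTED = new Map([
  ["@automagik/genie", (v) => {
    const m = /^4\.260421\.(\d+)$/.exec(v);
    return m !== null && Number(m[1]) >= 33 && Number(m[1]) <= 39;
  }],
  ["pgserve", (v) => ["1.1.11", "1.1.12", "1.1.13"].includes(v)],
]);

// Package name from a v2/v3 install path, e.g. "node_modules/a/node_modules/@scope/name".
function nameFromPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? null : path.slice(i + "node_modules/".length);
}

// Hypothetical helper: returns [{ name, version, where }] for each affected entry.
function findAffected(lock) {
  const hits = [];
  const check = (name, version, where) => {
    const isBad = AFFECTED.get(name);
    if (isBad && typeof version === "string" && isBad(version)) hits.push({ name, version, where });
  };
  if (lock.packages) { // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      check(meta.name || nameFromPath(path), meta.version, path);
    }
  } else { // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta.version, trail + name);
        walk(meta.dependencies, trail + name + " > ");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/pgserve": { version: "1.1.12" },
    "node_modules/@automagik/genie": { version: "4.260421.32" },
    "node_modules/tool/node_modules/@automagik/genie": { version: "4.260421.35" },
  },
};
console.log(findAffected(sampleLock));
```

To run it on a project, pass the result of `JSON.parse` on that project's `package-lock.json`. A hit means the lockfile pins an affected version, which is the trigger for rotating any credentials that were reachable from hosts where that install ran.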