Malicious npm packages, including multiple versions of @automagik/genie and pgserve, execute post-install scripts to steal developer credentials, secrets, and cryptocurrency data, then self-propagate by republishing compromised packages to npm and PyPI using stolen tokens. The malware uses HTTPS and blockchain-based ICP canisters for command and control and data exfiltration. While the exact source is under investigation, evidence suggests legitimate projects may have been hijacked, and users should audit their systems for these packages and review npm and PyPI access tokens for unauthorized use.
Malicious npm packages have been identified distributing malware that steals credentials and attempts to spread across developer ecosystems. According to new research from Socket, the activity mirrors earlier worm-style supply chain attacks that used blockchain-hosted infrastructure, including Internet Computer Protocol (ICP) canisters, for command and control (C2). Impacted packages include multiple versions of @automagik/genie and pgserve, both linked to developer tooling workflows. Researchers found the malware executes during installation, harvesting sensitive data and attempting to republish compromised packages using stolen credentials. Malware Focuses on Sensitive Data The payload scans infected systems for secrets stored in environment variables and configuration files. Targeted data includes cloud credentials, CI/CD tokens, SSH keys and local developer artifacts such as .npmrc and shell histories. It also attempts to access browser-stored data and cryptocurrency wallets, including Chrome profiles and extensions like MetaMask and Phantom. Exfiltration occurs through two channels: a standard HTTPS webhook and an ICP endpoint. Data can be encrypted using AES-256 and RSA methods, though plaintext fallback is possible. Self-Propagation and Possible Repository Compromise A key feature of the malware is its ability to spread. The malware extracts npm tokens, identifies accessible packages, injects malicious code, and republishes them, enabling further compromise across the ecosystem. It also includes functionality to propagate via Python's PyPI repository by generating malicious packages using .pth file injection when credentials are present. Read more on similar threats: Malicious Machine Learning Model Attack Discovered on PyPI Researchers observed similarities with prior TeamPCP-linked campaigns , including the use of post-install scripts and canister-based infrastructure. However, the exact source of the compromise remains under investigation. Evidence suggests legitimate projects may have been hijacked. Some affected packages have active usage, with one showing over 6,700 weekly downloads. Inconsistencies between npm releases and Git tags further raise suspicion. Socket said the situation is still evolving, with additional malicious versions continuing to emerge and the full scope of the attack not yet confirmed.