npm Supply-Chain Worm Steals Auth Tokens Fast

npm Supply-Chain Worm Is Actively Spreading Through Developer Environments

A new npm supply-chain attack is doing something nastier than the usual malicious package drop. It self-propagates. Researchers at Socket and StepSecurity confirmed this week that at least 16 packages from Namastex Labs were compromised with malicious code that steals publish tokens, then uses those tokens to inject itself into every other package the victim account can publish. The npm supply chain attack effectively turns each infected developer into an unwitting spreader.

The malicious versions were first spotted on April 21, 2026. The pgserve package was the earliest confirmed infection, with multiple additional malicious releases pushed the same day. The timing suggests an automated pipeline doing the publishing, not manual effort.

How the Self-Spreading Mechanism Works

The core technique is straightforward but effective. Once the malicious postinstall script runs on a developer's machine, it searches for npm publish tokens in two locations: environment variables and the ~/.npmrc configuration file. If it finds one, it queries npm to identify every package that token has publish rights on, injects the same payload into those packages, increments the version number, and publishes them back to the registry.

Each newly infected package runs the same logic when installed. That recursive behavior is what makes researchers call it a worm. The spread isn't bounded by the initial compromise. It extends as far as the social graph of publish permissions reaches.

It doesn't stop at npm either. If PyPI credentials are discovered, the same method is applied to Python packages using a .pth-based payload. One compromised JavaScript developer can trigger infections across two separate ecosystems.

What Data Gets Stolen

The credential theft scope is broad. The injected code targets SSH keys, API keys, cloud service credentials, CI/CD tokens, container registry credentials, Kubernetes and Docker configs, and tokens for LLM platforms. Browser-stored data from Chrome and Firefox is also harvested, including cryptocurrency wallet extensions like MetaMask, Exodus, Atomic Wallet, and Phantom.

These aren't random packages with large install counts. The compromised packages include AI agent tooling and database utilities, which means the targets are developers working on infrastructure-adjacent projects. Those environments typically hold the most sensitive credentials.

The techniques overlap with previous CanisterWorm attacks attributed to TeamPCP, though researchers have stopped short of formal attribution pending more evidence.

How to Respond If You're Affected

If any of the 16 listed packages exist in your project dependencies, CI/CD pipelines, or build caches, treat the environment as compromised and act immediately.

Steps to take:

1. Remove all affected package versions from local environments, pipelines, and any internal artifact mirrors.
2. Rotate every credential that could have been present: npm tokens, cloud keys, SSH keys, CI/CD secrets, LLM API keys.
3. Check ~/.npmrc and environment variables for any tokens that may have been exfiltrated.
4. Audit your own published packages for unexpected version bumps or unfamiliar postinstall scripts.
5. Search for packages sharing the same public.pem file, webhook host, or postinstall pattern noted in Socket's indicators of compromise.
6. Review internal package mirrors and caches for infected versions that may have been pulled before the packages were flagged.

Running automated scanning on your web-facing dependencies is a good starting point. You can scan your environment for exposed vulnerabilities at /scan to check for additional supply-chain risks that may be lurking in your stack.

For a broader look at package-level threats, the VibeWShield blog covers open-source security topics including past npm attack waves.

FAQ

Which npm packages are confirmed as malicious in this attack? The confirmed list includes versions of @automagik/genie, pgserve, @fairwords/websocket, @fairwords/loopback-connector-es, @openwebconcept/theme-owc, and @openwebconcept/design-tokens, among others. Check Socket's live indicators of compromise list for the full current set, as the worm may have spread to additional packages.

If I installed an affected package weeks ago but didn't notice, am I still at risk? Yes. The malicious postinstall script runs at install time. If it executed in your environment, your credentials were potentially exfiltrated at that point regardless of when you discover it. Rotate everything and audit your publish history.

Does this attack only affect JavaScript developers? No. If the malware finds PyPI credentials on a compromised system, it applies the same self-spreading logic to Python packages. Any developer with both npm and PyPI credentials in their environment is a potential vector for cross-ecosystem propagation.

Your dependencies could be carrying this worm right now. Run a free scan at VibeWShield to check your project for supply-chain vulnerabilities before they reach production.