npm CanisterWorm — Self-Spreading Supply-Chain Attack Targets AI Agent Tooling

AI relevance: The compromised packages are used in AI agent tooling and database operations, and the malware specifically harvests credentials for LLM platforms — making this a targeted attack against the AI development supply chain that propagates like a worm across package ecosystems.

Researchers at Socket and StepSecurity have identified a self-spreading supply-chain attack targeting the npm ecosystem. Sixteen packages from Namastex Lab — a company providing AI-based agentic solutions — were found to contain malicious code that steals credentials and attempts to propagate to other packages.

How the worm works

  • Malicious versions were first published on April 21 at 22:14 UTC, with additional releases the same day.
  • On install, the injected code harvests sensitive data: API tokens, SSH keys, cloud service credentials, CI/CD system secrets, registry auth tokens, LLM platform keys, and Kubernetes/Docker configs.
  • It also extracts data from Chrome and Firefox browsers, including cryptocurrency wallets (MetaMask, Exodus, Atomic Wallet, Phantom).
  • If npm publish tokens are found in environment variables or ~/.npmrc, the malware identifies packages the victim can publish, injects itself into each one, and republishes with an incremented version number — recursive worm-like propagation.
  • If PyPI credentials are found, the same method applies to Python packages using a .pth-based payload, making this a multi-ecosystem attack.

Affected packages

  • @automagik/genie (4.260421.33–4.260421.39)
  • pgserve (1.1.11–1.1.13)
  • @fairwords/websocket (1.0.38–1.0.39)
  • @fairwords/loopback-connector-es (1.4.3–1.4.4)
  • @openwebconcept/theme-owc (1.0.3)
  • @openwebconcept/design-tokens (1.0.3)

Why it matters

  • The attack targets high-value endpoints (AI agent tooling, LLM platform credentials) rather than aiming for broad infections — a focused, sophisticated approach.
  • The self-propagation mechanism means each infected developer machine can become a distribution point for further compromised packages.
  • Socket noted similarities to TeamPCP's CanisterWorm attacks, though attribution is not confirmed.
  • Multi-ecosystem (npm + PyPI) capability means defenders need to check both package registries.

What to do

  • Remove all listed package versions from development environments and CI/CD pipelines immediately.
  • Rotate all potentially exposed credentials: API keys, cloud tokens, SSH keys, npm auth tokens, LLM platform keys.
  • Check for internal package mirrors, artifacts, and caches that may hold compromised versions.
  • Audit for related packages sharing the same public.pem file, webhook host, or postinstall pattern.
  • Use Socket or StepSecurity IOCs to scan for compromised development environments.
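
The checks in the list above can be scripted. The following Node.js script is an added example written for this page; it is not code from Socket, StepSecurity or Namastex Lab. It scans a package-lock.json (lockfile v2/v3 "packages" map) for the affected versions listed above, flags every package whose lockfile entry carries npm's hasInstallScript marker (set when a package declares preinstall/install/postinstall), and inventories where an npm publish token could have been read from, which is what decides whether the worm's republish step could have run on that machine. The lockfile, .npmrc content and environment are constructed samples; the environment variable names NPM_TOKEN and NODE_AUTH_TOKEN are an assumption about common CI setups, not something the advisory states.

```javascript
// Added example (not code from Socket, StepSecurity or Namastex Lab): scan a
// package-lock.json for the affected versions listed in the advisory, flag
// packages that declare install-time lifecycle scripts, and inventory npm
// publish credentials that an install on this machine could have exposed.
// The sample lockfile, .npmrc and environment below are constructed.

// Affected packages and inclusive version ranges, as listed in the advisory.
const AFFECTED = {
  "@automagik/genie": ["4.260421.33", "4.260421.39"],
  "pgserve": ["1.1.11", "1.1.13"],
  "@fairwords/websocket": ["1.0.38", "1.0.39"],
  "@fairwords/loopback-connector-es": ["1.4.3", "1.4.4"],
  "@openwebconcept/theme-owc": ["1.0.3", "1.0.3"],
  "@openwebconcept/design-tokens": ["1.0.3", "1.0.3"],
};

// Compare dotted numeric versions (e.g. "4.260421.33") component by component.
// Returns -1, 0 or 1. A string compare would be wrong here: "1.1.9" > "1.1.13".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffected(name, version) {
  const range = AFFECTED[name];
  if (!range || !version) return false;
  return compareVersions(version, range[0]) >= 0 && compareVersions(version, range[1]) <= 0;
}

// Lockfile entries are keyed by install path, e.g. "node_modules/@scope/name";
// the package name is whatever follows the last "node_modules/".
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === "") continue; // the root project itself
    const name = entry.name ?? packageNameFromPath(path);
    if (isAffected(name, entry.version)) {
      findings.push({ name, version: entry.version, reason: "affected version listed in advisory" });
    }
    // npm sets hasInstallScript in lockfile v2/v3 when a package declares
    // preinstall/install/postinstall; worth reviewing even for unlisted packages.
    if (entry.hasInstallScript === true) {
      findings.push({ name, version: entry.version, reason: "declares an install-time lifecycle script" });
    }
  }
  return findings;
}

// For a parsed package.json, return the install-time hooks it declares.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
function installHooks(pkgJson) {
  const scripts = pkgJson.scripts ?? {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string");
}

// Inventory where an npm publish token could have been read from: .npmrc
// _authToken lines and the environment variables commonly used for CI
// publishing (NPM_TOKEN, NODE_AUTH_TOKEN are assumed names; adjust for your
// setup). Only the registry host or variable name is reported, never the token.
function exposedPublishCredentials(env, npmrcText) {
  const sources = [];
  for (const line of npmrcText.split("\n")) {
    const m = line.match(/^\s*(\/\/[^:]+):_authToken=/);
    if (m) sources.push({ source: ".npmrc", detail: m[1] });
  }
  for (const v of ["NPM_TOKEN", "NODE_AUTH_TOKEN"]) {
    if (env[v]) sources.push({ source: "env", detail: v });
  }
  return sources;
}

// Constructed sample input: one affected pgserve release with an install script,
// one genie version just below the affected range, one listed 1.0.3 release and
// one unrelated package.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/pgserve": { version: "1.1.12", hasInstallScript: true },
    "node_modules/@automagik/genie": { version: "4.260421.32" },
    "node_modules/@openwebconcept/theme-owc": { version: "1.0.3" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};
const SAMPLE_NPMRC = "//registry.npmjs.org/:_authToken=npm_EXAMPLE_PLACEHOLDER\nsave-exact=true\n";
const SAMPLE_ENV = { NODE_AUTH_TOKEN: "placeholder", HOME: "/home/dev" };

console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
console.log(JSON.stringify(exposedPublishCredentials(SAMPLE_ENV, SAMPLE_NPMRC), null, 2));
```

To run it against a real checkout, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`, SAMPLE_NPMRC with the contents of `~/.npmrc` and SAMPLE_ENV with `process.env`. The version comparison is numeric on purpose: the affected ranges sit at the boundaries (4.260421.32 is clean, 4.260421.33 is not), so a lexical or prefix match would either miss releases or flag clean ones. Any credential source the inventory reports is one the advisory's rotation step applies to.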

Sources