A significant supply chain attack has emerged within the npm ecosystem, targeting packages associated with Namastex.ai. These compromised packages have been found to deliver CanisterWorm malware, a self-propagating backdoor reminiscent of tactics employed by the threat actor known as TeamPCP. This malware not only replaces legitimate package contents with malicious code but also spreads across all accessible namespaces using stolen credentials.
The Attack Mechanism
The attackers gained access to valid npm publishing tokens, likely through a compromised Continuous Integration/Continuous Deployment (CI/CD) pipeline. With these tokens, they stripped original functionalities from legitimate packages, injected malicious code, and republished them under the same trusted package names. The affected Namastex.ai packages appeared as routine patch updates, complete with copied README files and familiar metadata, making detection challenging for developers and automated security tools.
Discovery and Attribution
Researchers at Socket.dev identified this threat during a broader investigation into the CanisterWorm supply chain attack campaign. By late March 2026, the campaign had expanded to over 135 malicious package artifacts across more than 64 unique packages. The Namastex.ai packages exhibited the same tradecraft seen in earlier CanisterWorm activities, indicating shared attacker infrastructure and consistent payload design across different victim namespaces.
The name CanisterWorm derives from the malware’s communication method. Instead of using a traditional server, the backdoor polls an Internet Computer Protocol (ICP) canister acting as a dead-drop command and control channel. This design allows attackers to rotate second-stage payloads without modifying the implant already running on infected systems, making it resistant to standard takedown efforts. A Wiz investigation report released on March 20, 2026, attributed the campaign to TeamPCP, the same threat actor previously linked to attacks on Aqua Security’s Trivy tool.
Self-Propagation Mechanism
CanisterWorm distinguishes itself from typical credential-stealing malware through its built-in worm behavior. Upon installation of the infected package, a hidden post-install hook executes immediately, running in the background without terminal warnings or prompts. This script executes a function that reads npm authentication tokens from various locations, including the ~/.npmrc file, project-level .npmrc files, environment variables such as NPM_TOKEN, and live npm configuration queries.
The stolen tokens are then passed to a secondary script, which operates as a fully detached background process. This script queries the npm registry to identify every package the compromised token can publish to, increments the patch version of each, injects the CanisterWorm payload, and republishes with the –tag latest flag. Consequently, any developer who installs these packages without specifying an exact version will unknowingly receive the infected release, thereby becoming a new propagation vector.
Data Collection and Exfiltration
Beyond its propagation capabilities, the CanisterWorm payload collects a wide array of sensitive information, including:
– Environment variables
– SSH keys
– Cloud credentials for AWS, Azure, and GCP
– Kubernetes service account tokens
– Docker registry credentials
– TLS private keys
– Browser login storage
– Cryptocurrency wallet files linked to MetaMask and Phantom
The collected data is exfiltrated using RSA public key encryption over HTTPS to the ICP canister endpoint. If no RSA key is present on the target system, the malware defaults to plaintext delivery.
Mitigation and Recommendations
Organizations and developers using any packages from the Namastex.ai npm namespace should treat all recent versions as potentially compromised. Immediate actions include:
– Rotating npm tokens
– Changing GitHub tokens
– Updating cloud credentials
– Conducting thorough security audits of all dependencies
Implementing strict version pinning, utilizing automated security scanning tools, and maintaining vigilant monitoring of CI/CD pipelines can help prevent similar supply chain attacks in the future.
