A Self-Propagating npm Worm Is Actively Spreading Through Developer Environments

Socket and StepSecurity flagged a live supply chain worm yesterday hitting packages from Namastex Labs, an agentic AI tooling company. The campaign is tracked as CanisterSprawl. At least 16 packages across multiple namespaces are confirmed compromised, new malicious versions are still being published, and the worm is actively trying to spread to every other package the victim developer can publish.

The full package list:

@automagik/genie (4.260421.33–4.260421.40), pgserve (1.1.11–1.1.14), @fairwords/websocket (1.0.38–1.0.39),

@fairwords/loopback-connector-es (1.4.3–1.4.4), @openwebconcept/design-tokens

@openwebconcept/theme-owc (1.0.1–1.0.3).

The pgserve versions appeared on npm from April 21, 22:14 UTC without corresponding Git tags, a release anomaly that’s also an IOC.

What the malware does

A 1,143-line credential harvesting script triggers via npm’s postinstall hook on install, no interaction required. It sweeps for environment variables, .npmrc files, SSH keys, cloud credentials (AWS, Azure, GCP), Kubernetes and Docker configs, Terraform and Pulumi state, .env files, shell history, and Vault data. Browser login data and crypto wallet files (MetaMask, Phantom, Solana, Ethereum, Bitcoin, Exodus, Atomic) are also targeted.

Stolen data goes to two exfiltration endpoints: telemetry.api-monitor[.]com (HTTPS webhook) and cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0[.]io (ICP canister). The canister-backed C2 mirrors TeamPCP’s earlier CanisterWorm technique, ICP canisters can’t be seized like a traditional server.

The worm behavior is the critical part

If the malware finds an npm publish token in environment variables or ~/.npmrc , it identifies every package that token can publish, increments the patch version, injects its payload, and republishes with --tag latest . Any developer who installs those packages without pinning an exact version gets an infected release and becomes the next propagation vector. If PyPI credentials are found, it applies the same method to Python packages via .pth . This is a multi-ecosystem worm.

Attribution

Socket notes “strong overlap” in tradecraft and code with TeamPCP’s CanisterWorm from March but stopped short of confident attribution. StepSecurity attributes it to TeamPCP. The canister ID is not identical to the original CanisterWorm canister. Investigation is ongoing.

Immediate actions

Remove all listed package versions from systems and CI/CD pipelines. Rotate every credential that could have been present on any machine running an affected install: npm tokens, SSH keys, cloud credentials, API keys. Check pgserve package scripts directories for check-env.js and public.pem as IOC artifacts. Review pipeline logs for installs of listed versions since April 21, 22:14 UTC. Audit npm token scope and revoke tokens not in active use. If PyPI credentials were also present, check Python environments for .pth injection.

Stay safe

- Alex