A concerning supply chain attack has been discovered within the npm ecosystem, where malicious versions of packages from Namastex.ai are propagating a sophisticated backdoor malware known as CanisterWorm. This malware, exhibiting characteristics similar to the operations of the threat actor group TeamPCP, silently replaces legitimate code with infectious payloads and actively spreads across all namespaces accessible through compromised publishing credentials. This incident highlights a growing trend of sophisticated attacks targeting software development pipelines.
Researchers at Socket.dev identified the threat as part of a broader campaign of supply chain attacks involving malware that mimics the attack style of TeamPCP. The Namastex.ai packages were compromised by an attacker who likely obtained valid npm publishing tokens, possibly through a compromised continuous integration and continuous delivery (CI/CD) pipeline. The attacker then removed the original functionalities of legitimate packages, replaced them with malicious code, and republished them under the same trusted package names. These tainted releases were disguised as routine patch updates, featuring copied README files and familiar metadata, which significantly hampered detection efforts by both human developers and automated security tools.
By late March 2026, the CanisterWorm supply chain attack campaign had expanded, impacting over 135 malicious package artifacts distributed across more than 64 unique npm packages, according to Socket Research. The Namastex.ai packages demonstrated the same tactics, techniques, and procedures observed in earlier CanisterWorm activities. This suggests a shared infrastructure and a consistent payload design employed by the attackers across different victim namespaces.
Self-Propagation: How CanisterWorm Spreads
The distinguishing feature of CanisterWorm, setting it apart from typical credential-stealing malware, is its inherent worm-like propagation mechanism. Upon installation of an infected package, a hidden postinstall hook is triggered. This hook operates silently in the background, executing without any visible warnings or prompts to the user or the terminal. The script’s primary function is to locate and extract npm authentication tokens using a defined `findNpmTokens()` function. These tokens are sought from various common locations, including the `~/.npmrc` file, project-specific `.npmrc` files, environment variables such as `NPM_TOKEN`, and through live npm configuration queries.
Once extracted, the stolen npm tokens are passed to a secondary script named `deploy.js`. This script then executes as a fully detached background process. Its objective is to query the npm registry for all packages associated with the compromised token. It systematically increments the patch version of each discovered package and injects the CanisterWorm payload. The malicious package is then republished using the `–tag latest` flag, ensuring that any developer installing the package without specifying an exact version will unknowingly download the infected release, thereby becoming a new vector for the malware’s spread.
Beyond its self-propagation capabilities, the CanisterWorm payload is designed to exfiltrate a wide array of sensitive information. This includes environment variables, SSH keys, cloud credentials for major providers like AWS, Azure, and GCP, Kubernetes service account tokens, Docker registry credentials, and TLS private keys. Additionally, the malware targets browser login storage and cryptocurrency wallet files associated with popular wallets such as MetaMask and Phantom. Collected data is encrypted using RSA public key cryptography and transmitted over HTTPS to the specified Internet Computer Protocol (ICP) canister endpoint. In instances where no RSA key is found on the target system, the malware defaults to transmitting the data in plaintext.
The technical architecture of CanisterWorm, specifically its use of an ICP canister as a command and control (C2) channel, makes it highly resilient. This method allows attackers to rotate second-stage payloads without needing to interact with the implants already deployed on infected systems, thus evading common takedown strategies. A report released on March 20, 2026, by Wiz attributed this campaign to TeamPCP, the same threat actor previously linked to attacks involving Aqua Security’s Trivy tool, underscoring the persistent nature of this actor group.
Development teams utilizing any packages from the Namastex.ai npm namespace should immediately consider all recent versions to be potentially compromised. It is crucial to rotate npm tokens, GitHub tokens, cloud credentials, and SSH keys for any systems where affected packages may have been installed. Auditing package publish histories for unusual or unexplained version increments associated with the same maintainer tokens is also recommended. Furthermore, organizations should investigate CI/CD artifact caches for the presence of the known RSA public key fingerprint and file hashes linked to this campaign. Implementing install-time script analysis to flag postinstall hooks before their execution is a vital preventative measure. Given that similar cross-ecosystem propagation logic targeting PyPI has been observed in related activities, Python environments that share the same credential stores should also be reviewed promptly.
The ongoing evolution of supply chain attacks necessitates continuous vigilance within the software development lifecycle. The complexity of CanisterWorm, particularly its self-propagation and resilient C2 mechanism, presents a significant challenge for defenders. As researchers continue to monitor these threats, the focus will likely shift towards developing more robust automated detection mechanisms and fostering stronger collaboration between security vendors and open-source communities to mitigate the impact of such sophisticated supply chain compromises.