New npm Supply-Chain Attack Self-Spreads to Steal Auth Tokens

What happened

A self-propagating npm supply chain attack has been identified by researchers at Socket and StepSecurity, with 16 packages from Namastex Labs, a provider of AI-based agentic tooling, already confirmed as compromised. The first malicious versions of the pgserve package were published on April 21 at 22:14 UTC, with two additional malicious releases following the same day.

The attack is designed to steal credentials and then spread itself. Once installed, the malicious code scans for npm publish tokens in environment variables and the ~/.npmrc configuration file, identifies every package the victim account has permission to publish, injects the payload into those packages, and republishes them to npm with an incremented version number. Each newly infected package repeats the same process when installed by another developer, enabling recursive spread across the ecosystem. If PyPI credentials are found on the same system, the attack applies a similar propagation method to Python packages via a .pth-based payload, making this a multi-ecosystem threat.

The malicious code collects a broad range of sensitive data including tokens, API keys, SSH keys, cloud service credentials, CI/CD system credentials, container registry credentials, LLM platform credentials, and Kubernetes and Docker configurations. It also attempts to extract data from Chrome and Firefox browsers, including cryptocurrency wallets such as MetaMask, Exodus, Atomic Wallet, and Phantom.

The targeted packages are used in AI agent tooling and database operations, meaning the attack focuses on high-value developer environments rather than broad consumer targets. Researchers noted similarities with TeamPCP’s CanisterWorm attacks in technique, though attribution has not been confirmed. Both Socket and StepSecurity have published indicators of compromise.

Who is affected

Developers and organizations that installed any of the 16 compromised Namastex Labs package versions are directly exposed. The self-propagating design means the attack can extend to any packages those developers have publish rights over, potentially reaching a much wider set of downstream users. Organizations running CI/CD pipelines that pull from npm are at particular risk given the automated, trusted nature of those workflows.

Why CISOs should care

This is not a passive credential stealer. It actively uses whatever access it finds to expand its own footprint across the ecosystem. A single developer installing one compromised package can become the vector through which the malware reaches every package that developer can publish, and then every developer who installs those packages. The recursive spread mechanism means the attack surface grows faster than most standard detection and response workflows are designed to handle.

The inclusion of PyPI as a secondary propagation target is also significant. A developer environment with both npm and PyPI credentials is a two-for-one opportunity for this malware, and the overlap between Python and JavaScript tooling in modern AI and cloud-native development stacks means that population is substantial.

3 practical actions

  1. Remove all listed compromised package versions from development environments and CI/CD pipelines immediately: Treat every version in the identified range as malicious, audit internal package mirrors and artifact caches for cached copies, and verify that no downstream packages in your ecosystem were republished with the injected payload.
  2. Rotate all credentials that may have been present on affected systems: This includes npm and PyPI publish tokens, API keys, SSH keys, cloud service credentials, CI/CD tokens, and any LLM platform credentials stored in environment variables or configuration files on developer machines that had the packages installed.
  3. Audit npm publish token scope and restrict package publish permissions: Review which developer accounts hold publish rights across your npm packages and apply least-privilege principles. Tokens with broad publish access across multiple packages are exactly what this malware exploits to maximize spread.
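To support action 1, here is an added example (not code from the article, Socket, or StepSecurity) that walks a package-lock.json and flags any entry matching a list of compromised package versions, including nested installs that `npm ls` output can hide. The IoC table uses constructed placeholder versions, since the article names pgserve but lists no version numbers; replace it with the published indicators.

```python
import json

# Constructed placeholder IoC list (name -> malicious versions). The article
# names pgserve but not versions; swap in the Socket/StepSecurity indicators.
COMPROMISED = {
    "pgserve": {"0.0.0-placeholder-1", "0.0.0-placeholder-2"},
    "placeholder-namastex-pkg": {"9.9.9-placeholder"},
}


def lock_entries(lock):
    """Yield (name, version) for every package recorded in a lockfile.
    Covers lockfileVersion 2/3 ("packages", keyed by node_modules path,
    so nested installs are found too) and lockfileVersion 1 ("dependencies").
    """
    for path, meta in lock.get("packages", {}).items():
        if path and "version" in meta:  # "" is the root project itself
            # "node_modules/a/node_modules/@s/b" -> "@s/b"
            yield path.split("node_modules/")[-1], meta["version"]
    stack = list(lock.get("dependencies", {}).items())
    while stack:
        name, meta = stack.pop()
        if "version" in meta:
            yield name, meta["version"]
        stack.extend(meta.get("dependencies", {}).items())


def find_compromised(lock, iocs=COMPROMISED):
    """Return sorted (name, version) pairs present in both lock and iocs."""
    return sorted({(n, v) for n, v in lock_entries(lock) if v in iocs.get(n, ())})


def audit_lockfile(path, iocs=COMPROMISED):
    """Load a package-lock.json from disk and report compromised entries."""
    with open(path, encoding="utf-8") as fh:
        return find_compromised(json.load(fh), iocs)


# Constructed sample lockfile for offline demonstration.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/pgserve": {"version": "0.0.0-placeholder-2"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/x/node_modules/placeholder-namastex-pkg": {"version": "9.9.9-placeholder"},
    },
}

if __name__ == "__main__":
    for name, version in find_compromised(SAMPLE_LOCK):
        print(f"COMPROMISED: {name}@{version}")
```

Run the same check against every lockfile in CI checkouts and internal mirror metadata, not just developer workstations, since cached copies are where republished payloads tend to survive a cleanup.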