A new supply chain threat has emerged within the npm ecosystem, involving malicious versions of packages from Namastex.ai that deliver the CanisterWorm malware. This malware acts as a self-propagating backdoor, mirroring the tactics of the threat actor known as TeamPCP. The attack involves replacing legitimate package contents with infected code, which then spreads across namespaces accessible via stolen credentials.
The threat actor gained access to npm publishing tokens, likely through a compromised CI/CD pipeline, allowing them to strip original functionality from legitimate packages and replace it with malicious code. These packages were then republished under the same trusted names, making detection challenging for developers and automated security tools. The campaign, identified by researchers at Socket.dev, expanded to over 135 malicious package artifacts across more than 64 unique packages by March 2026.
The CanisterWorm malware communicates with its operators using an Internet Computer Protocol (ICP) canister, acting as a command and control channel. This design allows attackers to rotate payloads without altering the implant on infected systems, making it resistant to standard takedown efforts. The malware’s worm-like behavior is triggered by a hidden postinstall hook that steals npm authentication tokens and uses them to propagate the infection across the npm registry.
Once installed, the malware collects a wide range of sensitive data, including environment variables, SSH keys, cloud credentials, and browser login storage. This data is exfiltrated using RSA public key encryption over HTTPS to the ICP canister endpoint. If no RSA key is available, the malware defaults to plaintext delivery.
Teams using Namastex.ai npm packages should treat all recent versions as potentially compromised. It is advised to immediately rotate npm tokens, GitHub tokens, cloud credentials, and SSH keys from affected systems. Additionally, auditing package publish histories for unexplained version changes and enabling install-time script analysis can help detect and prevent further infections. Python environments sharing the same credentials should also be reviewed due to observed cross-ecosystem propagation logic targeting PyPI.
Source: https://socket.dev/blog/namastex-npm-packages-compromised-canisterworm