Self-propagating npm worm steals dev tokens and republishes via hijacked publish rights

A worm-class supply-chain attack is moving through the npm registry by abusing publish tokens it finds on compromised developer machines. Socket and StepSecurity identified 16 malicious versions across Namastex Labs packages, including @automagik/genie, pgserve, and @fairwords/* modules used in AI agent tooling and database plumbing — targets that favour high-value access over broad infection counts. The earliest known malicious release landed on pgserve at 22:14 UTC on April 21.

Once installed, the payload harvests tokens, API keys, SSH keys, cloud and CI/CD credentials, registry logins, LLM platform secrets, and Kubernetes and Docker configs, then scrapes Chrome and Firefox for crypto wallet data from MetaMask, Exodus, Atomic Wallet, and Phantom. If an npm publish token is present in environment variables or ~/.npmrc, the script enumerates packages the victim can publish, injects itself, bumps the version, and republishes — each new install repeats the loop. PyPI credentials trigger an equivalent .pth-based payload, making the campaign cross-ecosystem.

Techniques resemble TeamPCP’s CanisterWorm but attribution is unconfirmed. Defenders should purge the listed versions from dev boxes and CI/CD, rotate every potentially exposed secret, and hunt for related artefacts sharing the same public.pem, webhook host, or postinstall pattern flagged in the published IOCs.