A new software supply chain attack has once again put developers on high alert, this time involving malicious npm packages linked to the Namastex ecosystem. Security researchers have discovered that these packages are spreading a sophisticated strain of malware that closely resembles the behavior of earlier CanisterWorm campaigns, raising concerns about evolving threats in open-source environments.

What makes this incident particularly alarming is how familiar the attack pattern looks. Much like previous operations associated with TeamPCP-style tactics, the malicious code is triggered during the installation process itself. This means developers can unknowingly infect their systems simply by installing what appears to be a legitimate package. Once executed, the malware begins harvesting sensitive information from the infected machine and quietly sends it back to attacker-controlled servers.

The affected packages include versions of @automagik/genie and pgserve, but the activity doesn’t stop there. Researchers have also identified suspicious behavior tied to other namespaces such as @fairwords and @openwebconcept. While the full scale of the campaign is still under investigation, the similarities in code structure, infrastructure, and attack techniques strongly suggest either shared origins or direct reuse of previously deployed malware.

Once inside a system, the malware goes far beyond a typical trojan. It actively searches for valuable secrets stored on the developer’s machine, including configuration files, SSH keys, cloud credentials, and environment variables. It also digs into shell history and version control data, looking for any trace of authentication tokens or access credentials that could be exploited further.

Even more concerning is its ability to target browser data and cryptocurrency wallets. Artifacts linked to Chrome-based browsers, as well as wallets like MetaMask, Phantom, and others used for Ethereum, Solana, and Bitcoin, are specifically targeted. This indicates that the attackers are not only interested in enterprise access but also in financial assets.

To exfiltrate this data, the malware uses multiple channels. Information is sent through standard HTTPS webhooks as well as through Internet Computer Protocol (ICP) canister endpoints, making detection and tracking more difficult. In some instances, the stolen data is encrypted using strong algorithms like RSA and AES before being transmitted, adding another layer of stealth.

What truly sets this campaign apart is its ability to spread. The malware attempts to extract npm authentication tokens from infected machines, identify packages the victim has publishing rights to, inject malicious scripts, and republish them, effectively turning compromised developers into distribution points. Researchers have even observed cross-platform propagation techniques targeting PyPI repositories, showing that the attackers are aiming to expand beyond the npm ecosystem.

This incident highlights a growing trend in supply chain attacks, where trust in open-source packages is being exploited at scale. For organizations and developers alike, it’s a clear reminder to audit dependencies carefully, monitor unusual install-time behavior, and implement stricter controls around package publishing and credential management.

