Compromised Namastex npm packages spread CanisterWorm in TeamPCP-style supply chain attack


A new npm supply chain attack hit packages tied to Namastex.ai, turning trusted package names into delivery vehicles for CanisterWorm, a self-propagating backdoor that steals credentials and republishes infected packages from compromised publisher accounts. Socket researchers say the malicious Namastex releases match the same tradecraft seen in earlier CanisterWorm activity, which had already spread across dozens of npm packages by late March.

The attack stands out because it does not stop at initial infection. Once a malicious package is installed, the malware looks for npm publishing tokens, identifies every package the stolen token can modify, bumps the patch version, injects its payload, and republishes the compromised package under the same trusted name. That turns every infected developer environment into a possible launch point for the next wave.

Researchers link this campaign to the same broader operation associated with TeamPCP, the actor previously tied to the Trivy and KICS supply chain attacks. Wiz said related worm-like activity appeared on npm shortly after the Trivy compromise and used the same ICP-based infrastructure, while Socket and Aikido both described the npm malware as CanisterWorm.

How the Namastex compromise worked

Socket says the attacker likely gained access to valid npm publish credentials, possibly through a compromised CI/CD pipeline or stolen maintainer tokens. With that access, the attacker removed the original package logic, inserted malicious code, and republished the package as what looked like a normal patch update, complete with familiar metadata and copied README content.

That made the malicious releases hard to spot during routine development. A patch-level version bump rarely triggers the same scrutiny as a major upgrade, and any project that allowed floating versions instead of exact pins could silently pull the poisoned release during the next install.
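The exposure described above can be checked on the consumer side. The following is an added example, not code from Socket or from the affected packages: it takes a parsed package.json and package-lock.json, lists every dependency spec that is not an exact version, and lists locked packages that npm marks as running install-time scripts. All package names and versions are constructed.

```javascript
// Added example: all package names and versions below are constructed.
const EXACT = /^=?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Dependencies in a parsed package.json whose spec is not one exact version.
// Ranges (^, ~, x, *), dist-tags ("latest") and git/file/alias specs are all
// reported, since none of them names a single registry release.
function findFloatingSpecs(manifest) {
  const findings = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      if (!EXACT.test(String(spec).trim())) findings.push({ section, name, spec });
    }
  }
  return findings;
}

// Entries in a parsed package-lock.json (lockfileVersion 2 or 3) that npm
// marks as running preinstall/install/postinstall scripts.
function findInstallScripts(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => path !== '' && meta.hasInstallScript === true)
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Constructed sample input.
const sampleManifest = {
  dependencies: { 'example-agent-sdk': '^2.3.0', 'example-logger': '1.8.4' },
  devDependencies: { 'example-cli': 'latest', 'example-lint': '~4.1.0' },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-agent-sdk': { version: '2.3.7', hasInstallScript: true },
    'node_modules/example-logger': { version: '1.8.4' },
  },
};

console.log(findFloatingSpecs(sampleManifest));
console.log(findInstallScripts(sampleLock));
```

To run it on a real project, pass the two files through `JSON.parse` after reading them from disk.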

Socket said its broader CanisterWorm investigation had expanded to more than 135 malicious package artifacts across over 64 unique packages by late March 2026. The Namastex packages appear to follow the same payload design, propagation logic, and infrastructure pattern as the earlier wave.

Why CanisterWorm is different

CanisterWorm is more than a credential stealer. It includes worm-like behavior that actively hunts for npm authentication material after installation. Socket and Aikido both reported that the malware reads tokens from places such as ~/.npmrc, project-level .npmrc files, environment variables like NPM_TOKEN, and active npm configuration sources.

The exfiltration and command flow also stand out. Instead of relying on a standard command-and-control server, CanisterWorm uses an Internet Computer Protocol canister as a dead-drop endpoint. That design lets the attacker rotate follow-on payloads or update instructions without modifying the implant already running on infected systems.

Once the malware gets valid publish rights, it can query the npm registry, enumerate packages under the compromised token, bump versions, inject the malicious payload, and republish them with the latest tag. That means a single stolen token can quickly turn into a multi-package compromise across one namespace or even several connected projects.

What data the malware tries to steal

Socket said the malware targets a wide range of developer and cloud secrets. That includes npm tokens, SSH keys, cloud credentials for AWS, Azure, and GCP, Kubernetes service account tokens, Docker registry credentials, TLS private keys, browser login data, and wallet files associated with MetaMask and Phantom.

This aligns with the actor’s earlier behavior. Wiz, Endor Labs, and Socket have all described TeamPCP-linked activity as focused on developer secrets and CI/CD credentials that can unlock broader compromise across repositories, registries, cloud environments, and release pipelines.

In practical terms, that means the risk reaches far beyond one npm package. A compromised developer workstation or CI runner may expose the secrets needed to tamper with more packages, cloud workloads, internal repos, or container registries.

Key facts at a glance

| Item | Verified detail |
| --- | --- |
| Target | Namastex.ai npm packages |
| Malware | CanisterWorm |
| Main behavior | Token theft, secret harvesting, self-propagation through republishing |
| Delivery | Malicious package updates published under trusted names |
| C2 design | ICP canister dead-drop infrastructure |
| Linked activity | TeamPCP-style supply chain operations tied to Trivy and KICS incidents |

The table reflects reporting from Socket, Wiz, and Aikido on the March to April 2026 campaign.

What developers should do now

  • Treat recent Namastex.ai package versions as potentially compromised until verified against a trusted source.
  • Rotate npm tokens, GitHub tokens, SSH keys, cloud credentials, and any secrets present on systems that installed affected packages.
  • Audit npm publish history for unexplained patch bumps or releases that do not match source control history.
  • Review CI/CD caches and logs for signs of token theft, unauthorized publishes, or unusual install-time scripts.
  • Enable install-script inspection and pin exact package versions wherever possible.
  • Check Python environments too, because related campaign activity has shown cross-ecosystem behavior beyond npm.
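One way a maintainer could carry out the publish-history audit from the list above, as an added example that is not from the article or the vendors it cites: it compares a package's registry metadata with the release tags in source control and flags any version that has no matching tag or that introduces an install-time hook its predecessor lacked. The package name, versions, timestamps and tags are constructed.

```javascript
// Added example: the packument and tag list below are constructed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

const hooksOf = (entry) =>
  INSTALL_HOOKS.filter((h) => entry && entry.scripts && entry.scripts[h]);

// packument: registry metadata for one package ("versions" and "time" maps).
// gitTags: release tags from the source repository, e.g. output of `git tag`.
function auditPublishHistory(packument, gitTags) {
  const tagged = new Set(gitTags.map((t) => t.replace(/^v/, '')));
  // Order by publish time so each release is compared with its predecessor.
  const order = Object.keys(packument.versions).sort(
    (a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b])
  );
  const findings = [];
  order.forEach((version, i) => {
    const reasons = [];
    if (!tagged.has(version)) reasons.push('no matching git tag');
    if (i > 0) {
      const before = hooksOf(packument.versions[order[i - 1]]);
      const added = hooksOf(packument.versions[version]).filter((h) => !before.includes(h));
      if (added.length) reasons.push('new install hook: ' + added.join(', '));
    }
    if (reasons.length) findings.push({ version, published: packument.time[version], reasons });
  });
  return findings;
}

const samplePackument = {
  name: 'example-pkg',
  time: {
    '1.4.0': '2026-01-12T09:00:00.000Z',
    '1.4.1': '2026-02-03T14:30:00.000Z',
    '1.4.2': '2026-03-28T02:17:00.000Z',
  },
  versions: {
    '1.4.0': { scripts: { test: 'node test.js' } },
    '1.4.1': { scripts: { test: 'node test.js' } },
    '1.4.2': { scripts: { postinstall: 'node setup.js' } },
  },
};
const sampleTags = ['v1.4.0', 'v1.4.1'];

console.log(auditPublishHistory(samplePackument, sampleTags));
```

The input is the full metadata document the registry serves for a package name; a flagged version is a lead to check against the release process, not proof of compromise.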

FAQ

What happened to the Namastex npm packages?

Researchers found malicious versions of Namastex.ai npm packages carrying CanisterWorm, a self-spreading backdoor that steals tokens and republishes infected packages.

What is CanisterWorm?

CanisterWorm is a supply chain malware family that steals npm tokens and other secrets, then uses the stolen publish rights to infect additional packages. It uses an ICP canister as part of its command infrastructure.

Is TeamPCP behind this attack?

Socket described the Namastex compromise as TeamPCP-style, and Wiz said related worm-like npm activity used the same ICP infrastructure observed after TeamPCP’s Trivy compromise. That supports a strong connection, though attribution language still varies by vendor.

Why is this supply chain attack especially dangerous?

Because it can spread automatically through stolen publish tokens. One compromised package install can lead to more compromised packages, more stolen secrets, and deeper compromise across developer and cloud environments.
