
Imagine if someone sneaked into a library, changed the books to include secret codes, and then put them back on the shelves. That's what this malware does with software packages, and it's stealing important information while doing it!
What Happened
A serious supply chain threat has emerged in the npm ecosystem. Malicious versions of packages from Namastex.ai have been discovered, carrying CanisterWorm malware. This self-propagating backdoor mimics the attack style of the notorious threat actor known as TeamPCP. The malware silently replaces legitimate package contents with infected code, spreading across every namespace it can reach.
Recent investigations by application security firms Socket and StepSecurity have identified a total of 16 compromised packages from Namastex, including notable ones such as @automagik/genie, pgserve, and @fairwords/websocket. These packages are primarily used in AI tooling and database operations, indicating that the attack targets high-value endpoints rather than aiming for high-volume infections.
How It Works
The attack begins when the threat actor gains access to valid npm publishing tokens, likely through a compromised CI/CD pipeline. Using these tokens, the attacker modifies legitimate packages, stripping their original functionality and replacing it with malicious code. These altered packages are then republished under the same trusted names, making detection challenging for developers and automated security tools.
The injected malicious code collects sensitive data associated with various secrets, such as tokens, API keys, SSH keys, and credentials for cloud services, CI/CD systems, and even cryptocurrency wallets like MetaMask and Exodus. This capability allows the malware to propagate further by identifying and infecting every package that the compromised token can publish.
Who's Being Targeted
The affected packages from Namastex.ai appeared to be routine patch updates, complete with copied README files and familiar metadata. This method of attack targets developers who install these packages without pinning exact versions, allowing the malware to propagate further. The researchers noted that if PyPI credentials are found, the malware applies a similar method to Python packages, making this a multi-ecosystem attack.
Signs of Infection
Once the infected package is installed, a hidden postinstall hook activates immediately. This script runs a function that reads npm authentication tokens from various locations, including the user's configuration files and environment variables. It then uses these tokens to discover every package the compromised token can publish to, injecting the CanisterWorm payload and republishing the infected packages. The malware's recursive spread can occur quickly if conditions are met, as it executes the same process when newly infected packages are installed.
How to Protect Yourself
Teams using any packages from the Namastex.ai npm namespace should treat all recent versions as potentially compromised and take the immediate steps listed under Detection and Removal below. Since cross-ecosystem propagation targeting PyPI was also observed, also review Python environments that share the same credentials. Socket and StepSecurity provide indicators of compromise to help defenders identify compromised development environments or defend them against this attack.
Detection
1. Rotate npm tokens, GitHub tokens, cloud credentials, and SSH keys from any systems where affected packages were installed.
2. Audit package publish history for any unexplained version bumps linked to the same maintainer tokens.
3. Search CI/CD artifact caches for known RSA public key fingerprints associated with this campaign.
Removal
4. Enable install-time script analysis to flag postinstall hooks before execution.
5. Remove all identified malicious packages from development and CI/CD systems and rotate all potentially exposed secrets.
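A minimal pre-install review in the spirit of step 4 and of the version-pinning point above, as an added example that is not code from Socket, StepSecurity or the article's author. It works on an already-parsed package.json and package-lock.json; the watchlist holds only the three package names the article gives, and the sample manifests and version numbers are constructed.

```javascript
// Names the article gives for compromised packages (3 of the 16 it reports).
const WATCHLIST = new Set(["@automagik/genie", "pgserve", "@fairwords/websocket"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromLockPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? path : path.slice(i + "node_modules/".length);
}

// Walk a parsed package-lock.json (lockfileVersion 2 or 3) and report
// watchlisted packages and any package npm marked with hasInstallScript
// (it declares a preinstall, install or postinstall script).
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = entry.name || nameFromLockPath(path);
    if (WATCHLIST.has(name)) findings.push({ name, version: entry.version, reason: "watchlist" });
    if (entry.hasInstallScript) findings.push({ name, version: entry.version, reason: "install-script" });
  }
  return findings;
}

// Report dependencies declared as ranges or tags rather than exact versions.
function unpinned(pkg) {
  const exact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!exact.test(spec)) out.push({ name, spec, field });
    }
  }
  return out;
}

// Constructed sample manifests; versions are placeholders, not known-bad releases.
const samplePkg = {
  dependencies: { pgserve: "^0.0.0", "left-example": "1.0.0" },
  devDependencies: { "@automagik/genie": "latest" },
};
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/pgserve": { version: "0.0.0", hasInstallScript: true },
  "node_modules/left-example": { version: "1.0.0" },
  "node_modules/left-example/node_modules/@fairwords/websocket": { version: "0.0.0" },
  "node_modules/native-example": { version: "2.0.0", hasInstallScript: true },
} };
console.log(auditLockfile(sampleLock), unpinned(samplePkg));
```

Run it against the lockfile before dependencies are installed; installing with `npm ci --ignore-scripts` keeps lifecycle hooks from executing while the flagged packages are reviewed.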
Conclusion
The CanisterWorm malware poses a significant threat to the npm ecosystem, with its ability to self-propagate and exfiltrate sensitive data. Developers and organizations must act swiftly to mitigate risks and protect their environments from this sophisticated attack.
The attack's sophistication lies in its ability to blend into legitimate development processes, making it crucial for organizations to implement strict version control and auditing practices.





