Namastex.ai npm Packages Hit with TeamPCP-Style CanisterWorm Malware
A supply chain attack targeting npm packages associated with Namastex.ai has been discovered, utilizing CanisterWorm-style malware. The malicious packages execute upon installation to harvest developer credentials, cloud secrets, and cryptocurrency wallets, exfiltrating data to an ICP canister and webhooks while attempting to self-propagate across the npm and PyPI ecosystems.
Source: Socket
- domain: telemetry[.]api-monitor[.]com - Webhook domain used for exfiltrating stolen credentials and telemetry.
- sha256: 834b6e5db5710b9308d0598978a0148a9dc832361f1fa0b7ad4343dcceba2812 - Hash of dist/public.pem, the bundled RSA public key used to encrypt stolen data.
- sha256: c19c4574d09e60636425f9555d3b63e8cb5c9d63ceb1c982c35e5a310c97a839 - Hash of the malicious payload file dist/env-compat.cjs.
- url: cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0.io/drop - Internet Computer Protocol (ICP) canister endpoint used for dead-drop exfiltration.
- url: hxxps://telemetry[.]api-monitor[.]com/v1/telemetry - Primary webhook URL for data exfiltration.
Key Takeaways
- npm packages linked to Namastex.ai (@automagik/genie, pgserve) were compromised with CanisterWorm-style malware.
- The malware executes at install-time via postinstall hooks to harvest sensitive developer secrets, cloud credentials, and crypto-wallet data.
- Exfiltration occurs via a conventional webhook and an Internet Computer Protocol (ICP) canister endpoint.
- The payload includes self-propagation logic to steal npm tokens and PyPI credentials to infect and republish other packages.
Affected Systems
- Developer workstations
- CI/CD pipelines
- npm ecosystem
- PyPI ecosystem
- Linux/macOS environments (implied by targeted file paths)
Attack Chain
The attack begins when a developer installs a compromised npm package, triggering malicious code execution via a postinstall hook. The malware harvests sensitive environment variables, cloud credentials, SSH keys, and crypto-wallet data from the local system. Stolen data is encrypted using a bundled RSA public key and exfiltrated to a webhook and an ICP canister endpoint. Finally, the malware attempts to self-propagate by extracting npm and PyPI tokens from the victim machine to inject and republish malicious packages.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but lists file hashes, domains, and distinctive strings for threat hunting.
Detection Engineering Assessment
- EDR Visibility: Medium — EDR can monitor process executions (like node.js reading sensitive files such as ~/.aws/credentials), but might miss the initial npm install context without specific supply chain monitoring.
- Network Visibility: Medium — Network monitoring can detect connections to the known malicious webhook and ICP canister domains, though the traffic is likely HTTPS encrypted.
- Detection Difficulty: Moderate — Detecting the specific exfiltration endpoints is straightforward, but distinguishing malicious npm postinstall activity from legitimate build scripts requires behavioral baselining.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon 1)
- File Access (Sysmon 11)
- DNS Query (Sysmon 22)
- Network Connection (Sysmon 3)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for Node.js or Python processes reading multiple sensitive credential files (e.g., .aws/credentials, .npmrc, .ssh/id_rsa) in rapid succession. | File Access logs (EDR/Sysmon) | Credential Access | Medium |
| Identify outbound network connections from package managers (npm, pip) or their child processes to unusual domains, specifically raw.icp0.io or api-monitor.com. | Network Connection logs, DNS queries | Exfiltration | Low |
| Monitor for the creation or modification of Python .pth files in site-packages directories by unexpected processes. | File Creation logs | Persistence/Privilege Escalation | Low |
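The first hypothesis in the table, worked through as an added example (not code from the Socket report): it flags a Node.js or Python process that touches several of the credential locations this page lists within a short window. The event schema (`ts`, `pid`, `image`, `path`), the 5-second window and the three-location threshold are assumptions to adapt to your EDR or Sysmon export.

```javascript
// Added example: burst detection over file-access telemetry (assumed schema).
// Path fragments are taken from the file paths this page lists as targeted.
const SENSITIVE = ['/.npmrc', '/.ssh/', '/.git-credentials', '/.netrc', '/.aws/',
  '/.config/gh/hosts.yml', '/.kube/config', '/.docker/config.json'];
const INTERPRETERS = new Set(['node', 'python', 'python3']);

// Map a path to the sensitive location it falls under, or null.
function category(path) {
  return SENSITIVE.find((frag) => path.includes(frag)) || null;
}

// Flag any interpreter process (by pid) that touches >= minCategories distinct
// credential locations within windowMs. Events: { ts, pid, image, path }.
function findCredentialSweeps(events, { windowMs = 5000, minCategories = 3 } = {}) {
  const byPid = new Map();
  for (const ev of events) {
    const cat = category(ev.path);
    if (!cat || !INTERPRETERS.has(ev.image)) continue;
    if (!byPid.has(ev.pid)) byPid.set(ev.pid, []);
    byPid.get(ev.pid).push({ ts: Date.parse(ev.ts), cat, image: ev.image });
  }
  const alerts = [];
  for (const [pid, hits] of byPid) {
    hits.sort((a, b) => a.ts - b.ts);
    let start = 0;
    for (let end = 0; end < hits.length; end++) {
      while (hits[end].ts - hits[start].ts > windowMs) start++; // slide window
      const cats = new Set(hits.slice(start, end + 1).map((h) => h.cat));
      if (cats.size >= minCategories) {
        alerts.push({ pid, image: hits[end].image, categories: [...cats].sort() });
        break; // one alert per process is enough for triage
      }
    }
  }
  return alerts;
}

// Constructed sample events (not real telemetry).
const sampleEvents = [
  { ts: '2025-01-01T10:00:00.000Z', pid: 4111, image: 'node', path: '/home/dev/.npmrc' },
  { ts: '2025-01-01T10:00:00.200Z', pid: 4111, image: 'node', path: '/home/dev/.aws/credentials' },
  { ts: '2025-01-01T10:00:00.400Z', pid: 4111, image: 'node', path: '/home/dev/.ssh/id_rsa' },
  { ts: '2025-01-01T10:00:01.000Z', pid: 5200, image: 'node', path: '/home/dev/.npmrc' },
  { ts: '2025-01-01T10:03:00.000Z', pid: 5200, image: 'node', path: '/home/dev/.aws/config' },
  { ts: '2025-01-01T10:06:00.000Z', pid: 5200, image: 'node', path: '/home/dev/.ssh/id_rsa' },
  { ts: '2025-01-01T10:00:02.000Z', pid: 6300, image: 'ssh', path: '/home/dev/.ssh/id_rsa' },
];
console.log(findCredentialSweeps(sampleEvents));
```

Process 5200 reads the same three locations over six minutes and stays below the threshold, which is the baselining trade-off the assessment above describes: widening the window catches slower sweeps at the cost of more build-tool noise.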
Control Gaps
- Lack of egress filtering for developer workstations
- Implicit trust in npm package postinstall scripts
Key Behavioral Indicators
- Node.js executing dist/env-compat.cjs
- Presence of X-Session-ID and X-Request-Signature headers in unexpected outbound traffic from dev tools
- sqlite3 accessing Chrome Login Data from a Node context
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Block and remove the identified malicious package versions (@automagik/genie, pgserve, etc.) from all environments.
- Rotate all npm tokens, GitHub tokens, cloud credentials, and SSH keys present on affected systems.
Infrastructure Hardening
- Implement strict egress filtering on CI/CD pipelines and developer workstations to block unknown domains.
- Disable npm postinstall scripts globally (npm config set ignore-scripts true) where not strictly required.
User Protection
- Deploy endpoint monitoring to alert on unauthorized access to sensitive files (e.g., ~/.aws, ~/.ssh).
- Use hardware security keys (FIDO2) for critical infrastructure access to mitigate credential theft.
Security Awareness
- Educate developers on the risks of typosquatting and supply chain attacks.
- Establish a policy for reviewing new dependencies and their updates before integration.
MITRE ATT&CK Mapping
- T1195.001 - Compromise Software Dependencies and Development Tools
- T1059.007 - Command and Scripting Interpreter: JavaScript
- T1552.001 - Credentials In Files
- T1552.004 - Private Keys
- T1555.003 - Credentials from Web Browsers
- T1048 - Exfiltration Over Alternative Protocol
Additional IOCs
- Domains:
  - cjn37-uyaaa-aaaac-qgnva-cai[.]raw[.]icp0[.]io - ICP canister domain for exfiltration
- URLs:
  - hxxps://telemetry[.]api-monitor[.]com/v1/drop - Secondary webhook exfiltration URL
- File Paths:
  - ~/.npmrc - Targeted for credential theft
  - ~/.ssh/ - Targeted for SSH key theft
  - ~/.git-credentials - Targeted for credential theft
  - ~/.netrc - Targeted for credential theft
  - ~/.aws/ - Targeted for cloud credential theft
  - ~/.config/gh/hosts.yml - Targeted for GitHub credential theft
  - ~/.kube/config - Targeted for Kubernetes credential theft
  - ~/.docker/config.json - Targeted for Docker credential theft
  - /proc/*/environ - Targeted for environment variable theft on Linux
  - dist/env-compat.cjs - Malware payload file
  - dist/public.pem - Bundled RSA public key
- Command Lines:
  - Purpose: Execute malicious payload via postinstall hook | Tools: node | Stage: Execution | node dist/env-compat.cjs
- Other:
  - 87259b0d1d017ad8b8daa7c177c2d9f0940e457f8dd1ab3abab3681e433ca88e - DER SHA-256 fingerprint of RSA public key
  - cjn37-uyaaa-aaaac-qgnva-cai - Hardcoded ICP canister ID
  - pkg-telemetry - Distinctive string in malware
  - dist-propagation-report - Distinctive string in malware
  - pypi-pth-exfil - Distinctive string in malware
  - X-Session-ID - Distinctive HTTP header string used by malware
  - X-Request-Signature - Distinctive HTTP header string used by malware
  - @automagik/genie - Compromised npm package
  - pgserve - Compromised npm package
  - @fairwords/websocket - Compromised npm package
  - @fairwords/loopback-connector-es - Compromised npm package
  - @openwebconcept/design-tokens - Compromised npm package
  - @openwebconcept/theme-owc - Compromised npm package
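
To apply the indicators above to an existing install, the following added example (not from the Socket report) walks a `node_modules` tree and reports packages that match a listed name, declare a postinstall hook that runs `env-compat.cjs`, or contain a file whose SHA-256 matches the two file hashes on this page. The function names and finding labels are this example's own; the page does not list affected versions, so a name match is a prompt to check the installed version against the advisory.

```javascript
// Added example: scan an installed dependency tree for this page's indicators.
const fs = require('node:fs');
const path = require('node:path');
const crypto = require('node:crypto');

// Package names and file hashes copied from the IOC lists on this page.
const BAD_NAMES = new Set(['@automagik/genie', 'pgserve', '@fairwords/websocket',
  '@fairwords/loopback-connector-es', '@openwebconcept/design-tokens',
  '@openwebconcept/theme-owc']);
const BAD_HASHES = {
  'dist/env-compat.cjs': 'c19c4574d09e60636425f9555d3b63e8cb5c9d63ceb1c982c35e5a310c97a839',
  'dist/public.pem': '834b6e5db5710b9308d0598978a0148a9dc832361f1fa0b7ad4343dcceba2812',
};

const sha256 = (file) =>
  crypto.createHash('sha256').update(fs.readFileSync(file)).digest('hex');

// Inspect one package directory; returns a list of finding labels.
function inspectPackage(dir, badHashes = BAD_HASHES) {
  const findings = [];
  let manifest;
  try { manifest = JSON.parse(fs.readFileSync(path.join(dir, 'package.json'), 'utf8')); }
  catch { return findings; } // no readable manifest: not a package directory
  if (BAD_NAMES.has(manifest.name)) findings.push(`listed-name:${manifest.name}@${manifest.version}`);
  const hook = (manifest.scripts && manifest.scripts.postinstall) || '';
  if (hook.includes('env-compat.cjs')) findings.push('postinstall-runs-payload');
  for (const [rel, bad] of Object.entries(badHashes)) {
    const file = path.join(dir, rel);
    if (fs.existsSync(file) && sha256(file) === bad) findings.push(`hash-match:${rel}`);
  }
  return findings;
}

// Walk node_modules, descending into @scope dirs and nested node_modules.
function scanNodeModules(root, badHashes = BAD_HASHES) {
  const results = {};
  if (!fs.existsSync(root)) return results;
  for (const entry of fs.readdirSync(root, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith('.')) continue; // skips symlinks
    const dir = path.join(root, entry.name);
    if (entry.name.startsWith('@')) { Object.assign(results, scanNodeModules(dir, badHashes)); continue; }
    const findings = inspectPackage(dir, badHashes);
    if (findings.length) results[dir] = findings;
    Object.assign(results, scanNodeModules(path.join(dir, 'node_modules'), badHashes));
  }
  return results;
}

console.log(scanNodeModules(process.argv[2] || 'node_modules'));
```

The scan only reads files and never executes package code, so it is safe to run on a suspect checkout. Symlinked package directories (as used by some package managers) are skipped and need a separate pass over the store they point to.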