Critical Namastex npm Package Flaw Delivers CanisterWorm Malware
Key Takeaways Malicious versions of npm packages associated with Namastex.ai have been found distributing the self-propagating CanisterWorm malware. The attack leverages compromised npm publishing...
Key Takeaways
- Malicious versions of npm packages associated with Namastex.ai have been found distributing the self-propagating CanisterWorm malware.
- The attack leverages compromised npm publishing tokens to inject backdoors into legitimate packages, subsequently republishing them under their original names.
- CanisterWorm is a sophisticated supply chain threat that steals sensitive credentials and propagates itself across the npm ecosystem, mirroring the tactics of the TeamPCP threat actor.
- The malware uses an Internet Computer Protocol (ICP) canister for resilient command and control, enabling attackers to update payloads without direct interaction with infected systems.
- Organizations should immediately rotate credentials, audit package histories, and implement install-time script analysis if Namastex.ai npm packages have been used.
Critical Supply Chain Attack Hits Namastex.ai npm Packages with CanisterWorm Malware
A significant supply chain vulnerability has emerged within the npm ecosystem, with malicious versions of packages linked to Namastex.ai actively distributing the CanisterWorm malware. This sophisticated, self-propagating backdoor, which security researchers have extensively detailed, exhibits operational characteristics highly consistent with the notorious TeamPCP threat actor.
Table Of Content
The attack mechanism involves the stealthy replacement of legitimate package contents with malicious code. Utilizing stolen credentials, the malware then spreads across every accessible namespace, silently compromising additional packages.
This campaign aligns with the established modus operandi of TeamPCP, a threat actor known for compromising valid npm publishing tokens, likely via vulnerable CI/CD pipelines. Once access is gained, the attacker strips original functionality from trusted packages, injects their malicious payload, and then republishes them under their authentic names.
The compromised Namastex.ai packages were released as seemingly routine patch updates. They meticulously replicated README files and metadata, making them exceedingly difficult for developers and automated security tools to detect.
CanisterWorm’s Broad Reach and Unique C2 Infrastructure
Researchers at Socket.dev discovered this threat as part of a wider investigation into the CanisterWorm supply chain attack. By late March 2026, this campaign had expanded to encompass over 135 malicious artifacts across more than 64 unique packages. The Socket Research Team highlighted that the Namastex.ai compromises mirrored the tradecraft observed in earlier CanisterWorm incidents, indicating shared attacker infrastructure and a consistent payload design across diverse victim environments.
The name “CanisterWorm” originates from a critical technical aspect of its communication with operators. Instead of relying on conventional servers, the backdoor employs an Internet Computer Protocol (ICP) canister as a dead-drop command and control (C2) channel. This innovative design allows attackers to rotate second-stage payloads without directly interacting with the implant on infected systems, significantly bolstering its resilience against standard takedown efforts.
A Wiz investigation report, published on March 20, 2026, definitively attributed the campaign to TeamPCP, the same threat actor previously linked to attacks targeting Aqua Security’s Trivy tool.
Self-Propagation: How CanisterWorm Spreads
What distinguishes CanisterWorm from typical credential-stealing malware is its embedded worm-like propagation capability. Upon installation of an infected package, a hidden postinstall hook is immediately triggered. This script executes in the background without any terminal warnings or prompts, making its operation clandestine.
The script initiates a findNpmTokens() function, designed to extract npm authentication tokens from various locations. These include the ~/.npmrc file, project-level .npmrc files, environment variables such as NPM_TOKEN, and live npm configuration queries.
The stolen tokens are then passed to a secondary script, deploy.js, which runs as a fully detached background process. This script queries the npm registry to identify every package the compromised token has publishing rights to. For each identified package, it increments the patch version, injects the CanisterWorm payload, and republishes it using the --tag latest flag. Consequently, any developer installing these packages without specifying an exact version will silently receive the infected release, inadvertently becoming a new vector for propagation.
Beyond its propagation mechanism, the CanisterWorm payload is designed to harvest a wide array of sensitive data. This includes environment variables, SSH keys, cloud credentials for AWS, Azure, and GCP, Kubernetes service account tokens, Docker registry credentials, and TLS private keys. The malware also targets browser login storage and cryptocurrency wallet files associated with MetaMask and Phantom. Exfiltrated data is encrypted using RSA public key encryption and transmitted over HTTPS to the ICP canister endpoint. If an RSA key is not present on the target system, the malware defaults to transmitting data in plaintext.
What You Should Do
- Rotate Credentials Immediately: If your organization has used any packages from the Namastex.ai npm namespace, assume all recent versions are potentially compromised. Promptly rotate npm tokens, GitHub tokens, cloud credentials, and SSH keys from any systems where these affected packages were installed.
- Audit Package Publish History: Scrutinize package publish histories for any unexplained version bumps linked to the same maintainer tokens.
- Hunt for Malware Artifacts: Search CI/CD artifact caches for the known RSA public key fingerprint and file hashes associated with this campaign.
- Enable Install-Time Script Analysis: Implement and enable tools that perform install-time script analysis to flag suspicious postinstall hooks before they execute.
- Review Python Environments: Given that cross-ecosystem propagation logic targeting PyPI was observed in related activities, thoroughly review Python environments that share credentials with potentially compromised npm environments.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.