A significant threat has emerged within the npm ecosystem, as malicious versions of packages from Namastex.ai have been identified carrying the CanisterWorm malware. This malware acts as a self-propagating backdoor, replicating the attack methods associated with the hacker group TeamPCP.
The Threat of CanisterWorm in npm Packages
The operation discreetly substitutes legitimate package content with infected code, facilitating its spread across all accessible namespaces using stolen credentials. Such tactics align with TeamPCP’s known operations, where attackers obtain npm publishing tokens, presumably via compromised CI/CD pipelines.
These tokens are then exploited to strip genuine functionality from legitimate packages, replacing them with harmful code before republishing under trusted package names. The compromised Namastex.ai packages appeared as standard patch updates, complete with copied README files and metadata, complicating detection efforts by developers and security tools.
Research and Analysis of the Malware Campaign
Researchers at Socket.dev, during a broader investigation into the CanisterWorm supply chain attack campaign, discovered this threat. By March 2026, the campaign had escalated to over 135 malicious package artifacts spread across more than 64 unique packages.
According to the Socket Research Team, the Namastex.ai packages demonstrated the same techniques observed in previous CanisterWorm activities, indicating shared infrastructure among attackers and a consistent payload design across various victim namespaces.
The name ‘CanisterWorm’ derives from the malware’s method of communicating with its operators. Instead of using a conventional server, it utilizes an Internet Computer Protocol (ICP) canister as a command and control channel, allowing attackers to update payloads without altering the running implant, thus resisting standard takedown efforts.
Propagation and Impact of CanisterWorm
CanisterWorm’s distinct characteristic is its self-propagation capability, distinguishing it from typical credential-stealing malware. Upon package installation, a hidden postinstall hook activates silently. This script executes a findNpmTokens() function that retrieves npm authentication tokens from multiple sources, including the ~/.npmrc file, project-level .npmrc files, and environment variables like NPM_TOKEN.
These stolen tokens are passed to a secondary script called deploy.js, which operates in the background. It queries the npm registry to find all packages the compromised token can publish to, increments their patch versions, injects the CanisterWorm payload, and republishes them using the --tag latest flag. Developers installing these packages without specifying exact versions unknowingly receive the infected release, becoming new vectors for propagation.
Apart from spreading, the malware collects environment variables, SSH keys, cloud credentials, Kubernetes tokens, Docker credentials, and TLS private keys. It also targets browser login storage and crypto wallet files linked to MetaMask and Phantom. Collected data is encrypted with RSA keys and sent over HTTPS to the ICP canister endpoint. If no RSA key is available, the malware defaults to plaintext transmission.
Recommendations for Affected Teams
Teams utilizing any Namastex.ai npm packages should consider all recent versions as potentially compromised. It is crucial to rotate npm tokens, GitHub tokens, cloud credentials, and SSH keys on systems where affected packages were installed. Auditing package publish history for unexplained version changes linked to the same maintainer tokens is also recommended.
Hunt across CI/CD artifact caches for known RSA public key fingerprints and file hashes related to this campaign. Implement install-time script analysis to detect postinstall hooks before execution. As cross-ecosystem propagation affecting PyPI has also been observed, Python environments sharing the same credentials should be reviewed immediately.
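As an added example (not code from the article, Socket.dev or any affected project), the following Node.js script implements the install-time hook check recommended above: it inspects package.json manifests for preinstall, install and postinstall scripts and flags the command patterns a reviewer would want to examine before allowing them to run. The heuristic patterns and the sample manifests are constructed for illustration, not signatures taken from the campaign.

```javascript
// Lifecycle hooks that npm runs automatically during install.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Review heuristics chosen for this example (assumptions, not campaign IoCs).
const SUSPICIOUS = [
  { re: /node\s+\S*\.js/, why: "runs a bundled script" },
  { re: /&\s*$|nohup|detached|start \/b/i, why: "backgrounds a process" },
  { re: /\.npmrc|NPM_TOKEN|npm_config/i, why: "references npm credentials" },
  { re: /curl|wget|fetch\(/i, why: "performs network access" },
  { re: /\.ssh|\.aws|\.kube|\.docker/i, why: "references credential stores" },
];

// Return one finding per install-time hook in a parsed package.json object.
// Every hook is reported for review; hooks matching a heuristic are "high".
function analyzeManifest(pkg) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] !== "string") continue;
    const command = scripts[hook];
    const reasons = SUSPICIOUS.filter((p) => p.re.test(command)).map((p) => p.why);
    findings.push({
      name: pkg.name, version: pkg.version, hook, command, reasons,
      risk: reasons.length > 0 ? "high" : "review",
    });
  }
  return findings;
}

// Scan a list of manifests (e.g. every node_modules/*/package.json).
function scanManifests(manifests) {
  return manifests.flatMap(analyzeManifest);
}

// Constructed sample manifests; none of these are real packages.
const SAMPLE_MANIFESTS = [
  { name: "example-clean", version: "1.2.3", scripts: { test: "jest" } },
  { name: "example-native", version: "0.4.1", scripts: { install: "node-gyp rebuild" } },
  { name: "example-suspect", version: "2.0.6",
    scripts: { postinstall: "node scripts/setup.js && node deploy.js &" } },
];

for (const f of scanManifests(SAMPLE_MANIFESTS)) {
  console.log(`[${f.risk}] ${f.name}@${f.version} ${f.hook}: ${f.command}`
    + (f.reasons.length ? ` (${f.reasons.join("; ")})` : ""));
}
```

Installing with npm's --ignore-scripts flag and reviewing this output before re-enabling scripts is one way to apply the check in a CI pipeline.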
