Self-propagating npm worm hits Namastex Labs packages, steals secrets across npm, PyPI, and crypto wallets

A new supply-chain worm is loose on npm, stealing developer credentials and republishing itself automatically from whichever compromised account it lands on. Socket and StepSecurity identified the attack in packages published by Namastex Labs, a company that builds agentic AI tooling, with 16 package versions confirmed malicious so far and the first poisoned release (pgserve 1.1.11 on April 21 at 22:14 UTC) followed by two more the same day. The injected code grabs tokens, API keys, SSH keys, credentials for cloud services, CI/CD systems, container registries, and LLM platforms, plus Kubernetes and Docker configs, then rifles through Chrome and Firefox for cryptocurrency wallet data including MetaMask, Exodus, Atomic Wallet, and Phantom. If the malware finds an npm publish token in environment variables or ~/.npmrc, it identifies every package the victim can publish, injects itself into each, bumps the version, and republishes - a worm in the literal sense. It applies the same trick to PyPI via a .pth-based payload if Python credentials are present, making this a cross-ecosystem threat. Socket and StepSecurity note the techniques mirror TeamPCP's CanisterWorm attacks but stop short of definitive attribution.

Check

Search your package-lock and yarn.lock files and private registry caches for any of the listed Namastex Labs versions, and then rotate every credential that has ever been present on a machine that installed them.

Affected

Confirmed malicious versions per Socket: @automagik/genie 4.260421.33 through 4.260421.39; pgserve 1.1.11 through 1.1.13; @fairwords/websocket 1.0.38 through 1.0.39; @fairwords/loopback-connector-es 1.4.3 through 1.4.4; @openwebconcept/theme-owc 1.0.3; @openwebconcept/design-tokens 1.0.3. Any additional npm package republished by an account whose publish token was exfiltrated by this worm is also potentially malicious.

Fix

Remove the listed versions from development environments, CI/CD runners, and private mirrors immediately. Rotate every secret the worm would have seen: npm publish tokens, PyPI tokens, cloud provider keys, CI/CD deploy keys, SSH keys, LLM platform API keys, container registry credentials, and any crypto wallet seeds stored in browser extensions on affected machines. Audit your package caches and internal mirrors for related packages that share the same public.pem file, webhook host, or postinstall pattern (Socket publishes IoCs for this). Pin production dependencies to known-good versions with integrity hashes and deny the newest versions of the affected packages in your package firewall until forensics is complete.