Malicious npm packages have been identified distributing malware that steals credentials and attempts to spread across developer ecosystems.
According to new research from Socket, the activity mirrors earlier worm-style supply chain attacks that used blockchain-hosted infrastructure, including Internet Computer Protocol (ICP) canisters, for command and control (C2).
Impacted packages include multiple versions of @automagik/genie and pgserve, both linked to developer tooling workflows. Researchers found the malware executes during installation, harvesting sensitive data and attempting to republish compromised packages using stolen credentials.
Malware Focuses on Sensitive Data
The payload scans infected systems for secrets stored in environment variables and configuration files. Targeted data includes cloud credentials, CI/CD tokens, SSH keys and local developer artifacts such as .npmrc and shell histories.
It also attempts to access browser-stored data and cryptocurrency wallets, including Chrome profiles and extensions like MetaMask and Phantom.
Exfiltration occurs through two channels: a standard HTTPS webhook and an ICP endpoint. Data can be encrypted using AES-256 and RSA methods, though plaintext fallback is possible.
Self-Propagation and Possible Repository Compromise
A key feature of the malware is its ability to spread. The malware extracts npm tokens, identifies accessible packages, injects malicious code, and republishes them, enabling further compromise across the ecosystem.
It also includes functionality to propagate via Python’s PyPI repository by generating malicious packages using .pth file injection when credentials are present.
Read more on similar threats: Malicious Machine Learning Model Attack Discovered on PyPI
Researchers observed similarities with prior TeamPCP-linked campaigns, including the use of post-install scripts and canister-based infrastructure. However, the exact source of the compromise remains under investigation.
Evidence suggests legitimate projects may have been hijacked. Some affected packages have active usage, with one showing over 6,700 weekly downloads. Inconsistencies between npm releases and Git tags further raise suspicion.
Socket said the situation is still evolving, with additional malicious versions continuing to emerge and the full scope of the attack not yet confirmed.
