A new supply chain attack targeting the npm ecosystem has compromised multiple Namastex Labs packages to steal developer credentials and secrets while attempting to self-propagate. Researchers from Socket and StepSecurity observed credential theft, data exfiltration, and worm-like republishing behavior similar to TeamPCP's CanisterWorm, impacting packages such as pgserve and allowing cross-ecosystem spread to PyPI. #NamastexLabs #npm #CanisterWorm #pgserve #PyPI
Key points
- Attackers compromised multiple Namastex Labs npm packages to harvest developer credentials and secrets.
- Injected code exfiltrates tokens, API keys, SSH keys, cloud and CI/CD credentials, and browser wallets like MetaMask.
- The malware locates publish tokens and injects itself into any package the token can publish, republishing those packages with bumped version numbers to spread.
- Researchers noted overlap with techniques used in TeamPCP's CanisterWorm but could not make a confident attribution.
- Recommended actions include removing affected package versions, rotating exposed secrets, auditing for shared indicators, and checking internal mirrors and caches.
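As an added, defender-side illustration of the last recommendation (not code from the report or from either research team): a small Python audit that walks a lockfileVersion 2/3 package-lock.json and flags every dependency named on a watchlist, plus anything that carries an install script, so a team can review what its lockfiles and internal mirrors actually resolved. pgserve is the only name taken from the report; the second watchlist entry, the version strings and the sample lockfile are constructed placeholders.

```python
import json
import sys
from typing import Dict, List, Optional, Set

# Constructed watchlist. pgserve is named in the report; the second entry is a
# placeholder for the exact names/versions listed in the advisories you act on.
# A value of None flags every installed version so it can be checked by hand.
WATCHLIST: Dict[str, Optional[Set[str]]] = {
    "pgserve": None,
    "example-affected-pkg": {"2.0.0", "2.0.1"},  # placeholder versions
}

# Constructed sample lockfile (lockfileVersion 3 layout); versions are made up.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/pgserve": {"version": "0.3.5"},
        "node_modules/left-pad": {"version": "1.3.0"},
        # nested copy resolved under another dependency
        "node_modules/left-pad/node_modules/pgserve": {"version": "0.2.0"},
        # hasInstallScript is the real lockfile field npm sets for packages
        # with preinstall/install/postinstall hooks
        "node_modules/some-native-dep": {"version": "4.2.0", "hasInstallScript": True},
    },
}


def audit_lockfile(lock: Dict) -> List[Dict]:
    """Return one finding per watchlisted or install-script package in a v2/v3 lockfile."""
    packages = lock.get("packages")
    if packages is None:
        raise ValueError("only lockfileVersion 2/3 ('packages' map) is supported")
    findings: List[Dict] = []
    for path, meta in packages.items():
        if path == "":  # the root project entry, not a dependency
            continue
        # last 'node_modules/' segment gives the package name, scoped or nested
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        bad = WATCHLIST.get(name)
        if name in WATCHLIST and (bad is None or version in bad):
            findings.append({"path": path, "name": name, "version": version, "reason": "watchlist"})
        if meta.get("hasInstallScript"):
            findings.append({"path": path, "name": name, "version": version, "reason": "install-script"})
    return findings


if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for f in audit_lockfile(lock):
        print(f"{f['reason']:15} {f['name']}@{f['version']}  ({f['path']})")
```

Run it against each package-lock.json and each mirror-side manifest you keep, and treat every watchlist hit as a version to compare against the published advisory.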