Feed
CriticalPublished 21 Apr 20266 packages · 16 versions

CanisterSprawl: self-propagating npm worm hits pgserve + Namastex packages

Summary

Socket and StepSecurity disclosed CanisterSprawl, a self-propagating npm worm that compromised at least 16 versions across Namastex Labs and related publishers from 21 April 2026. The postinstall hook harvests 38 env vars and filesystem secrets, encrypts via AES-256-CBC + RSA-4096, and exfiltrates to an Internet Computer Protocol canister. Stolen npm tokens are reused to publish further malicious versions. Tradecraft matches the earlier TeamPCP CanisterWorm campaign.

wormcredential-theftmaintainer-takeoverinfostealerobfuscation
Detected by
StepSecurity · Socket
Also known as
CanisterSprawl · CanisterWorm variant
Ecosystems
npm
Packages tracked
6

What happened

StepSecurity and Socket disclosed CanisterSprawl on April 21, 2026 — a self-propagating npm worm focused on Namastex Labs and adjacent publishers. At least 16 malicious versions were published across pgserve, @automagik/genie, @fairwords/websocket, @fairwords/loopback-connector-es, and the @openwebconcept design-token packages.

The postinstall hook harvests 38 environment-variable names plus filesystem secrets (SSH private keys, .npmrc, .aws/credentials, Chrome saved passwords). The data is encrypted with AES-256-CBC under a randomly-generated key, the key is sealed with the attacker's RSA-4096 public key, and the bundle is uploaded to an Internet Computer Protocol (ICP) canister rather than a normal HTTP endpoint. ICP canisters are immune to conventional domain-takedown, which is the operational point of using one as a drop.

Stolen npm tokens are immediately reused to publish new malicious versions of any other package the maintainer can publish to, which is how the worm hopped from Namastex into the Fairwords and OpenWebConcept namespaces. The tradecraft — env-var list, encryption layout, ICP canister exfil — matches the earlier TeamPCP CanisterWorm campaign closely enough that StepSecurity considers it the same operator infrastructure even though TeamPCP did not publicly claim this one.

If you resolved any affected version, rotate every npm token, cloud key, and SSH credential present on the machine, then block egress to *.raw.icp0.io and telemetry.api-monitor.com.

Affected packages (6)

  • npm@automagik/genie
    4.260421.334.260421.344.260421.354.260421.364.260421.374.260421.384.260421.39
  • npm@fairwords/loopback-connector-es
    1.4.31.4.4
  • npm@fairwords/websocket
    1.0.381.0.39
  • npm@openwebconcept/design-tokens
    1.0.3
  • npm@openwebconcept/theme-owc
    1.0.3
  • npmpgserve
    1.1.111.1.121.1.13

Impact

  • Steals npm tokens, AWS/GCP/Azure credentials, SSH keys, Chrome passwords
  • Self-replicates to additional packages via stolen publish tokens
  • Exfiltration to ICP canister immune to domain takedown
  • Python .pth-based PyPI lateral path if PyPI creds are found

What to do

  1. 1Remove the listed versions and downgrade to the last legitimate release
  2. 2Rotate every npm token, cloud key, and SSH credential present on affected machines
  3. 3Block egress to *.raw.icp0.io and telemetry.api-monitor.com

References

npm-2026-04-21-canisterworm-pgserve-namastex