Security researchers at Socket and StepSecurity have discovered malicious versions of two npm packages — pgserve (an embedded PostgreSQL server) and automagik (an AI coding CLI) — that steal credentials, SSH keys, cloud provider tokens (AWS, Azure, GCP), browser passwords, and crypto wallet data. The malware functions as a supply-chain worm: if it finds an npm publish token on the victim machine, it re-injects itself into every package that token can publish, potentially cascading through an entire organization. The stolen data is exfiltrated to a blockchain-hosted ICP canister that cannot be taken down by law enforcement. Security experts advise immediately rotating all credentials, disabling postinstall script execution via `npm config set ignore-scripts true`, scoping publish tokens with least privilege, hardening CI/CD egress controls, and using SCA tools that detect registry-to-repo mismatches.
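The worm described above runs from an npm install-time lifecycle hook, which is why `ignore-scripts` is the headline mitigation. The following added example (written for this page, not code from Socket, StepSecurity, or either package) audits an installed `node_modules` tree and lists every package that declares a hook npm would run during `npm install`; the package names and commands in the sample tree are constructed.

```python
"""Audit a node_modules tree for install-time lifecycle scripts (added example)."""
import json
import os
import tempfile
from pathlib import Path

# Hooks npm runs automatically during `npm install` unless ignore-scripts is set.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_scripts(node_modules: str) -> dict[str, dict[str, str]]:
    """Return {package_name: {hook: command}} for every installed package declaring a hook.

    Only manifests at node_modules/<name>/ or node_modules/@scope/<name>/ are
    considered (including nested node_modules), so test fixtures and vendored
    copies deeper inside a package do not produce noise.
    """
    findings: dict[str, dict[str, str]] = {}
    for dirpath, _dirnames, filenames in os.walk(node_modules):
        if "package.json" not in filenames:
            continue
        parent = os.path.basename(os.path.dirname(dirpath))
        grandparent = os.path.basename(os.path.dirname(os.path.dirname(dirpath)))
        is_scoped = parent.startswith("@") and grandparent == "node_modules"
        if parent != "node_modules" and not is_scoped:
            continue
        try:
            data = json.loads(Path(dirpath, "package.json").read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest: nothing to report here
        scripts = data.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            findings[data.get("name", os.path.basename(dirpath))] = hooks
    return findings


def demo() -> dict[str, dict[str, str]]:
    """Build a constructed tree (one clean package, one scoped package with a postinstall hook)."""
    clean = {"name": "example-clean", "version": "1.0.0", "scripts": {"test": "node test.js"}}
    hooked = {"name": "@example/hooked", "version": "2.3.1",
              "scripts": {"postinstall": "node scripts/setup.js", "build": "tsc"}}
    with tempfile.TemporaryDirectory() as base:
        for sub, manifest in (("example-clean", clean), ("@example/hooked", hooked)):
            pkg_dir = Path(base, "node_modules", sub)
            pkg_dir.mkdir(parents=True)
            (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        return find_install_scripts(os.path.join(base, "node_modules"))


if __name__ == "__main__":
    for name, hooks in demo().items():
        print(name, hooks)  # prints: @example/hooked {'postinstall': 'node scripts/setup.js'}
```

Run it against a real project with `find_install_scripts("./node_modules")`; any package that appears should be reviewed, pinned, or installed with scripts disabled.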