Multiple npm packages tied to Namastex Labs (Automagik suite) have been compromised with malware closely resembling the TeamPCP CanisterWorm campaign. Affected packages include @automagik/genie (versions 4.260421.33–39), pgserve (1.1.11–1.1.13), and several @fairwords and @openwebconcept packages linked via a shared RSA public key. The malicious payload harvests secrets and credentials from developer environments (SSH keys, .npmrc, cloud credentials, browser/wallet data), exfiltrates data to a webhook and an Internet Computer Protocol (ICP) canister, and self-propagates by injecting malicious postinstall hooks into packages the victim can publish — including cross-ecosystem propagation to PyPI. Defenders should immediately remove affected versions, rotate all credentials, and audit publish history and package mirrors using the provided IOCs.

From socket.dev (7 min read)
Table of contents:
- Why this looks like a compromise, not just a malicious new package
- Tradecraft overlap with recent canister-backed npm worm
- A second affected package: pgserve
- Public key reuse links this activity to other malicious packages
- IOCs and hunt pivots
- What defenders should do now
- Package Versions
