Worm-Like Malware in npm Packages Steals Credentials and Targets PyPI
Malicious npm packages @automagik/genie and pgserve are spreading worm-like malware that steals credentials, cloud tokens, SSH keys, and cryptocurrency wallet data, with self-propagation capabilities extending to PyPI.
Security researchers at Socket have uncovered a sophisticated supply chain attack targeting the npm ecosystem, with malicious packages @automagik/genie and pgserve distributing malware that steals sensitive credentials and attempts to propagate like a worm across developer environments. The campaign, detailed in a report published April 24, 2026, mirrors earlier worm-style attacks that leveraged blockchain-hosted infrastructure for command and control.
The malicious packages execute their payload during npm installation, scanning infected systems for secrets stored in environment variables, configuration files, and developer artifacts. Targeted data includes cloud credentials, CI/CD tokens, SSH keys, and local files such as .npmrc and shell histories. The malware also attempts to access browser-stored data and cryptocurrency wallets, including Chrome profiles and extensions like MetaMask and Phantom.
Exfiltration occurs through two channels: a standard HTTPS webhook and an endpoint hosted on the Internet Computer Protocol (ICP) canisters. The stolen data can be encrypted using AES-256 and RSA methods, though researchers noted that plaintext fallback is possible, indicating the attackers prioritized operational simplicity over stealth in some cases.
A key feature of the malware is its self-propagation capability. The payload extracts npm tokens from the compromised system, identifies accessible packages, injects malicious code, and republishes them under the attacker's control. This enables further compromise across the npm ecosystem. Additionally, the malware includes functionality to propagate via Python's PyPI repository by generating malicious packages using .pth file injection when credentials are present.
Researchers observed similarities with prior TeamPCP-linked campaigns, including the use of post-install scripts and canister-based infrastructure. However, the exact source of the compromise remains under investigation. Evidence suggests that legitimate projects may have been hijacked, with inconsistencies between npm releases and Git tags raising suspicion.
One affected package has over 6,700 weekly downloads, highlighting the potential reach of the attack. Socket said the situation is still evolving, with additional malicious versions continuing to emerge and the full scope of the attack not yet confirmed. Developers are urged to audit their dependencies, rotate any exposed tokens, and monitor for suspicious activity in their CI/CD pipelines.