
New Worm-Like Supply Chain Attack on NPM: Malicious Code Detected in 16 Namastex Packages

Author: Sedat Onat

A dangerous cyber-attack wave targeting software developers has begun spreading through the NPM package manager, harvesting critical credentials. Security researchers detected the campaign starting April 21, propagating automatically through compromised accounts.

Socket and StepSecurity teams identified malicious code planted by attackers in 16 packages published by Namastex Labs. The malware does more than steal data — it uses the developer's auth tokens to inject itself into other packages. The targeting of AI-agent and database libraries indicates the campaign is aimed at high-value victims.

The worm-like mechanism scans environment variables and config files to abuse any NPM publishing tokens it finds, then republishes affected packages with bumped versions. Targets span SSH keys, cloud-service credentials, Kubernetes configurations, large-language-model access tokens, and MetaMask/Phantom crypto wallets stored in Chrome and Firefox. With PyPI credentials present, the attack expands to a cross-platform footprint.

Defenders consider it critical to rotate all authentication tokens and to remove the affected versions from CI/CD pipelines. The developer community has tightened multi-factor authentication, and analysts are urging vigilance over unusual version bumps. The incident underscores how critical supply chain security has become in modern software.
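The two defensive steps in the paragraph above, removing affected versions and watching for unusual version bumps, can be turned into a lockfile audit that runs before `npm ci` in a pipeline. The script below is an added example written for this article, not code from the article, from Socket, or from StepSecurity. It compares the lockfile CI last ran with against the current one, flags any dependency whose version changed and was published only hours earlier, and flags any version on a denylist. Every package name, version and timestamp in it is constructed, and the denylist is a placeholder to be filled from the vendor advisory, since the article does not list the affected versions. The only real format it relies on is the `time` field of the npm registry document at `https://registry.npmjs.org/<package>`, which maps each version to its publish time.

```javascript
// Added example (not from the article, Socket, or StepSecurity): audit a
// package-lock.json against a denylist and flag freshly published version bumps.
// All names, versions and timestamps below are constructed sample data.

// Constructed "previous" lockfile (what CI last ran with), lockfileVersion 3 layout.
const previousLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-agent-sdk": { version: "2.4.0" },
    "node_modules/example-db-client": { version: "0.9.3" },
    "node_modules/example-utils": { version: "1.3.0" },
  },
};

// Constructed "current" lockfile after a routine `npm install`.
const currentLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-agent-sdk": { version: "2.4.1" },
    "node_modules/example-db-client": { version: "0.9.3" },
    "node_modules/example-utils": { version: "1.3.0" },
  },
};

// Constructed publish timestamps, in the shape of the "time" field returned by
// https://registry.npmjs.org/<package> (version -> ISO-8601 publish time).
const registryTime = {
  "example-agent-sdk": {
    created: "2024-01-10T00:00:00.000Z",
    "2.4.0": "2025-03-01T10:00:00.000Z",
    "2.4.1": "2025-04-21T09:30:00.000Z",
  },
  "example-db-client": { "0.9.3": "2024-11-02T12:00:00.000Z" },
  "example-utils": { "1.3.0": "2024-06-15T08:00:00.000Z" },
};

// Placeholder denylist: populate from the vendor advisory. The article does
// not list the affected package names or versions.
const denylist = [{ name: "example-db-client", version: "0.9.3" }];

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; the root entry ("") -> null.
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Map of package name -> version for every dependency entry in a lockfile.
// Keyed by name, so nested duplicates of one package collapse to the last entry seen.
function versionsOf(lock) {
  const out = new Map();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(path);
    if (name && entry.version) out.set(name, entry.version);
  }
  return out;
}

// Returns findings: denylisted versions, plus versions that changed since the
// previous lockfile and were published within `windowHours` before `now`.
function auditLockfile(prev, cur, deny, times, now, windowHours) {
  const denied = new Set(deny.map((d) => `${d.name}@${d.version}`));
  const before = versionsOf(prev);
  const nowMs = Date.parse(now);
  const findings = [];
  for (const [name, version] of versionsOf(cur)) {
    const key = `${name}@${version}`;
    if (denied.has(key)) findings.push({ package: key, reason: "denylisted" });
    const changed = before.has(name) && before.get(name) !== version;
    const publishedAt = times[name] && times[name][version];
    if (changed && publishedAt) {
      const ageHours = (nowMs - Date.parse(publishedAt)) / 3600000;
      if (ageHours >= 0 && ageHours <= windowHours) {
        findings.push({ package: key, reason: "fresh-bump", from: before.get(name), ageHours: Math.round(ageHours) });
      }
    }
  }
  return findings;
}

// Stand-alone run: with a 72-hour window the sample data yields one fresh bump
// (example-agent-sdk 2.4.0 -> 2.4.1, published 27 hours ago) and one denylisted version.
if (typeof require !== "undefined" && require.main === module) {
  console.log(auditLockfile(previousLock, currentLock, denylist, registryTime, "2025-04-22T12:00:00Z", 72));
}
```

In a real pipeline the previous lockfile comes from the last reviewed commit, the current one from the working tree, and the `time` maps from a fetch of each registry document. A non-empty findings list should fail the job; a fresh bump is not proof of compromise, but it is exactly the signal the article says analysts are asking teams to look at, and a legitimate bump can be approved by committing the reviewed lockfile and running `npm ci` rather than `npm install`.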


Key Takeaways:
1. An April 21 worm-like attack hit NPM via Namastex Labs packages.
2. Socket and StepSecurity found malicious code in 16 packages.
3. Targets: SSH, cloud, Kubernetes, LLM tokens, MetaMask/Phantom wallets.
4. With PyPI credentials present, the attack goes cross-platform.
5. Rotating all CI/CD tokens and removing affected versions is now mandatory.