The Research Team reported on April 22, 2026, that CanisterWorm malware had been injected into Namastex.ai npm packages. This is the work of the TeamPCP hacker group, which steals developer credentials, crypto wallets and SSH keys, and then uses the stolen npm publishing tokens to infiltrate other packages. Learn what happened, how it happened, and how you can protect your developer environment.
April 22, 2026. News has emerged today that serves as a major warning to software developers worldwide. A dangerous piece of malware called CanisterWorm has been injected into the npm packages of Namastex.ai, an AI tools company.
This malware does not only steal data; it can also infect other packages. One infected developer's system can go on to infect thousands of other developers. Even more worrying: the C2 server of this malware runs on a blockchain that no single party can shut down.
What Is an npm Package?
When a developer builds software, they don't write all the code themselves; they use ready-made building blocks called npm packages. These are published for JavaScript and Node.js developers on the npm (Node Package Manager) registry. The developer runs a simple command, npm install package-name, and the library is automatically downloaded and installed on their machine.
Millions of developers around the world install thousands of packages every day. This is a highly trusted system, and it is exactly that trust that this attack exploits. If malware is hidden inside a package, the computers of all the developers who install that package are compromised. This is a supply chain attack: not an attack on the target system directly, but on the chain of components it is built from.
Security tools themselves have become the weapon: the most diligent organizations, the ones scanning every build, had the greatest exposure.
What Does CanisterWorm Malware Actually Do?
CanisterWorm doesn't do just one thing; it performs four different dangerous tasks at once. That's why security researchers are so concerned about it:
Four Main Functions of the Malware
- 1. Secrets harvesting: Extracts AWS, Azure and Google Cloud keys, SSH keys, database passwords, Kubernetes tokens, Docker configs, .env files, shell history and all kinds of other credentials from the developer's computer. Everything is encrypted and sent out.
- 2. Browser and crypto wallet theft: Chrome's saved login data, MetaMask, Phantom, Solana, Ethereum and Bitcoin wallets, Exodus and Atomic Wallet are all targets. A developer's crypto wallet can be emptied without a trace.
- 3. Off-host exfiltration: All stolen data is sent to a hidden webhook server, telemetry.api-monitor[.]com, as well as to a blockchain-based C2 canister, cjn37-uyaaa…icp0[.]io (indicators shown defanged).
- 4. Worm propagation, the most dangerous part: Using the developer's npm publishing tokens, it injects its payload into other packages the developer maintains and republishes them. One infected developer means thousands of infected users. The malware also contains logic to spread to PyPI (Python packages).
A simple analogy: imagine someone injects poison into the water pipe supplying your house. Anyone who drinks water from that pipe is poisoned, and if that water is distributed on to other homes, they are poisoned too. That is what a supply chain attack means: poison at one point, and the entire chain is infected.
Why Is Blockchain Based C2 So Dangerous?
Normal malware communicates with a regular server; when that server is blocked or shut down, the malware stops working. CanisterWorm has found a clever but dangerous way around this problem.
This malware runs its C2 (command and control) endpoint as a canister on ICP (Internet Computer Protocol), a decentralized blockchain. The network is not controlled by any single company or government: there is no single host and no single IP address to block, so it cannot be taken down in the conventional way.
The attacker also built in a kill switch. As long as the canister URL returns a YouTube link, the malware does nothing; when the attacker is ready to launch a real attack, they update the canister to return the actual malicious URL. The payload can therefore sit dormant in an installed package and be armed later without republishing anything. According to the report, this makes CanisterWorm the first publicly documented npm worm that uses blockchain-based C2.
Who Is the TeamPCP Group?
TeamPCP, also known as DeadCatx3, PCPcat, ShellForce and CipherForce, is a sophisticated cloud-native threat actor group. They previously targeted misconfigured Docker APIs, Kubernetes clusters and Redis servers. In 2026, however, they shifted strategy and began targeting the software supply chain.
Their strategy is specific: target security tools, because security tools have elevated privileges by design. When a scanner like Trivy is compromised, it can read all the secrets of the pipeline it runs in. This is the "trusted security tool becomes the weapon" approach.
According to reports, TeamPCP has announced a partnership with the CipherForce and Vect ransomware groups, meaning that 300 GB+ of stolen credentials are being used in ransomware attacks. By deliberately compromising tools that run with elevated privileges, the attacker gains access to some of the most sensitive environments an organization has.
Malicious Packages Detected: Remove These Immediately
If any of these package versions are installed in your project, treat the system as fully compromised:
@automagik/[email protected]
@automagik/[email protected]
@automagik/[email protected]
@automagik/[email protected]
@automagik/[email protected]
@automagik/[email protected]
@automagik/[email protected]
@fairwords/[email protected]
@fairwords/[email protected]
@fairwords/[email protected]
@fairwords/[email protected]
@openwebconcept/[email protected]
@openwebconcept/[email protected]
Simply deleting the package is not enough. If these packages were installed on your system, all your credentials, AWS keys, SSH keys, browser passwords and npm tokens have potentially been stolen. Rotate them immediately.
What Should You Do Now?
- Remove infected packages immediately: Remove all malicious package versions listed above from your projects, CI/CD environments and artifact caches. Deleting alone isn't enough; be sure to take the next step.
- Rotate all credentials: npm tokens, GitHub personal access tokens, AWS/Azure/GCP keys, SSH keys, database passwords and Kubernetes service account tokens, everything that was on the machine where these packages were installed. Rotate them all. This is mandatory, not optional.
- Check npm publish history: If you maintain any npm packages, check that no unexpected versions were published from your account. If your token was stolen, your packages could also be infected and you could be infecting others without realizing it.
- Audit internal package mirrors and caches: If your organization uses a private npm registry or artifact cache, malicious versions could be cached there as well. Hunt for the IOCs above in those stores too.
- Compare npm with GitHub tags: Compare the versions of each package published on npm with the official tags in its GitHub repository. Versions that exist on npm but not on GitHub are suspect. This is the easiest manual method for detecting a CanisterWorm-style republish.
- Check crypto wallets: If you are a developer and use MetaMask, Phantom or another browser wallet, check your wallet history for unauthorized transactions. If in doubt, create a new wallet and transfer your assets.
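The lockfile, cache and tag checks above can be partly automated. The following is an added example written for this article, not code from the researchers, from TeamPCP's malware or from Namastex.ai: a small Python script that scans a package-lock.json for packages on a malicious list, flags anything else from the affected scopes, searches text (shell history, CI logs, .npmrc, a registry cache listing) for the exfiltration indicators, and diffs npm-published versions against GitHub tags. The package names and versions in MALICIOUS are made-up placeholders (fill in the exact entries from the list above), the lockfile and log text are constructed sample input, and the icp0.io pattern is deliberately broad because the canister ID is only partially given here.

```python
import json
import re
from typing import Iterable

# Placeholder IOC entries in "name@version" form. Only the scopes
# (@automagik, @fairwords, @openwebconcept) come from the article; the
# names/versions below are made up. Replace them with the advisory's list.
MALICIOUS = {
    "@automagik/example-pkg@1.2.3",
    "@fairwords/example-pkg@4.5.6",
}
SUSPECT_SCOPES = ("@automagik/", "@fairwords/", "@openwebconcept/")

# Exfiltration indicators, accepted in live or defanged (x[.]y) form. Any
# *.icp0.io host is flagged (broad on purpose); such hits need manual review.
IOC_PATTERNS = [
    re.compile(r"telemetry\.api-monitor\[?\.\]?com"),
    re.compile(r"[a-z0-9-]+\.icp0\[?\.\]?io"),
]


def installed_packages(lock: dict) -> Iterable[tuple[str, str]]:
    """Yield (name, version) for every installed package in a lockfile.

    Lockfile v2/v3: "packages" map keyed by install path ("" is the root
    project, nested deps look like node_modules/a/node_modules/b).
    Lockfile v1: nested "dependencies" tree.
    """
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:
                continue  # root project entry, not a dependency
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            if "version" in meta:
                yield name, meta["version"]
        return
    stack = [lock.get("dependencies", {})]
    while stack:
        for name, meta in stack.pop().items():
            if "version" in meta:
                yield name, meta["version"]
            if "dependencies" in meta:
                stack.append(meta["dependencies"])


def scan_lockfile(lock_text: str) -> dict:
    """Exact IOC hits vs. unlisted packages from an affected scope."""
    hits = {"malicious": [], "suspect_scope": []}
    for name, version in installed_packages(json.loads(lock_text)):
        spec = f"{name}@{version}"
        if spec in MALICIOUS:
            hits["malicious"].append(spec)
        elif name.startswith(SUSPECT_SCOPES):
            hits["suspect_scope"].append(spec)
    return hits


def find_iocs(text: str) -> list[str]:
    """Return every IOC match in a blob of text, in pattern order."""
    found = []
    for pattern in IOC_PATTERNS:
        found.extend(m.group(0) for m in pattern.finditer(text))
    return found


def untagged_versions(npm_versions: list[str], git_tags: list[str]) -> list[str]:
    """Versions present on npm with no matching git tag (sorted).

    Tags are normalized so "refs/tags/v1.2.3", "v1.2.3", "1.2.3", the
    monorepo style "pkg@1.2.3" and annotated-tag "v1.2.3^{}" refs all map
    to 1.2.3. Feed it `npm view <pkg> versions --json` and the ref column
    of `git ls-remote --tags <repo>`.
    """
    tagged = set()
    for tag in git_tags:
        tag = tag.removesuffix("^{}").rsplit("/", 1)[-1]  # strip refs/tags/
        tag = tag.rsplit("@", 1)[-1]                       # strip pkg@ prefix
        tagged.add(tag.lstrip("v"))
    return sorted(v for v in npm_versions if v not in tagged)


# Constructed sample input: a v3 lockfile with one listed package at top
# level, one nested under another package, and one unlisted package from an
# affected scope; plus one CI log line carrying a live IOC.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@automagik/example-pkg": {"version": "1.2.3"},
        "node_modules/@openwebconcept/other-pkg": {"version": "0.9.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/left-pad/node_modules/@fairwords/example-pkg": {"version": "4.5.6"},
    },
})
SAMPLE_LOG = "POST https://telemetry.api-monitor.com/h 200\n"
```

Run scan_lockfile over every package-lock.json in your repositories and over the listings of any private registry or cache; a hit in "suspect_scope" is not proof of compromise, but it is a package from a scope the attacker controlled and deserves a manual version check. The untagged_versions comparison is the manual GitHub-tags check from the list above, made repeatable; a version it reports was published to npm without a corresponding tag, which is exactly what a republish with a stolen token looks like.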
Final Note
This incident is part of a broader and alarming trend. Supply chain attacks have become one of the biggest threats in cybersecurity in 2026: first SolarWinds (2020), then Codecov (2021), then Trivy (March 2026), and now Namastex. The pattern is the same each time: don't attack the target directly, poison its supply chain instead.
This means that even if you have secured your own code, you are still vulnerable if the libraries you use are compromised. "Trust but verify" is no longer enough; now it is "verify, then trust". It is essential to check the source of every library, every package and every dependency you pull in.