Supply‑Chain Worm in npm Packages Steals Auth Tokens and Self‑Propagates
What Happened – Researchers at Socket and StepSecurity uncovered a worm‑like supply‑chain attack on the npm ecosystem. Malicious code was injected into 16 packages published by Namastex Labs. On install, the payload harvests npm tokens, API keys, SSH keys, cloud‑service credentials, and cryptocurrency‑wallet data from the host, then uses any stolen npm publish tokens to push infected versions of other packages the victim maintains, spreading the worm further.
Why It Matters for TPRM –
- Credential theft from development environments can cascade into cloud‑infrastructure breaches.
- The self‑propagating design means a single compromised developer or CI runner can infect every package that host can publish, so the exposure spreads to downstream projects and CI/CD pipelines of any third‑party software you depend on.
Who Is Affected – Companies using npm packages for AI agents, database tooling, or any Node‑based development workflow; SaaS providers, cloud‑native platforms, and enterprises with CI/CD pipelines that ingest third‑party packages.
Recommended Actions –
- Immediately remove the listed malicious package versions from all environments and CI/CD systems.
- Rotate all npm publish tokens, API keys, and other secrets that may have been exposed.
- Enforce strict token scoping (publish tokens limited to the packages that need them, with 2FA or trusted publishing for releases), and keep credentials out of environment variables and plaintext ~/.npmrc files, since both are exactly what the payload reads.
- Implement automated supply‑chain scanning of newly published package versions before they are allowed into builds.
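Two of the checks above can be automated before the full incident‑response process starts. The Node script below is an added example (not code from the advisory, from the researchers, or from any affected project): it audits a package‑lock.json for any installed copy of a watched package that is newer than its last known‑clean version (which also catches the higher‑numbered versions the worm republishes, unlike a fixed denylist), and it scans .npmrc‑style text for credentials stored in plaintext rather than as `${ENV_VAR}` references. Every package name, version, registry and token in the sample data is a constructed placeholder, not one of the real affected packages.

```javascript
"use strict";
// Added example, not the advisory's or the researchers' code.
// All package names, versions, registries and tokens below are constructed.

// Compare two dotted versions numerically; a prerelease suffix ("-beta.1")
// is ignored for this purpose. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// lastGood maps a package name to the last version known to be clean.
// Returns [{ name, version, path }] for every installed copy that is newer,
// covering both lockfileVersion 2/3 ("packages") and 1 ("dependencies").
function auditLockfile(lock, lastGood) {
  const hits = [];
  const check = (name, version, path) => {
    if (name in lastGood && compareVersions(version, lastGood[name]) > 0) {
      hits.push({ name, version, path });
    }
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project itself
      // Name is whatever follows the last "node_modules/" (keeps @scope/name).
      const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
      if (meta.version) check(name, meta.version, path);
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (meta.version) check(name, meta.version, path);
        if (meta.dependencies) walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Returns [{ line, key }] (1-based line numbers) for .npmrc lines that carry
// a literal credential. Values that are an environment-variable reference
// such as ${NPM_TOKEN} are the recommended form and are not flagged.
function findPlaintextTokens(npmrcText) {
  const flagged = [];
  npmrcText.split(/\r?\n/).forEach((line, i) => {
    // Optional "//registry-host[:port]/path:" prefix, then the credential key.
    const m = line.match(/^\s*(?:\/\/.+?:)?(_authToken|_auth|_password)\s*=\s*(.*)$/);
    if (!m) return;
    const value = m[2].trim();
    if (value === "" || /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/.test(value)) return;
    flagged.push({ line: i + 1, key: m[1] });
  });
  return flagged;
}

// Constructed sample input: a lockfileVersion 3 excerpt and a small .npmrc.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/example-agent-sdk": { version: "2.4.1" },
    "node_modules/@example/db-tools": { version: "0.9.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/@example/db-tools/node_modules/example-agent-sdk": { version: "2.3.9" },
  },
};
const LAST_GOOD = { "example-agent-sdk": "2.4.0", "@example/db-tools": "0.9.0" };
const SAMPLE_NPMRC = [
  "registry=https://registry.npmjs.org/",
  "//registry.npmjs.org/:_authToken=npm_EXAMPLEtoken1234567890",
  "//npm.internal.example:4873/:_authToken=${NPM_TOKEN}",
  "_auth=dXNlcjpwYXNz",
].join("\n");

console.log("newer than known-good:", auditLockfile(SAMPLE_LOCK, LAST_GOOD));
console.log("plaintext credentials:", findPlaintextTokens(SAMPLE_NPMRC));
```

In practice, feed `auditLockfile` the parsed lockfile of every repository and CI image, and run `findPlaintextTokens` over each developer's `~/.npmrc` and every project‑level `.npmrc`; anything it flags should be treated as exposed and rotated, not just deleted.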
Technical Notes – The attack runs on stolen npm publish tokens. The injected payload extracts secrets from the installing host (npm tokens, API keys, SSH keys, cloud credentials, LLM‑platform keys, Kubernetes configs) and cryptocurrency‑wallet data from Chrome and Firefox, then uses any publish tokens it finds to republish infected versions of the victim's own packages under higher version numbers, so every maintainer whose token is captured becomes a new propagation point. Because fresh versions appear as the worm spreads, pinning dependencies and comparing installed versions against a last known‑good version is more durable than a fixed list of bad versions. The same technique can reach PyPI when PyPI publish tokens are present on the compromised host. Source: BleepingComputer