Analysis
Every conventional C2 takedown playbook starts with the same two steps: seize the domain, null-route the IP. CanisterWorm removes both options. The payload exfiltrates stolen credentials to a smart contract running on the Internet Computer Protocol (ICP) blockchain — infrastructure operated by a decentralized network of independent nodes with no registrar to call, no hosting provider to contact, and no single point to sinkhole. The Namastex-linked npm packages first reported by Socket on April 22, 2026 are the clearest live example of supply-chain malware adopting decentralized infrastructure as C2. The payload mechanics are in the same family as the TeamPCP campaign and the Shai-Hulud worm. The exfil channel is not.
What we know
- April 22, 2026 — Socket Research Team reports malicious versions across packages in the `@automagik`, `@fairwords`, and `@openwebconcept` npm namespaces, plus the standalone `pgserve` package. Threat hunting on shared IOCs and code patterns surfaced the full affected version list.
- Affected versions (reported by Socket): `@automagik/genie` 4.260421.33–4.260421.39; `pgserve` 1.1.11–1.1.13; `@fairwords/websocket` 1.0.38–1.0.39; `@fairwords/loopback-connector-es` 1.4.3–1.4.4; `@openwebconcept/design-tokens` 1.0.3; `@openwebconcept/theme-owc` 1.0.3.
- Toolchain link: the payload contains the string `Technique: .pth file injection (TeamPCP/LiteLLM method)` — a self-attribution comment referencing the same campaign cluster tracked across the Trivy, Bitwarden, Checkmarx, and SAP compromises.
An adversary who puts their campaign name in their own malware is making a statement about confidence in the infrastructure. When the C2 is a decentralized blockchain canister that no takedown notice can reach, that confidence is operationally grounded.
Payload mechanics
The compromised packages install a postinstall hook that runs `node dist/env-compat.cjs || true`. The `|| true` tail is deliberate: it ensures `npm install` exits cleanly regardless of payload execution outcome, suppressing the error signal a defender might otherwise catch. The loader decodes and decrypts additional stages using AES-256-CBC with RSA-OAEP-SHA256 key wrapping — the RSA public key is embedded in `dist/public.pem`.
Credential collection scope is broad:
- npm tokens from `.npmrc`
- SSH keys and git credentials
- Cloud provider configuration — AWS, Azure, GCP CLI configs and credential files
- CI/CD secrets — environment variables, runner token files
- Browser artifacts — session cookies, saved credentials from Chromium-family browsers
- Cryptocurrency wallet files — Electrum, MetaMask, and similar
- Shell history and `.env*` files
The payload also includes PyPI propagation logic: when Python credentials are present, it uses Twine to publish malicious PyPI packages with a .pth file injector — the same technique referenced in the self-attribution string. .pth files in Python's site-packages execute at interpreter startup, meaning every subsequent python invocation in the environment runs attacker code.
The ICP canister exfil channel
Stolen data is staged and sent to two endpoints: a conventional HTTPS endpoint at telemetry.api-monitor[.]com and an ICP canister at cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0[.]io. The ICP endpoint is the operationally significant one.
Internet Computer canisters are WebAssembly smart contracts running on ICP's decentralized node network. Key properties that make them attractive for malicious exfil:
- No registrar. The canister ID (`cjn37-uyaaa-aaaac-qgnva-cai`) is a content-addressed identifier in the ICP namespace, not a domain registration. ICANN has no jurisdiction. No domain seizure is possible.
- No hosting provider. Canisters run across a distributed set of independent node providers. No single AS, datacenter, or hosting company can be compelled to take it down.
- HTTPS-accessible via boundary nodes. The `raw.icp0.io` gateway exposes canisters over standard HTTPS on a domain that appears in many allowlists. Traffic is indistinguishable from normal web API calls to external services.
- Persistent by design. ICP canisters run indefinitely as long as they have cycles (ICP's compute billing unit). The attacker pre-funds the canister; it stays up.
The conventional exfil endpoint (telemetry.api-monitor[.]com) is presumably the primary collection point, with the ICP canister as a resilient backup. If the conventional endpoint is blocked or seized, the ICP channel continues receiving data.
Worm propagation
Every stolen npm publish token is enumerated for packages the token can publish to. The payload downloads the current tarball, increments the patch version, injects the postinstall hook and payload files, and publishes the new malicious version. The PyPI propagation path follows the same pattern with Twine. Socket tracks the spreading package graph under the CanisterSprawl tracker.
The combination of npm and PyPI propagation in the same payload is the widest-surface worm vector in the current supply-chain campaign cluster. Shai-Hulud propagates through npm only (via OIDC token theft). CanisterWorm adds PyPI as a second propagation surface.
Targeting
- JavaScript developers using the `@automagik`, `@fairwords`, and `@openwebconcept` namespaces — AI tooling, WebSocket infrastructure, and WordPress/React design token consumers.
- PostgreSQL and Node.js backend teams using `pgserve`.
- CI/CD environments with npm or PyPI publish access — both token classes are explicitly targeted for worm propagation.
- Cryptocurrency-adjacent developers — the browser artifact and wallet file collection suggests deliberate targeting of users likely to hold crypto.
Indicators of compromise
File hashes (SHA-256, reported by Socket):
- `dist/env-compat.cjs` — c19c4574d09e60636425f9555d3b63e8cb5c9d63ceb1c982c35e5a310c97a839
- `dist/public.pem` — 834b6e5db5710b9308d0598978a0148a9dc832361f1fa0b7ad4343dcceba2812
RSA public key fingerprint (DER SHA-256):
87259b0d1d017ad8b8daa7c177c2d9f0940e457f8dd1ab3abab3681e433ca88e
Distinctive strings in payload:
- `node dist/env-compat.cjs || true`
- `pkg-telemetry`
- `dist-propagation-report`
- `pypi-pth-exfil`
- `Technique: .pth file injection (TeamPCP/LiteLLM method)`
Network indicators (defanged):
- telemetry.api-monitor[.]com
- cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0[.]io
Detection and mitigation
- Block and remove affected versions. Search lockfiles for the listed package versions. If any are present, treat the host as compromised.
- Rotate all exposed credentials. npm tokens, GitHub PATs and OIDC tokens, cloud credentials (AWS/Azure/GCP), SSH keys, Kubernetes service account tokens, any secrets in environment variables or `.env` files on the affected host.
- Audit for worm propagation. If the environment held npm or PyPI publish tokens, check the registry for unexpected patch releases on any package those tokens could access.
- Hunt for `.pth` file injection. If PyPI credentials were present, inspect `site-packages` directories on all Python environments for unexpected `.pth` files. A `.pth` file containing executable code (rather than just a path) is malicious.
- Block ICP gateway egress. `raw.icp0.io` is not a destination CI/CD runners have legitimate reason to call. Adding it to egress deny lists blocks the ICP exfil channel without affecting conventional web traffic. Note: the conventional endpoint (telemetry.api-monitor[.]com) should be blocked as well, but the ICP channel is the harder one to catch without explicit policy.
- Enable `--ignore-scripts` by default in CI. The entire postinstall execution chain is blocked by this flag. Allowlist packages that genuinely require lifecycle hooks.
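The lockfile search, the `--ignore-scripts` allowlist review, and the `.pth` hunt above can be scripted. The following is an added example, not Socket's tooling or the campaign's code; it assumes a `package-lock.json` with lockfileVersion 2 or 3 (the `packages` map, where npm sets `hasInstallScript` on packages that carry lifecycle scripts) and uses CPython's own rule for which `.pth` lines are executed. The sample lockfile and `.pth` contents are constructed.

```python
import json

# Affected versions as reported by Socket and listed on this page.
AFFECTED = {
    "@automagik/genie": {f"4.260421.{n}" for n in range(33, 40)},
    "pgserve": {"1.1.11", "1.1.12", "1.1.13"},
    "@fairwords/websocket": {"1.0.38", "1.0.39"},
    "@fairwords/loopback-connector-es": {"1.4.3", "1.4.4"},
    "@openwebconcept/design-tokens": {"1.0.3"},
    "@openwebconcept/theme-owc": {"1.0.3"},
}

def _packages(lock_json: str):
    """Yield (name, metadata) from a lockfileVersion 2/3 'packages' map."""
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        if path:  # "" is the root project entry, not a dependency
            # nested paths look like node_modules/a/node_modules/@scope/b
            yield path.split("node_modules/")[-1], meta

def affected_in_lockfile(lock_json: str) -> list:
    """(name, version) pairs that match a known-malicious version."""
    return [(name, meta.get("version")) for name, meta in _packages(lock_json)
            if meta.get("version") in AFFECTED.get(name, set())]

def install_script_packages(lock_json: str) -> list:
    """Packages npm flags with hasInstallScript: the review list for an
    --ignore-scripts allowlist."""
    return sorted(n for n, meta in _packages(lock_json) if meta.get("hasInstallScript"))

def executable_pth_lines(pth_text: str) -> list:
    """Lines CPython's site module exec()s rather than adding to sys.path:
    non-blank, non-comment lines that start with 'import ' or 'import\\t'."""
    return [line for line in pth_text.splitlines()
            if line.strip() and not line.startswith("#")
            and line.startswith(("import ", "import\t"))]

# Constructed sample inputs (not from the campaign): a lockfile carrying one
# affected version and a .pth file whose third line is code, not a path.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo", "version": "0.0.1"},
    "node_modules/pgserve": {"version": "1.1.12", "hasInstallScript": True},
    "node_modules/@fairwords/websocket": {"version": "1.0.37"},
    "node_modules/lodash": {"version": "4.17.21"},
}})
SAMPLE_PTH = "# constructed\n/opt/vendor/lib\nimport sys; sys.stdout.write('pth ran')\n"

if __name__ == "__main__":
    print(affected_in_lockfile(SAMPLE_LOCK))    # [('pgserve', '1.1.12')]
    print(install_script_packages(SAMPLE_LOCK))  # ['pgserve']
    print(executable_pth_lines(SAMPLE_PTH))      # ["import sys; sys.stdout.write('pth ran')"]
```

The `.pth` check only classifies lines; it never executes them, so it is safe to run against a suspect environment.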
Attribution
The in-payload string `Technique: .pth file injection (TeamPCP/LiteLLM method)` is self-attribution — the operator explicitly names the TeamPCP campaign cluster in their own malware. Socket reports the IOCs and code patterns overlap with prior CanisterWorm-style activity tracked in the CanisterSprawl tracker. The TeamPCP campaign has been running since at least March 2026 across npm, PyPI, Docker Hub, GitHub Actions, and VS Code extension marketplaces. CanisterWorm shares that toolchain and adds the ICP exfil channel as a distinguishing infrastructure element. Whether this is the same operator or a team using TeamPCP tooling cannot be settled from public evidence.
Criminal-market signal
Dark-web sweep results will be added here upon completion.
What the ICP channel signals
Decentralized infrastructure as C2 is not a new idea in theoretical security research. CanisterWorm is among the first documented cases of it being deployed in an active supply-chain campaign at scale. The practical implication for defenders: domain-based blocklists and takedown requests don't apply to raw.icp0.io. Blocking the ICP gateway hostname is a blunt instrument — it blocks all ICP-hosted content, not just the malicious canister. The right control is egress policy: CI runners and developer workstations have no legitimate reason to call ICP boundary nodes.
The broader pattern — npm worms with increasingly resilient exfil infrastructure — connects to Shai-Hulud (OIDC-driven propagation, private GitHub repo exfil) and CVE-2026-12091 (Cloudflare-fronted C2). Each campaign in this cluster iterates on the exfil channel. The install-time execution vector and the credential collection scope are stable; the C2 architecture is the variable that defenders need to track.
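The egress-policy argument above (and the canister properties listed earlier) comes down to one distinction: a blocklist catches the one canister named in the IOCs, while a suffix rule on the gateway hostname catches any canister. The following added example, not part of this analysis or Socket's tooling, runs both checks over constructed proxy log lines in an assumed `<ts> <src-ip> <method> <url> <status>` format, refanging the page's defanged indicators for matching; the fourth log line uses a made-up canister ID.

```python
from urllib.parse import urlsplit

# Network indicators as listed (defanged) on this page; refanged for matching.
DEFANGED_IOCS = ["telemetry.api-monitor[.]com",
                 "cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0[.]io"]
ICP_GATEWAY_SUFFIX = ".raw.icp0.io"  # the boundary-node gateway named on the page

def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")

IOC_HOSTS = {refang(i) for i in DEFANGED_IOCS}

def classify_host(host: str):
    """'known-ioc' for a listed indicator, 'icp-gateway' for any other canister
    reached through the gateway (the egress-policy case), None otherwise."""
    host = host.lower().rstrip(".")
    if host in IOC_HOSTS:
        return "known-ioc"
    if host.endswith(ICP_GATEWAY_SUFFIX):
        return "icp-gateway"
    return None

def canister_id(host: str):
    """The canister ID portion of a <id>.raw.icp0.io hostname, else None."""
    host = host.lower().rstrip(".")
    return host[: -len(ICP_GATEWAY_SUFFIX)] if host.endswith(ICP_GATEWAY_SUFFIX) else None

def scan_egress_log(log: str) -> list:
    """Alerts for lines of the form '<ts> <src-ip> <method> <url> <status>'."""
    alerts = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; a real pipeline would count these
        ts, src, _method, url, _status = fields[:5]
        host = urlsplit(url).hostname or ""
        verdict = classify_host(host)
        if verdict:
            alerts.append({"ts": ts, "src": src, "host": host,
                           "verdict": verdict, "canister": canister_id(host)})
    return alerts

# Constructed proxy log (not real traffic). The last line uses a made-up
# canister ID to show that suffix policy catches canisters no IoC list names.
SAMPLE_LOG = """\
2026-04-23T10:01:02Z 10.0.4.12 POST https://telemetry.api-monitor.com/v1/report 200
2026-04-23T10:01:03Z 10.0.4.12 POST https://cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0.io/ 200
2026-04-23T10:01:05Z 10.0.4.12 GET https://registry.npmjs.org/lodash 200
2026-04-23T10:02:11Z 10.0.4.17 GET https://zzzzz-aaaaa-aaaaa-aaaaa-cai.raw.icp0.io/state 200
"""
```

Running `scan_egress_log(SAMPLE_LOG)` yields three alerts: the two listed indicators as `known-ioc` and the unlisted canister as `icp-gateway`, which is the hit a pure IoC blocklist would miss.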