{"id":16128,"date":"2026-04-23T00:31:52","date_gmt":"2026-04-23T00:31:52","guid":{"rendered":"https:\/\/newestek.com\/?p=16128"},"modified":"2026-04-23T00:31:52","modified_gmt":"2026-04-23T00:31:52","slug":"malicious-pgserve-automagik-developer-tools-found-in-npm-registry","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16128","title":{"rendered":"Malicious pgserve, automagik developer tools found in npm registry"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

Application developers are being warned that malicious versions of pgserve, an embedded PostgreSQL server for application development, and automagik, an AI coding tool, have been dropped into the npm JavaScript registry, where they could poison developers\u2019 computers.<\/p>\n

Downloading and using these versions will lead to the theft of data, tokens, SSH keys, credentials, including those for Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), crypto coins from browser wallets, and browser passwords. The malware also spreads to other connected PCs.<\/p>\n

The warnings came this week from researchers at two security firms.<\/p>\n

Researchers at Socket found fake packages<\/a> aimed at app developers looking for pgserve, an embedded PostgreSQL server for application development and testing, and automagik, an AI coding and agent-orchestration CLI from Namastex.ai.\u00a0The researchers said the attack contains similarities to a recent campaign dubbed CanisterWorm<\/a>, a worm-enabled supply chain attack that replaced the contents of legitimate packages with malware on npm.<\/p>\n

At the time of Socket\u2019s review,\u00a0the fake automagik\/genie\u00a0package showed 6,744 weekly downloads, and\u00a0the fake pgserve\u00a0package showed about 1,300 weekly downloads.<\/p>\n

The phony versions of automagik were versions 4.260421.33 through 4.260421.39 when Socket posted its advisory, and additional malicious versions are still being published and identified. The full scope of affected releases, maintainers, or release-path compromise is still under investigation, the researchers said.<\/p>\n

Separately, researchers at StepSecurity also found malicious versions of pgserve<\/a> on npm, noting that the compromised versions (1.1.11, 1.1.12 and 1.1.13) inject a 1,143-line credential-harvesting script that runs via postinstall every time it is installed.<\/p>\n

The last legitimate release of pgserve is\u00a0v1.1.10, according to StepSecurity.<\/p>\n

StepSecurity said that, unlike simple infostealers, this malware is a supply-chain worm: If it finds an npm publish token on the victim machine, it re-injects itself into every package that token can publish, further propagating the compromise. Stolen data is encrypted and exfiltrated to a decentralized Internet Computer Protocol (ICP) canister, a blockchain-hosted compute endpoint chosen specifically because it cannot be taken down by law enforcement or domain seizure.<\/p>\n

Yet another supply chain attack<\/h2>\n

This is just the latest example of a software supply chain attack, in which threat actors hope that developers will download infected utilities and tools from an open source registry and use them in packages that will spread the malware widely.<\/p>\n

In one of the most recent examples, hackers last month compromised the npm account<\/a> of the lead maintainer of the Axios HTTP client library. And last summer, attackers compromised several JavaScript testing utilities<\/a> on npm.<\/p>\n

Advice to victimized developers<\/h2>\n

Developers who have downloaded the malicious versions of pgserver and automagik need to act fast, says Tanya Janca<\/a>, head of Canadian secure coding consultancy SheHacksPurple.<\/p>\n

\u201cRotate every credential you can think of, right now, before you do anything else,\u201d she said. \u201cThen harden your CI\/CD network egress controls so your build runners can only reach the domains they explicitly need. Make sure your build runners and deployment runners use separate service accounts with separate permissions. The goal is to make sure that even if a malicious package runs in your build environment, it cannot reach an attacker\u2019s infrastructure (for data and secret exfiltration) and also block it from pivoting into your deployment pipeline.\u201d<\/p>\n

To prevent being compromised by any malicious npm package, Janca said IT leaders should disable automatic postinstall script execution by default.<\/p>\n

Developers should also run this command immediately:\u00a0npm config set ignore-scripts true<\/em>. Some legitimate packages will occasionally break as a result of this, she admitted. But the goal is to create an intentional point of friction to force developers to consciously decide a script is or is not allowed to run on their machines.<\/p>\n

In addition, she said, developers need tooling that checks whether what is published to npm actually matches what is in the source repository. \u201cNot all software composition analysis tools do this,\u201d Janca said, \u201cso ask your vendor specifically whether the tool catches registry-to-repo mismatches.\u201d<\/p>\n

Finally, she advised, apply the principle of least privilege access to publishing tokens; scope them tightly, give them only the permissions they need for one specific package, and rotate them regularly \u2014 automatically, not manually.<\/p>\n

More than just credential theft<\/h2>\n

\u201cPeople tend to think of this as a credential theft incident,\u201d Janca said. \u201cIt is actually a potential complete organizational takeover, and it can unfold in stages. First, the attacker gets your secrets on install: AWS keys, GitHub tokens, SSH keys, database passwords, everything sitting in your environment or home directory. Second, if you have an npm publish token, the worm immediately uses it to inject itself into every package you can publish, which means your downstream users are now also victims. Third, those stolen cloud credentials get used to pivot into your infrastructure: spinning up resources, exfiltrating data, moving laterally across accounts. Fourth, your CI\/CD pipelines, which trust your runners and service accounts implicitly, welcomes the attackers malicious code into production.\u201d<\/p>\n

She pointed out that it often takes a long time for developers to notice attacks like this, \u201cand by that time, the attacker has potentially had access to source code, production systems, customer data, and the software your users count on.\u201d<\/p>\n

Shift in tactics<\/h2>\n

Janet Worthington<\/a>, a senior security and risk analyst at Forrester Research, said that recent attacks such as the CanisterSprawl campaign and the compromise of the Namastex.ai npm packages show a shift from threat actors toward self-propagating malware that steals credentials and uses them to automatically infect other packages.<\/p>\n

\u201cThis behavior echoes earlier outbreaks like the Shai-Hulud<\/a> worm, which spread across hundreds of packages by harvesting npm tokens and republishing trojanized versions belonging to the compromised maintainer,\u201d she said in an email.<\/p>\n

While open registry platforms like npm are introducing stronger protections around publisher accounts and tokens, these incidents highlight the fact that compromises are no longer isolated to a single malicious package, she said. Instead, they cascade quickly through a registry ecosystem and even jump to other ecosystems. \u201cEnterprises should ensure that only vetted open source and third party components are utilized by maintaining curated registries, automating SCA [software composition analysis] in pipelines and utilizing dependency firewalls to limit exposure and blast radius,\u201d said Worthington.<\/p>\n

Developers sit at the intersection of source code, cloud infrastructure, CI\/CD pipelines, and publishing credentials, Janca pointed out, so compromising one developer can mean compromising every user of every package they maintain, or even an entire organization. This attack, and several others in recent months, are also going after personal crypto wallets alongside corporate credentials. \u201cThat tells us,\u201d she said, \u201cthat attackers understand exactly the type of person they are hitting and they are optimizing for maximum yield from a single attack.\u201d<\/p>\n

This article originally appeared on InfoWorld<\/a>.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

Application developers are being warned that malicious versions of pgserve, an embedded PostgreSQL server for application development, and automagik, an AI coding tool, have been dropped into the npm JavaScript registry, where they could poison developers\u2019 computers. Downloading and using these versions will lead to the theft of data, tokens, SSH keys, credentials, including those for Amazon Web Services (AWS), Microsoft Azure, and Google Cloud… <\/p>\n

Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16128","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16128","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16128"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16128\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16128"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16128"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16128"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}