Incident contained · Malicious versions removed from npm

Security disclosure

On April 21–22, 2026, malicious versions of two npm packages we maintain were published by a threat actor after a developer token was stolen. We detected it, contained it, and are telling you exactly what happened.

Published 2026-04-23

  • Exposure window: ~16 h (Apr 21 ~22:14 UTC → Apr 22 ~14:00 UTC)
  • Detection to containment: <20 h (tokens revoked, malicious versions removed)
  • Estimated monthly base exposed: <0.5% (conservative upper bound)

What happened

A developer token was stolen by supply-chain malware and used to publish tainted versions of two packages we maintain. The malicious versions executed on install and tried to steal local credentials. If you installed an affected version between April 21 and April 22, treat the machine as potentially compromised and follow the remediation guide below.

Packages affected · clean versions

| Package | Malicious versions | Clean version | npm status |
|---|---|---|---|
| @automagik/genie | 4.260421.33 – 4.260421.40 | 4.260422.4+ | Removed from registry |
| pgserve | 1.1.11 – 1.1.14 | 1.1.10 | Removed from registry |

The malicious versions were unpublished from the npm registry and can no longer be installed. All Automagik publications from 2026-04-23 onward ship with npm --provenance attestations.
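To check whether a project resolved one of the versions in the table above, the following script (an added example, not Automagik's tooling) compares every lockfile entry, including nested copies, against the advisory's inclusive ranges. `SAMPLE_LOCK` is a constructed fragment; the field names follow npm's lockfileVersion 2/3 `packages` map.

```javascript
// Added example (not Automagik's code): flag lockfile entries in the advisory's malicious ranges.
// Affected ranges exactly as given in the advisory table (inclusive).
const AFFECTED = {
  "@automagik/genie": { min: "4.260421.33", max: "4.260421.40" },
  pgserve: { min: "1.1.11", max: "1.1.14" },
};

// Compare dotted numeric versions component by component. No prerelease
// handling: every version in the advisory is plain numeric.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
// True when `version` of `name` falls inside the advisory's malicious range.
function isMalicious(name, version) {
  const r = AFFECTED[name];
  return Boolean(r) && compareVersions(version, r.min) >= 0 && compareVersions(version, r.max) <= 0;
}

// Walk the lockfile's "packages" map. Keys look like "node_modules/@automagik/genie"
// or, for nested installs, "node_modules/some-tool/node_modules/pgserve"; the
// package name is whatever follows the last "node_modules/".
function findAffected(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !entry || !entry.version) continue;
    const name = entry.name || path.replace(/^.*node_modules\//, "");
    if (isMalicious(name, entry.version)) hits.push({ path, name, version: entry.version });
  }
  return hits;
}
// Constructed sample lockfile fragment so the example runs offline; versions are
// chosen to hit both packages, including a nested copy a shallow check would miss.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/@automagik/genie": { version: "4.260421.37" },
    "node_modules/pgserve": { version: "1.1.10" },
    "node_modules/some-tool/node_modules/pgserve": { version: "1.1.14" },
  },
};

const sampleHits = findAffected(SAMPLE_LOCK);
for (const h of sampleHits) console.log(`AFFECTED ${h.name}@${h.version} at ${h.path}`);
```

To scan a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. A lockfile only records what a fresh install would resolve; a machine that actually ran `npm install` during the exposure window should follow the remediation section regardless of what the lockfile shows today.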

What we did

  • Revoked compromised credentials and reissued tokens with minimum scope and mandatory 2FA.
  • Deprecated and removed malicious versions from the npm registry.
  • Contained the incident within our internal fleet — no customer production environment was touched.
  • Blocked the malware's command-and-control endpoints at the perimeter.
  • Notified customers whose contracts require it, within contractual SLAs.

If you installed an affected version

Treat your machine as potentially compromised.

The malware executes on install and tries to steal local credentials (npm tokens, SSH keys, cloud credentials, .env files, browser passwords, crypto wallets). Rotating credentials is the only safe path forward.

Apply the security patch.

Start with the regular user command. Use the elevated command only for root-owned installations or npm caches.

npx @automagik/genie@next sec fix
sudo npx @automagik/genie@next sec fix

We published a step-by-step response manual covering identification, interpretation, remediation, and prevention. Start there:

What we are changing

  • Signed publications — `npm --provenance` attestation on every release (effective 2026-04-23).
  • OIDC trusted publishing via GitHub Actions — no long-lived npm tokens anywhere.
  • Mandatory 2FA and manual approval for every production publish.
  • External penetration test brought forward from the roadmap.
  • Full public post-mortem within 30 days.

Acknowledgments

We are grateful to the researchers and organizations that identified and tracked this incident, making it possible for every affected team to respond quickly.

Thanks also to the Automagik team that ran the end-to-end response during the incident window, and to the broader open-source community whose scrutiny, tools, and unfiltered feedback keep this ecosystem healthy. We will keep earning it.

Contact

Questions, reports, or help with remediation — reach us privately. We respond within 2 business hours (UTC-3).

Data Protection Officer
Cezar Vasconcelos
dpo@namastex.ai
Security & incidents
Private channel
privacidade@namastex.ai

PGP available on request. Private security reports are encouraged via the channels above rather than public issues.

Namastex Labs Serviços em Tecnologia Ltda · CNPJ 46.156.854/0001-62

This page will be updated as our investigation concludes and our post-mortem is published. Last updated: 2026-04-23.