Another npm supply chain worm is tearing through dev environments
go.theregister.com·Jessica Lyons·about 1 month ago

Yet another npm supply-chain attack is worming its way through compromised packages, stealing secrets and sensitive data as it moves through developers' environments, and it shares significant overlap with the open source infections attributed to TeamPCP last month.

Application security vendors Socket and StepSecurity say a self-propagating CanisterWorm-style malware strain hit multiple npm packages tied to Namastex Labs, an agentic AI company. The campaign appears to target specialized developer workflows as opposed to broad consumer npm usage. Compromised packages include:

- @automagik/genie@4.260421.33 through 4.260421.39
- pgserve@1.1.11 through 1.1.13
- @fairwords/websocket@1.0.38 and 1.0.39
- @fairwords/loopback-connector-es@1.4.3 and 1.4.4
- @openwebconcept/design-tokens@1.0.3
- @openwebconcept/theme-owc@1.0.3

Additional malicious versions are still being published and identified by the security shops, so the full scope of the supply chain attack remains under investigation.…
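As an added example (not code from The Register, Socket or StepSecurity), the following Node script walks the `packages` map of a lockfileVersion 2 or 3 `package-lock.json` and flags any resolved version that falls inside the affected ranges listed above. The affected list is the one given in the article; the sample lockfile, the `demo-app` name and the non-affected dependencies in it are constructed here for illustration. Keep the article's caveat in mind: more malicious versions are still being identified, so a clean result against this list is not a clean bill of health.

```javascript
// Added example: lockfile check against the affected versions named in the
// article. The AFFECTED table is copied from the article; SAMPLE_LOCK is a
// constructed lockfile, not a real project.

// Inclusive [from, to] ranges; a single affected version is [v, v].
const AFFECTED = {
  "@automagik/genie": [["4.260421.33", "4.260421.39"]],
  "pgserve": [["1.1.11", "1.1.13"]],
  "@fairwords/websocket": [["1.0.38", "1.0.39"]],
  "@fairwords/loopback-connector-es": [["1.4.3", "1.4.4"]],
  "@openwebconcept/design-tokens": [["1.0.3", "1.0.3"]],
  "@openwebconcept/theme-owc": [["1.0.3", "1.0.3"]],
};

// Numeric dotted-version comparison. Pre-release suffixes are dropped on
// purpose: the affected set is reported as plain release versions.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffected(name, version) {
  const ranges = AFFECTED[name];
  if (!ranges) return false;
  return ranges.some(
    ([lo, hi]) => compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0
  );
}

// Walks the "packages" map. Keys look like "node_modules/@scope/name" or,
// for nested installs, "node_modules/a/node_modules/@scope/name"; the
// package name is everything after the last "node_modules/" unless the
// entry carries an explicit "name" (aliased packages).
function findAffected(lock) {
  const marker = "node_modules/";
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    if (entry.version && isAffected(name, entry.version)) {
      hits.push({ path, name, version: entry.version });
    }
  }
  return hits;
}

// Accepts a parsed lockfile object or a path to package-lock.json.
function checkLockfile(lockOrPath) {
  const lock =
    typeof lockOrPath === "string"
      ? JSON.parse(require("fs").readFileSync(lockOrPath, "utf8"))
      : lockOrPath;
  return findAffected(lock);
}

// Constructed sample lockfile: two direct hits, one nested hit, one version
// just below an affected range, and one unrelated package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/pgserve": { version: "1.1.12" },
    "node_modules/@fairwords/websocket": { version: "1.0.37" },
    "node_modules/@automagik/genie": { version: "4.260421.39" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/some-dep/node_modules/@openwebconcept/theme-owc": { version: "1.0.3" },
  },
};

// Usage: node check-lock.js [path/to/package-lock.json]; with no argument it
// runs against the constructed sample.
if (typeof require !== "undefined" && require.main === module) {
  const hits = checkLockfile(process.argv[2] || SAMPLE_LOCK);
  for (const h of hits) console.log(`AFFECTED ${h.name}@${h.version} (${h.path})`);
  if (hits.length === 0) console.log("no affected versions found in this list");
}
```

The nested-path handling matters: a compromised package pulled in transitively by another dependency lands under a nested `node_modules/` key, so matching only on top-level keys would miss it.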
