Chainguard customers safe from new npm worm and xinference supply chain attack
Chainguard customers are safe from today’s malware attacks that spanned both npm and PyPI, which affected 25 packages with 60K+ collective monthly downloads.
On npm, the malware originated from Namastex.ai’s Automagik suite as malicious packages carrying a credential-stealing, self-propagating worm. The following 22 libraries and versions were impacted, accounting for roughly 30K+ monthly downloads:
@automagik/genie— 8 malicious versions:4.260421.33–4.260421.40pgserve— 4 malicious versions:1.1.11through1.1.14@fairwords/websocket— 2 malicious versions:1.0.38and1.0.39@fairwords/loopback-connector-es— 2 malicious versions:1.4.3and1.4.4@openwebconcept/design-tokens— 3 malicious versions:1.0.1–1.0.3@openwebconcept/theme-owc— 3 malicious versions:1.0.1–1.0.3
On PyPI, xinference had three malicious versions (2.6.0 – 2.6.2) posted to PyPI, which were since removed. The library has ~30K downloads per month.
The tradecraft for the npm worm strongly resembles TeamPCP campaigns that began with Trivy in March: credential theft from developer environments, off-host exfiltration, ICP canister-backed infrastructure, and worm-like self-propagation. However, the canister endpoint in this attack is different from prior documented CanisterWorm incidents.
Positive attribution to TeamPCP is still pending. The xinference attack had a TeamPCP signature, but the threat group denied involvement and declared the attack a copycat.
Chainguard customers are not impacted. Chainguard Libraries builds from publicly verifiable source code and refuses to build packages that depend on install-time scripts due to their common use as an attack vector. The details:
npm attacks: Chainguard never built these 22 libraries, as the malicious packages were published to npm as pre-packaged tarballs containing install-time scripts with malware. The corresponding source code on GitHub did not contain these malicious changes.
xinferenceattack on PyPI: Chainguard never built the three credential-stealing versions ofxinference, so customers were not exposed. Chainguard currently carries 43 unaffected versions ofxinference. This attack falls into the 2% of malware cases that compromise source code directly. Chainguard is incorporating additional maintainer monitoring and malicious commit detection to address these vectors.
If you're not yet a Chainguard customer, reach out to understand how we build malware resistance into the foundation, or you can get started with Chainguard Containers and Libraries for free today.
Share this article
Articles connexes
- sécurité
2026: The year of AI-assisted attacks
Patrick Smyth, Principal Developer Relations Engineer
- sécurité
Is Grype a single point of failure for Chainguard’s CVE detection?
Alex Burrage, Director of Product Security
- sécurité
AI is finding vulnerabilities faster than anyone can patch them. Now what?
Ed Sawma, VP of Product Marketing
- sécurité
Attacks rewritten: Where malware enters the build
Manfred Moser, Sr. Principal Developer Relations Engineer, and Patrick Smyth, Principal Developer Relations Engineer
- sécurité
Your riskiest supplier isn't a vendor. It's a registry.
Cameron Martin, Manager, Solutions Engineering - APJ
- sécurité
Malicious axios versions published to npm: Chainguard customers protected
Quincy Castro, CISO