If your software development teams or build pipelines installed any of the confirmed infected packages, your organization's code-signing and publish credentials may already be in the hands of an unknown threat actor — meaning malicious code could be injected into your own software products and distributed to your customers before you detect it. A downstream customer compromise originating from your published packages creates direct liability exposure, potential regulatory notification obligations if customer data is involved, and significant reputational damage. The self-replicating nature of this worm means delayed response directly increases the number of affected packages and the scope of credential theft.
You Are Affected If
Your development environment or CI/CD pipeline installed any of the following npm packages: @automagik/genie, pgserve, @fairwords/websocket, @fairwords/loopback-connector-es, @openwebconcept/theme-owc, @openwebconcept/design-tokens, or any other Namastex Labs-scoped package after April 21, 2026
Your CI/CD pipeline stores npm publish tokens or PyPI API keys as environment variables accessible during the build process
Your developers use Chrome or Firefox with MetaMask, Exodus, Atomic Wallet, or Phantom browser extensions installed on machines where npm installs are performed
Your organization publishes packages to npm or PyPI and uses shared or long-lived publish tokens rather than granular, scoped, short-lived tokens
Your build environments do not enforce package integrity verification (lockfile hash pinning, software composition analysis) before installing dependencies
Board Talking Points
A self-spreading worm in the npm software supply chain has compromised at least 16 developer packages and is actively stealing the credentials developers use to publish software, meaning it can inject malicious code into our own products if our teams are affected.
Security and engineering teams should audit all development and build environments for exposure within 24 hours and rotate all affected credentials immediately.
If we do not act quickly, the worm can use our own publishing credentials to distribute compromised software to our customers, creating liability, regulatory, and reputational consequences that are significantly harder to contain after the fact.
SOC 2 — compromise of CI/CD pipeline secrets and software build integrity directly implicates change management and logical access controls assessed under SOC 2 Type II
PCI-DSS — if any affected build pipeline produces or deploys software that handles payment card data, the integrity of that software artifact is in scope under PCI-DSS Requirement 6 (secure development) and Requirement 12.3 (supply chain risk)
