
Real World Attacks

pgserve: Self-Propagating npm Worm with Blockchain C2

Valentino Duval

Apr 22, 2026



Executive Summary

Malicious versions of pgserve (1.1.11 through 1.1.14) were published to npm in a supply chain compromise. The package runs a credential harvesting and self-propagation payload at install time via a postinstall hook.

Ossprey Security has detected a new supply chain compromise, bearing strong similarities to attacks from earlier this year. Beyond credential theft, the package is also a worm. It discovers npm tokens on the infected system, enumerates all packages the token owner can publish, and injects itself into each one as a new version. It also crosses ecosystems, targeting PyPI using .pth file injection.

In a technique reminiscent of earlier TeamPCP attacks, the payload uses the Internet Computer Protocol (ICP) blockchain as a secondary C2 channel.

Key Judgments

  1. What is notable?

ICP blockchain C2 was previously observed in the Trivy supply chain attack. Its reappearance here suggests it is becoming an established evasion technique in supply chain malware.

  2. Who is at risk?

Any developer or CI pipeline that ran npm install pgserve from April 21 onwards, or installed any PyPI package that may have been infected via cross-ecosystem propagation. Any npm token on an infected machine may have been used to propagate the worm further.

  3. Was this preventable?

Yes. Behavioural analysis flagging postinstall execution, credential file reads, and outbound network calls at install time would catch this. Additionally, the PyPI packages published by this payload have no corresponding GitHub releases on the source project - a signal that can be used to flag unauthorised releases.

  4. What is the broader risk?

The npm install is just the entry point. The real damage is credential theft - cloud keys, CI tokens, SSH keys, database passwords, and crypto wallets swept in seconds. For most organisations, a compromised developer machine or CI pipeline has access to production infrastructure. These supply chain worms do not need to breach your perimeter; they ride in through a dependency and harvest everything reachable from that process.
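The "Was this preventable?" judgment above points at a cheap signal: PyPI versions that have no corresponding release on the source project. The following is an added example, not Ossprey's tooling, of turning that signal into a check. It consumes the JSON shapes of two real endpoints, PyPI's https://pypi.org/pypi/<project>/json (its "releases" key maps each version to its uploaded files, each carrying "upload_time") and GitHub's releases API (a list of objects with "tag_name"), but the data embedded below is constructed and the project name is a placeholder.

```python
"""Flag PyPI releases that have no matching release tag in the source repository.

Added example, not Ossprey's tooling. The sample data is constructed; the
endpoint shapes (PyPI JSON API "releases", GitHub releases "tag_name") are real.
"""
from typing import Dict, Iterable, List


def normalise_version(tag: str) -> str:
    """Map a release tag to a bare version string, e.g. 'v1.2.3' -> '1.2.3'."""
    if tag[:1] in ("v", "V"):
        return tag[1:]
    return tag


def unreleased_versions(pypi_json: Dict, github_releases: Iterable[Dict]) -> List[Dict[str, str]]:
    """Return PyPI versions that have uploaded files but no GitHub release of that version.

    Versions with an empty file list (never uploaded) are skipped. Each result
    carries the earliest upload_time so it can be correlated with publish
    activity by a token that should not have been publishing.
    """
    tagged = {normalise_version(release["tag_name"]) for release in github_releases}
    suspicious = []
    for version, files in pypi_json.get("releases", {}).items():
        if not files or version in tagged:
            continue
        # ISO-8601 timestamps sort correctly as strings.
        uploaded = min(entry["upload_time"] for entry in files)
        suspicious.append({"version": version, "upload_time": uploaded})
    return sorted(suspicious, key=lambda item: item["upload_time"])


# Constructed sample: 2.3.0 was released on GitHub, 2.3.1 appeared on PyPI only,
# 2.3.2 exists as a version entry with no files.
SAMPLE_PYPI = {
    "info": {"name": "example-project"},  # placeholder project name
    "releases": {
        "2.3.0": [{"filename": "example_project-2.3.0-py3-none-any.whl",
                   "upload_time": "2026-03-02T10:00:00"}],
        "2.3.1": [{"filename": "example_project-2.3.1-py3-none-any.whl",
                   "upload_time": "2026-04-21T22:14:07"}],
        "2.3.2": [],
    },
}
SAMPLE_GITHUB = [{"tag_name": "v2.3.0", "name": "2.3.0"}]

if __name__ == "__main__":
    for finding in unreleased_versions(SAMPLE_PYPI, SAMPLE_GITHUB):
        print(f"PyPI {finding['version']} uploaded {finding['upload_time']} has no GitHub release")
```

In practice the two JSON documents come from the endpoints named above; the check is a signal for review, as the write-up says, not proof on its own, since some projects legitimately publish without tagging.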

Ossprey Detection

Ossprey's detection flagged the package on behavioural signals within seconds of each version appearing on the registry: postinstall execution, credential file reads across cloud provider configs, SSH keys, and crypto wallet paths, and outbound HTTP to infrastructure with no prior association with the pgserve package.

Technique Overlap

The pgserve payload shares notable techniques with malware observed in the ongoing wave of npm and PyPI supply chain compromises throughout early 2026. The payload code contains a comment explicitly naming a prior technique:

[PyPI] Technique: .pth file injection (TeamPCP/LiteLLM method)

This reference is most likely a callback to the previous TeamPCP attacks, seen in March 2026 in the LiteLLM compromise. We are not attributing this compromise to any specific threat group at this time, and no group has claimed responsibility at the time of publication.

The shared characteristics worth noting:

  • .pth file injection for PyPI cross-ecosystem propagation

  • Credential harvesting targeting the same cloud provider and CI/CD patterns

  • postinstall hook execution vector

  • Dual-channel exfiltration strategy
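The .pth injection named in the first bullet works because of a documented CPython behaviour: the site module processes every .pth file in site-packages, and a line that begins with "import" followed by a space or tab is executed at interpreter start, while every other line is treated as a path. That same rule makes the technique auditable. The following is an added example, not Ossprey's or the malware's code, that lists every executable .pth line this interpreter would honour; the sample .pth contents are constructed.

```python
"""Audit site-packages for .pth files that execute code at interpreter start.

Added example (not Ossprey's tooling). CPython executes a .pth line only when
it starts with "import" followed by a space or tab; everything else is a path.
The sample .pth contents below are constructed for illustration.
"""
import os
import site
from typing import Dict, Iterable, List, Tuple


def executable_pth_lines(pth_text: str) -> List[Tuple[int, str]]:
    """Return (line number, line) for each .pth line Python would execute."""
    executed = []
    for number, line in enumerate(pth_text.splitlines(), start=1):
        # Same test site.py applies: "import" followed by a space or a tab.
        if line.startswith(("import ", "import\t")):
            executed.append((number, line))
    return executed


def audit_pth_files(directories: Iterable[str]) -> Dict[str, List[Tuple[int, str]]]:
    """Map each .pth file under the given directories to its executable lines."""
    report = {}
    for directory in directories:
        if not os.path.isdir(directory):
            continue
        for entry in sorted(os.listdir(directory)):
            if not entry.endswith(".pth"):
                continue
            path = os.path.join(directory, entry)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    executed = executable_pth_lines(fh.read())
            except OSError:
                continue
            if executed:
                report[path] = executed
    return report


def default_site_dirs() -> List[str]:
    """Directories whose .pth files this interpreter processes at start-up."""
    return list(site.getsitepackages()) + [site.getusersitepackages()]


# Constructed samples: a path-only .pth and one carrying an executable line.
SAMPLE_PATH_PTH = "# added by a local checkout\n/home/dev/src/mylib\n"
SAMPLE_IMPORT_PTH = (
    "/home/dev/src/mylib\n"
    "import logging; logging.getLogger('pth-demo').debug('runs on every start')\n"
)

if __name__ == "__main__":
    for path, lines in audit_pth_files(default_site_dirs()).items():
        for number, line in lines:
            print(f"{path}:{number}: {line}")
```

Expect a small legitimate baseline: setuptools ships distutils-precedence.pth with an import line, and editable installs can add their own. Anything outside that baseline, in particular an import line that decodes or fetches further code, warrants the same scrutiny as an npm postinstall script.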

Technical Breakdown

Execution Vector

The malicious payload is delivered via a postinstall script hook in package.json. It runs automatically when any developer or CI system installs the package.
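Because the entry point is an ordinary lifecycle script, the first defensive step is simply to know which of your dependencies declare one. The following is an added example, not Ossprey's or pgserve's code, that extracts preinstall, install and postinstall hooks from package.json manifests and walks a node_modules tree to report them; the sample manifest is constructed, and the list of "known build tool" commands is an assumed allowlist for illustration.

```python
"""Audit npm manifests for install-time lifecycle scripts.

Added example (not Ossprey's or pgserve's code). npm runs the preinstall,
install and postinstall scripts of every dependency during `npm install`,
which is the execution vector described above. The sample manifest is
constructed; KNOWN_BUILD_TOOLS is an assumed allowlist of common native-addon
builders, not an authoritative list.
"""
import json
import os
from typing import Dict, List, Tuple

INSTALL_HOOKS = ("preinstall", "install", "postinstall")
KNOWN_BUILD_TOOLS = ("node-gyp", "prebuild-install", "node-pre-gyp")


def lifecycle_hooks(manifest_text: str) -> List[Tuple[str, str]]:
    """Return (hook, command) pairs for install-time scripts declared in a package.json."""
    manifest = json.loads(manifest_text)
    scripts = manifest.get("scripts") or {}
    return [(hook, scripts[hook]) for hook in INSTALL_HOOKS if hook in scripts]


def classify_hook(command: str) -> str:
    """Label a hook command 'build-tool' if it invokes a known native builder, else 'review'."""
    parts = command.split()
    if parts and parts[0] in KNOWN_BUILD_TOOLS:
        return "build-tool"
    return "review"


def audit_tree(root: str) -> List[Dict[str, str]]:
    """Walk a node_modules tree and report every install-time hook it contains."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                text = fh.read()
            name = json.loads(text).get("name", os.path.basename(dirpath))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip rather than crash
        for hook, command in lifecycle_hooks(text):
            findings.append({"package": name, "path": path, "hook": hook,
                             "command": command, "verdict": classify_hook(command)})
    return findings


# Constructed sample manifest: a package that runs a script at install time.
SAMPLE_MANIFEST = json.dumps({
    "name": "example-dep",
    "version": "1.0.0",
    "scripts": {"test": "jest", "postinstall": "node setup.js"},
})

if __name__ == "__main__":
    for hook, command in lifecycle_hooks(SAMPLE_MANIFEST):
        print(f"{hook}: {command} [{classify_hook(command)}]")
    # Typical use: install with `npm install --ignore-scripts`, then
    # audit_tree("node_modules") and review every 'review' verdict before
    # re-running the scripts.
```

Installing with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) lets the audit run before any hook executes; the trade-off is that native modules needing a build step must then be handled explicitly.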

Credential Harvesting

The harvest() function is one of the most comprehensive credential sweeps observed in npm supply chain malware. It operates in two phases:

Phase 1 - Environment variable sweep:

Over 50 regex patterns target credentials in the current process environment, including cloud providers, CI platforms, databases, AI APIs, and infrastructure tooling.

Phase 2 - Filesystem sweep:

Over 35 specific file paths are read, covering every major credential store on a developer machine, including:

  • ~/.aws/credentials

  • ~/.config/gcloud/application_default_credentials.json

  • ~/.azure/accessTokens.json

  • ~/.kube/config

  • ~/.docker/config.json

  • ~/.terraform.d/credentials.tfrc.json

  • ~/.pulumi/credentials.json

  • ~/.git-credentials

  • ~/.config/gh/hosts.yml

  • ~/.npmrc

  • ~/.pypirc

  • ~/.gem/credentials

  • ~/.cargo/credentials.toml

  • ~/.pgpass

  • ~/.my.cnf

  • ~/.bash_history

  • ~/.zsh_history

  • .env files in the current working directory and parent directory
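The file list above doubles as a detection rule: a package install has no business opening any of these paths. The following is an added example, not Ossprey's detection logic, that scans openat() lines of the kind strace prints for an `npm install` and reports reads of the credential stores listed above. The trace lines are constructed and the home directory is an assumed value.

```python
"""Flag install-time reads of credential stores in a syscall trace.

Added example, not Ossprey's detection logic. Scans strace-style openat()
lines and reports paths matching the credential stores named in the write-up.
The trace below is constructed; "/home/dev" is an assumed home directory.
"""
import fnmatch
import re
from typing import Iterable, List

# Credential stores named in the write-up, as patterns relative to $HOME.
# "*/.env" covers .env files in the install directory and its parents.
CREDENTIAL_PATTERNS = [
    "~/.aws/credentials",
    "~/.config/gcloud/application_default_credentials.json",
    "~/.azure/accessTokens.json",
    "~/.kube/config",
    "~/.docker/config.json",
    "~/.terraform.d/credentials.tfrc.json",
    "~/.pulumi/credentials.json",
    "~/.git-credentials",
    "~/.config/gh/hosts.yml",
    "~/.npmrc",
    "~/.pypirc",
    "~/.gem/credentials",
    "~/.cargo/credentials.toml",
    "~/.pgpass",
    "~/.my.cnf",
    "~/.bash_history",
    "~/.zsh_history",
    "*/.env",
]

# Path argument of an openat() call as strace prints it, with or without the
# leading PID that `strace -f` adds.
OPENAT_RE = re.compile(r'openat\([^,]+,\s*"([^"]+)"')


def is_credential_path(path: str, home: str) -> bool:
    """True if path names one of the credential stores, with ~ expanded to home."""
    for pattern in CREDENTIAL_PATTERNS:
        expanded = home + pattern[1:] if pattern.startswith("~") else pattern
        if fnmatch.fnmatchcase(path, expanded):
            return True
    return False


def flag_credential_reads(trace_lines: Iterable[str], home: str = "/home/dev") -> List[str]:
    """Return, in order of appearance, every opened path that is a credential store."""
    flagged = []
    for line in trace_lines:
        match = OPENAT_RE.search(line)
        if match and is_credential_path(match.group(1), home):
            flagged.append(match.group(1))
    return flagged


# Constructed trace: a normal manifest read, then two credential files and a .env.
SAMPLE_TRACE = [
    '4242 openat(AT_FDCWD, "/home/dev/proj/node_modules/example-dep/package.json", O_RDONLY|O_CLOEXEC) = 20',
    '4242 openat(AT_FDCWD, "/home/dev/.aws/credentials", O_RDONLY) = 21',
    '4242 read(21, "[default]\\n", 4096) = 10',
    '4242 openat(AT_FDCWD, "/home/dev/.npmrc", O_RDONLY) = 22',
    '4242 openat(AT_FDCWD, "/home/dev/proj/.env", O_RDONLY) = 23',
    '4242 openat(AT_FDCWD, "/usr/lib/node_modules/npm/package.json", O_RDONLY|O_CLOEXEC) = 24',
]

if __name__ == "__main__":
    for path in flag_credential_reads(SAMPLE_TRACE):
        print("credential store read at install time:", path)
```

A trace of this shape can be recorded with `strace -f -e trace=openat -o install.trace npm install` in a sandbox; the same path list works equally as an auditd or EDR file-access rule scoped to the package manager's process tree. One legitimate exception to expect is ~/.npmrc itself, which npm reads for registry configuration, so that entry is best correlated with the reading process rather than treated as a hard alert.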

Crypto Wallet Theft

The payload specifically targets seven cryptocurrency wallet applications by reading their local storage and IndexedDB files, including:

  • MetaMask

  • Phantom

  • Exodus

  • Atomic Wallet

  • Ethereum

  • Bitcoin/Electrum

  • Solana

Chrome Password Decryption

On Linux, the payload actively decrypts stored Chrome passwords at runtime using a hardcoded static key.

Process Memory Scanning

On Linux, the payload scans /proc/<pid>/environ for the first 50 running processes, extracting environment variables from other running processes if they contain credential-related strings.

Encryption

Before exfiltration, the full payload is encrypted using a hybrid scheme:

  1. A random 32-byte AES-256-CBC session key and 16-byte IV are generated

  2. The harvested data is encrypted with AES-256-CBC

  3. The session key is encrypted with RSA-4096-OAEP-SHA256 using a public key bundled with the package

  4. If no public key is present, data is sent in plaintext
