


Perceptive Security
SOC/SIEM Consultancy

pgserve Compromised on npm: Malicious Versions Harvest Credentials and Exfiltrate to a Decentralized ICP Canister
Published:
22 April 2026 at 02:01:07
Alert date:
22 April 2026 at 03:00:57
Source:
stepsecurity.io
Supply Chain & Dependencies, Data Breach & Exfiltration, Database & Storage
On April 21, 2026, malicious versions of the pgserve npm package were published, affecting versions 1.1.11, 1.1.12, and 1.1.13. The package, which provides an embedded PostgreSQL server for development, was compromised with a 1,143-line credential-harvesting script that executes during npm install via postinstall hooks. The malicious code harvests credentials and exfiltrates them to a decentralized Internet Computer Protocol (ICP) canister. This supply chain attack targets Node.js developers using pgserve for database development, potentially compromising development environments and associated credentials. The attack demonstrates sophisticated use of decentralized infrastructure for data exfiltration, making detection and takedown more challenging.
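A lockfile check for the three affected versions named above, as an added example (not code from stepsecurity.io or Perceptive). It assumes the standard package-lock.json layouts (nested `dependencies` in v1, flat `packages` in v2/v3); the sample lockfile and the names `example-app` and `dev-db-helper` are constructed.

```javascript
// Added example: find pgserve 1.1.11-1.1.13 in a parsed package-lock.json.
const AFFECTED_NAME = "pgserve";
const AFFECTED_VERSIONS = new Set(["1.1.11", "1.1.12", "1.1.13"]);

// Package name from a v2/v3 "packages" key, e.g.
// "node_modules/a/node_modules/pgserve" -> "pgserve" ("@scope/name" is kept whole).
function nameFromPath(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? null : key.slice(i + marker.length);
}

// Pass JSON.parse() of a package-lock.json; returns [{ where, version }, ...].
function findAffected(lock) {
  const hits = [];
  const isHit = (name, entry) =>
    name === AFFECTED_NAME && AFFECTED_VERSIONS.has(entry.version);
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the project itself.
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === "") continue;
      // entry.name is only present when the folder name differs (npm aliases).
      if (isHit(entry.name || nameFromPath(key), entry)) {
        hits.push({ where: key, version: entry.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree, so transitive copies are found too.
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = trail.concat(name);
      if (isHit(name, entry)) hits.push({ where: path.join(" > "), version: entry.version });
      walk(entry.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (v3 layout), not taken from a real project.
const SAMPLE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "0.0.1" },
    "node_modules/pgserve": { version: "1.1.10" },
    "node_modules/dev-db-helper/node_modules/pgserve": { version: "1.1.12" },
  },
};
console.log(findAffected(SAMPLE));
```

A hit means the postinstall script may already have run wherever that lockfile was installed. npm's `--ignore-scripts` option stops lifecycle hooks such as postinstall from executing during install.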
Affected products:
pgserve
npm
Node.js
PostgreSQL
This article was created with the assistance of AI technology by Perceptive.
