Three @fairwords NPM Packages Compromised by Advanced Credential-Stealing Worm
Key Takeaways
- A coordinated attack on three dormant packages points to deliberate targeting of one organization's npm scope, most likely through a compromised maintainer account or an insider.
- The worm's credential harvesting is broad: it covers 40+ cloud and SaaS providers (AWS, GCP, Azure, GitHub, OpenAI, Stripe, Anthropic and Cohere among them), cryptocurrency wallets, and browser password managers.
- The self-propagation mechanism was exercised, not merely present in the code: second-generation packages were published within 8 minutes using the stolen npm token, creating a persistent infection vector for downstream consumers.
- The attempted cross-ecosystem propagation to PyPI shows intent to maximize blast radius across the Python and Node.js supply chains.
Summary
Three npm packages under the @fairwords scope (@fairwords/websocket, @fairwords/loopback-connector-es, and @fairwords/encryption) were compromised simultaneously on April 8, 2026, with malicious postinstall hooks injected into versions 1.0.38, 1.4.3, and 0.0.5. The attack deployed a 1,149-line credential-harvesting payload that steals environment variables, SSH keys, cloud credentials, cryptocurrency wallet data, and Chrome saved passwords, self-propagates across npm packages, and attempts cross-ecosystem infection via PyPI. The worm uses RSA-4096 encryption and exfiltrates stolen data through redundant channels, including HTTPS webhooks and Internet Computer (ICP) canisters. Within 8 minutes of the initial compromise the malware published second-generation versions (1.0.39, 1.4.4, 0.0.6) with the stolen npm token, confirming that the publish token was in the attacker's hands and that the propagation routine works against live packages. The @fairwords scope belongs to FairWords/MyComplianceOffice, a compliance software company; the scope has 21 listed maintainers, and the affected packages had been dormant since 2022 before this coordinated attack.