BotBeat
...
← Back

> ▌

N/AN/A
INDUSTRY REPORTN/A2026-04-08

Three @fairwords NPM Packages Compromised by Advanced Credential-Stealing Worm

Key Takeaways

  • ▸Coordinated attack on three dormant packages suggests deliberate targeting of a specific organization's npm scope, likely through account compromise or insider threat
  • ▸The worm's sophisticated design includes comprehensive credential harvesting across 40+ cloud/SaaS providers (AWS, GCP, Azure, GitHub, OpenAI, Stripe, Anthropic, Cohere), cryptocurrency wallets, and browser password managers
  • ▸Self-propagation mechanism demonstrated actual exploitation—second-generation packages published within 8 minutes using stolen npm token, creating persistent infection vector for downstream consumers
Source:
Hacker Newshttps://safedep.io/malicious-fairwords-npm-credential-worm/↗

Summary

Three npm packages under the @fairwords scope (@fairwords/websocket, @fairwords/loopback-connector-es, and @fairwords/encryption) were simultaneously compromised on April 8, 2026, with malicious postinstall hooks injected into versions 1.0.38, 1.4.3, and 0.0.5. The attack deployed a 1,149-line credential harvesting payload capable of stealing environment variables, SSH keys, cloud credentials, cryptocurrency wallet data, and Chrome saved passwords, with the ability to self-propagate across npm packages and attempt cross-ecosystem infection via PyPI. The worm uses RSA-4096 encryption and exfiltrates stolen data through redundant channels including HTTPS webhooks and Internet Computer (ICP) canisters. Within 8 minutes of the initial compromise, the malware self-propagated by publishing second-generation versions (1.0.39, 1.4.4, 0.0.6) using the stolen npm token, confirming successful token compromise and demonstrating sophisticated supply chain attack capabilities. The @fairwords scope is maintained by FairWords/MyComplianceOffice, a compliance software company with 21 maintainers, and the affected packages had been dormant since 2022 before this coordinated attack.

  • Cross-ecosystem propagation attempt to PyPI indicates adversary's intent to maximize blast radius across Python and Node.js supply chains
CybersecurityPrivacy & DataMisinformation & Deepfakes

More from N/A

N/AN/A
POLICY & REGULATION

China's Universities Cut 12,000 'Obsolete' Degrees Amid Race to Embrace AI Era

2026-06-16
N/AN/A
POLICY & REGULATION

Argentina Proposes 'Non-Human Corporations' Legislation to Enable AI-Owned Companies

2026-06-15
N/AN/A
POLICY & REGULATION

New York Becomes First State to Require AI 'Synthetic Performer' Labels in Ads

2026-06-10

Comments

Suggested

AnthropicAnthropic
RESEARCH

Claude Code's Trust Model Exposes Developers to Malicious Hooks, Security Analysis Warns

2026-07-07
Corvin LabsCorvin Labs
PRODUCT LAUNCH

CorvinOS Launches Self-Hosted Agentic OS With EU AI Act Compliance Baked Into Architecture

2026-07-07
AnthropicAnthropic
RESEARCH

AI Coding Assistant Accidentally Shipping API Credentials: .claude Files Exposed Across Package Ecosystems

2026-07-07
← Back to news
© 2026 BotBeat
AboutPrivacy PolicyTerms of ServiceContact Us