fairwords Credential Worm
Compromise of the @fairwords npm scope (websocket, loopback-connector-es, encryption) delivering a credential-harvesting worm.
Discovered: 2026-04-08
Objective
Harvest credentials and self-propagate through the npm scope.
Packages
Indicators
Techniques
- ttp: T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools (uses)
- ttp: T1059.007 Command and Scripting Interpreter: JavaScript (uses)
- ttp: T1552.001 Unsecured Credentials: Credentials In Files (uses)
- ttp: T1041 Exfiltration Over C2 Channel (uses)
- ttp: T1552.004 Unsecured Credentials: Private Keys (uses)
- ttp: T1528 Steal Application Access Token (uses)
- ttp: T1071.001 Application Layer Protocol: Web Protocols (uses)
- ttp: T1021 Remote Services (uses)
- ttp: T1098 Account Manipulation (uses)
