NPM REALLY has a poison package problem. It seems like something like this is happening nearly every week.
Archive: https://archive.today/mwf7y
From the post:
>Three npm packages under the @fairwords scope, @fairwords/websocket@1.0.38, @fairwords/loopback-connector-es@1.4.3, and @fairwords/encryption@0.0.5, were compromised simultaneously on April 8, 2026 (UTC). All three received an identical postinstall hook that runs a 1,149-line credential harvesting and self-propagation payload (scripts/check-env.js). The malware steals environment variables, SSH keys, cloud credentials, crypto wallet data, Chrome saved passwords, and .env files. It encrypts the stolen data with RSA-4096 and exfiltrates to two redundant channels: an HTTPS webhook and an Internet Computer (ICP) canister. If an npm token is found on the victim machine, the worm self-propagates by infecting other packages the token can publish. It also attempts cross-ecosystem propagation to PyPI using the .pth persistence technique.