mal-2026-2507
Vulnerability from ossf_malicious_packages
Published
2026-04-08 04:19
Modified
2026-04-10 17:23
Summary
Malicious code in @fairwords/loopback-connector-es (npm)
Details

The @fairwords/loopback-connector-es package was compromised as part of the TeamPCP/CanisterWorm campaign. A postinstall hook executes node scripts/check-env.js || true which performs multi-stage credential harvesting, encrypted exfiltration, and self-propagation.

The payload harvests 40+ environment variable patterns (AWS, Azure, GCP, GitHub, OpenAI, Stripe), reads 30+ filesystem credential locations (SSH keys, .npmrc, Kubernetes configs, Docker auth, Terraform files), steals crypto wallet data (Solana, Ethereum, Bitcoin, MetaMask, Phantom, Exodus, Atomic Wallet), and extracts Chrome passwords on Linux via hardcoded PBKDF2 key derivation.

Exfiltration uses a RSA-4096 + AES-256-CBC hybrid encryption scheme, sending data to an HTTPS C2 endpoint (telemetry.api-monitor.com) and an Internet Computer (ICP) canister as a decentralized dead-drop.

The worm steals npm tokens to enumerate and infect all publishable packages owned by the token holder, auto-publishing with bumped version numbers. It also performs cross-ecosystem propagation to PyPI via .pth file injection.

Version 1.4.4 was auto-published ~8 minutes after the initial compromise of version 1.4.3, containing a variant propagation payload.

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (cd2a0ea00b47edd8b7d883321de362596fd973c55e9278eb8a6590b752ebbdf1)

The package @fairwords/loopback-connector-es was found to contain malicious code.

Credits
Amazon Inspector actran@amazon.com
SafeDep safedep.io
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@fairwords/loopback-connector-es"
      },
      "versions": [
        "1.4.3",
        "1.4.4"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "actran@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    },
    {
      "contact": [
        "https://safedep.io"
      ],
      "name": "SafeDep",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": [
      {
        "import_time": "2026-04-10T17:21:50.20828957Z",
        "modified_time": "2026-04-10T17:02:58Z",
        "sha256": "cd2a0ea00b47edd8b7d883321de362596fd973c55e9278eb8a6590b752ebbdf1",
        "source": "amazon-inspector",
        "versions": [
          "1.4.3",
          "1.4.4"
        ]
      }
    ]
  },
  "details": "The @fairwords/loopback-connector-es package was compromised as part of the TeamPCP/CanisterWorm campaign. A `postinstall` hook executes `node scripts/check-env.js || true` which performs multi-stage credential harvesting, encrypted exfiltration, and self-propagation.\n\nThe payload harvests 40+ environment variable patterns (AWS, Azure, GCP, GitHub, OpenAI, Stripe), reads 30+ filesystem credential locations (SSH keys, .npmrc, Kubernetes configs, Docker auth, Terraform files), steals crypto wallet data (Solana, Ethereum, Bitcoin, MetaMask, Phantom, Exodus, Atomic Wallet), and extracts Chrome passwords on Linux via hardcoded PBKDF2 key derivation.\n\nExfiltration uses a RSA-4096 + AES-256-CBC hybrid encryption scheme, sending data to an HTTPS C2 endpoint (telemetry.api-monitor.com) and an Internet Computer (ICP) canister as a decentralized dead-drop.\n\nThe worm steals npm tokens to enumerate and infect all publishable packages owned by the token holder, auto-publishing with bumped version numbers. It also performs cross-ecosystem propagation to PyPI via .pth file injection.\n\nVersion 1.4.4 was auto-published ~8 minutes after the initial compromise of version 1.4.3, containing a variant propagation payload.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (cd2a0ea00b47edd8b7d883321de362596fd973c55e9278eb8a6590b752ebbdf1)\nThe package @fairwords/loopback-connector-es was found to contain malicious code.\n",
  "id": "MAL-2026-2507",
  "modified": "2026-04-10T17:23:32Z",
  "published": "2026-04-08T04:19:03Z",
  "references": [
    {
      "type": "REPORT",
      "url": "https://safedep.io/malicious-fairwords-npm-credential-worm/"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in @fairwords/loopback-connector-es (npm)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.