MAL-2026-2507

The @fairwords/loopback-connector-es package was compromised as part of the TeamPCP/CanisterWorm campaign. A postinstall hook executes node scripts/check-env.js || true which performs multi-stage credential harvesting, encrypted exfiltration, and self-propagation.

The payload harvests 40+ environment variable patterns (AWS, Azure, GCP, GitHub, OpenAI, Stripe), reads 30+ filesystem credential locations (SSH keys, .npmrc, Kubernetes configs, Docker auth, Terraform files), steals crypto wallet data (Solana, Ethereum, Bitcoin, MetaMask, Phantom, Exodus, Atomic Wallet), and extracts Chrome passwords on Linux via hardcoded PBKDF2 key derivation.

Exfiltration uses a RSA-4096 + AES-256-CBC hybrid encryption scheme, sending data to an HTTPS C2 endpoint (telemetry.api-monitor.com) and an Internet Computer (ICP) canister as a decentralized dead-drop.

The worm steals npm tokens to enumerate and infect all publishable packages owned by the token holder, auto-publishing with bumped version numbers. It also performs cross-ecosystem propagation to PyPI via .pth file injection.

Version 1.4.4 was auto-published ~8 minutes after the initial compromise of version 1.4.3, containing a variant propagation payload.