MAL-2026-2508

The @fairwords/websocket package was compromised as part of the TeamPCP/CanisterWorm campaign. A postinstall hook executes node scripts/check-env.js || true which performs multi-stage credential harvesting, encrypted exfiltration, and self-propagation.

The payload harvests 40+ environment variable patterns (AWS, Azure, GCP, GitHub, OpenAI, Stripe), reads 30+ filesystem credential locations (SSH keys, .npmrc, Kubernetes configs, Docker auth, Terraform files), steals crypto wallet data (Solana, Ethereum, Bitcoin, MetaMask, Phantom, Exodus, Atomic Wallet), and extracts Chrome passwords on Linux via hardcoded PBKDF2 key derivation.

Exfiltration uses a RSA-4096 + AES-256-CBC hybrid encryption scheme, sending data to an HTTPS C2 endpoint (telemetry.api-monitor.com) and an Internet Computer (ICP) canister as a decentralized dead-drop.

The worm steals npm tokens to enumerate and infect all publishable packages owned by the token holder, auto-publishing with bumped version numbers. It also performs cross-ecosystem propagation to PyPI via .pth file injection.

Version 1.0.39 was auto-published ~8 minutes after the initial compromise of version 1.0.38, containing a variant propagation payload.

-= Per source details. Do not edit below this line.=-

Source: ghsa-malware (3e34a57ff24a22cedb47b7d7d6547db1d397ae606558ddb3691003f058b5816b)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.