malware npm
@fairwords/encryption
discovered 2026-04-08@fairwords/encryption is identified in the SafeDep analysis "@fairwords npm Packages Hit by Credential Worm". Three @fairwords npm packages were compromised with a self-propagating worm that harvests credentials, crypto wallets, Chrome passwords, and spreads to other packages using stolen npm tokens.
Threat types
credential_stealer crypto_drainer data_exfiltration worm
Malicious versions
- 0.0.5
- 0.0.6
Campaigns
Indicators
- domain telemetry.api-monitor.comcommunicates-with
- ipv4 143.198.237.25communicates-with
- ipv4 23.236.116.77communicates-with
- ipv4 209.34.235.18communicates-with
- sha256 4dbecce9ab3cf1739a9b90f9a9f304a3a44f69332320ae0753c129cf078e6f34indicates
- sha256 513eed96cabdea495a7141666eb77216dee6f0754ef643917346a47a2ff61476indicates
- sha256 834b6e5db5710b9308d0598978a0148a9dc832361f1fa0b7ad4343dcceba2812indicates
Techniques
- ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
- ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
- ttp T1552.001 Unsecured Credentials: Credentials In Filesuses
- ttp T1041 Exfiltration Over C2 Channeluses
- ttp T1552.004 Unsecured Credentials: Private Keysuses
- ttp T1528 Steal Application Access Tokenuses
- ttp T1071.001 Application Layer Protocol: Web Protocolsuses
- ttp T1021 Remote Servicesuses
- ttp T1098 Account Manipulationuses
