{"id":"MAL-2026-2507","summary":"Malicious code in @fairwords/loopback-connector-es (npm)","details":"The @fairwords/loopback-connector-es package was compromised as part of the TeamPCP/CanisterWorm campaign. A `postinstall` hook executes `node scripts/check-env.js || true` which performs multi-stage credential harvesting, encrypted exfiltration, and self-propagation.\n\nThe payload harvests 40+ environment variable patterns (AWS, Azure, GCP, GitHub, OpenAI, Stripe), reads 30+ filesystem credential locations (SSH keys, .npmrc, Kubernetes configs, Docker auth, Terraform files), steals crypto wallet data (Solana, Ethereum, Bitcoin, MetaMask, Phantom, Exodus, Atomic Wallet), and extracts Chrome passwords on Linux via hardcoded PBKDF2 key derivation.\n\nExfiltration uses a RSA-4096 + AES-256-CBC hybrid encryption scheme, sending data to an HTTPS C2 endpoint (telemetry.api-monitor.com) and an Internet Computer (ICP) canister as a decentralized dead-drop.\n\nThe worm steals npm tokens to enumerate and infect all publishable packages owned by the token holder, auto-publishing with bumped version numbers. It also performs cross-ecosystem propagation to PyPI via .pth file injection.\n\nVersion 1.4.4 was auto-published ~8 minutes after the initial compromise of version 1.4.3, containing a variant propagation payload.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (cd2a0ea00b47edd8b7d883321de362596fd973c55e9278eb8a6590b752ebbdf1)\nThe package @fairwords/loopback-connector-es was found to contain malicious code.\n","modified":"2026-04-10T17:35:09.358292Z","published":"2026-04-08T04:19:03Z","database_specific":{"malicious-packages-origins":[{"versions":["1.4.3","1.4.4"],"source":"amazon-inspector","import_time":"2026-04-10T17:21:50.20828957Z","modified_time":"2026-04-10T17:02:58Z","sha256":"cd2a0ea00b47edd8b7d883321de362596fd973c55e9278eb8a6590b752ebbdf1"}]},"references":[{"type":"REPORT","url":"https://safedep.io/malicious-fairwords-npm-credential-worm/"}],"affected":[{"package":{"name":"@fairwords/loopback-connector-es","ecosystem":"npm","purl":"pkg:npm/%40fairwords/loopback-connector-es"},"versions":["1.4.3","1.4.4"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@fairwords/loopback-connector-es/MAL-2026-2507.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}