@fairwords npm packages compromised by a self-propagating credential worm - steals tokens, infects other packages you own, then crosses to PyPI
Posted by BattleRemote3157@reddit | programming | 32 comments
Three @fairwords scoped npm packages were hit today by what appears to be the
TeamPCP/CanisterWorm campaign. The interesting part isn't just the credential theft, it's what it does with your npm token afterward.
What the postinstall payload does:
- Harvests environment variables matching 40+ patterns (AWS, GCP, Azure, GitHub, OpenAI, Stripe, etc.)
- Reads SSH keys, .npmrc, .kube/config, Docker auth, Terraform credentials, .git-credentials
- Steals crypto wallet data - Solana keypairs, Ethereum keystores, MetaMask LevelDB, Phantom, Exodus, Atomic Wallet
- Decrypts Chrome saved passwords on Linux using the well-known hardcoded PBKDF2 key ("peanuts"/"saltysalt")
- Scans /proc/[pid]/environ for tokens in other running processes
Affected versions:
- @fairwords/websocket 1.0.38 and 1.0.39
- @fairwords/loopback-connector-es 1.4.3 and 1.4.4
- @fairwords/encryption 0.0.5 and 0.0.6
If you have any of these installed, rotate npm tokens, cloud keys, SSH keys immediately and check whether any packages you maintain received unexpected version bumps.
Full analysis with IOCs and payload walkthrough in the blog.
dark_mode_everything@reddit
Let me just copy paste my comment from the axios post:
"What I don't get is, why the fucking fuck do javascript packages need to run scripts after installation?"
max123246@reddit
Presumably you're going to run the code you install, right?
nelmaven@reddit
Why would a dependency run anything by itself?
max123246@reddit
Right, I forgot about transitive dependencies. Yeah, that's not great
dark_mode_everything@reddit
Yes. I'm going to run the JavaScript code from the package. Not some random shell script.
AuroraFireflash@reddit
Seriously. NPM needs to fix it so that you have to explicitly opt-in to running pre/post install scripts.
Carighan@reddit
Without running scripts, it couldn't be such a nice security disaster, could it be now?!
khsh01@reddit
I still don't understand why people love this garbage so much. There's another new vulnerability in npm every day. Nodejs is trash.
GXNXVS@reddit
same thing would happen to another package manager. npm gets hit because it’s the most popular by far.
GuyWithPants@reddit
It doesn't, though. NodeJS is the only one of the popular languages where installing a dependency for a local project allows that dependency to immediately run an arbitrary post-install on your development machine.
GXNXVS@reddit
Rust also does the same thing.
AuroraFireflash@reddit
There are others.
GuyWithPants@reddit
I guess part of the reason I didn't consider Python in this category is that all of the Python stuff I'm working with is switching to or has already switched to uv, which doesn't support this nonsense for binary packages, though it could still run code if installing a package from source.
xSaviorself@reddit
Yeah this is some silly shit, both Python and JS ecosystems are suffering this problem right now. It's not avoidable either, executing post-install scripts is a common thing especially supporting legacy software.
This is an arms race which could likely change how package management fundamentally works if it keeps propagating.
matheusmoreira@reddit
It's not the package manager, it's the fact any random idiot can sign up and push packages. Every programming language package repository is a glorified Arch Linux User Repository with exactly the same caveats and risks. The problem is everyone thinks it's as trusted as the actual official Linux distribution repositories which have actual trusted human maintainers taking responsibility for it.
khsh01@reddit
It's less about popularity and more because it's a janky setup. You can only go so far by retrofitting garbage. Js is great for its intended purpose, cute little scripts to make your browser do stuff with the rendered html.
It becomes complete garbage when you strap a browser onto it and start calling it a programming language.
programming-ModTeam@reddit
No content written mostly by an LLM. If you don't want to write it, we don't want to read it.
sunychoudhary@reddit
Same pattern again.
Dependency → maintainer compromise → trusted distribution → downstream impact.
The code itself isn’t the weakest point anymore, the supply chain is.
programming-ModTeam@reddit
No content written mostly by an LLM. If you don't want to write it, we don't want to read it.
nelmaven@reddit
The postinstall wrecking everything again
arj-co@reddit
Can you elaborate? Again?
nelmaven@reddit
The axios npm package was also due to a script that ran post installation.
Froztnova@reddit
The last time this happened, I made the decision to migrate a nascent project I was working on away from nodejs.
Seems that it was a shrewd decision.
matheusmoreira@reddit
I made my own development virtual machine management scripts just to try and avoid nonsense like this. I hope it's enough...
wannaliveonmars@reddit
As I predicted here - https://reddit.com/r/programming/comments/1sbkx3b/someone_is_actively_publishing_malicious_packages/oe5xdhi/
programmer-ke@reddit
Probably safe to say there's many more packages yet to be exploited.
wannaliveonmars@reddit
Yep. The problem is that package maintainers run npm install too, and they then become the next "vector".
Jonno_FTW@reddit
Another day, another npm security incident.
Wheekie@reddit
Will anybody ever have a break?
BlueGoliath@reddit
Jia Tan strikes again.
ArgumentFew4432@reddit
fairwords/websocket: 13 weekly downloads…. And those are probably mirrors….
D-cyde@reddit
I'm tired boss.