{"campaign":{"name":"fairwords Credential Worm","slug":"fairwords-credential-worm","href":"/ti/campaigns/fairwords-credential-worm","description":"Compromise of the @fairwords npm scope (websocket, loopback-connector-es, encryption) delivering a credential-harvesting worm.","objective":"Harvest credentials and self-propagate through the npm scope.","aliases":[],"discovered_at":"2026-04-08"},"packages":[{"ecosystem":"npm","name":"@fairwords/websocket","href":"/ti/packages/npm/@fairwords/websocket","threat_types":["credential_stealer","crypto_drainer","data_exfiltration","worm"],"versions":["1.0.38","1.0.39"]},{"ecosystem":"npm","name":"@fairwords/loopback-connector-es","href":"/ti/packages/npm/@fairwords/loopback-connector-es","threat_types":["credential_stealer","crypto_drainer","data_exfiltration","worm"],"versions":["1.4.3","1.4.4"]},{"ecosystem":"npm","name":"@fairwords/encryption","href":"/ti/packages/npm/@fairwords/encryption","threat_types":["credential_stealer","crypto_drainer","data_exfiltration","worm"],"versions":["0.0.5","0.0.6"]}],"indicators":[{"kind":"domain","value":"telemetry.api-monitor.com","href":"/ti/ioc/domain/telemetry.api-monitor.com","context":"Network indicator from blog post"},{"kind":"ipv4","value":"143.198.237.25","href":"/ti/ioc/ipv4/143.198.237.25","context":"IP address indicator from blog post"},{"kind":"ipv4","value":"23.236.116.77","href":"/ti/ioc/ipv4/23.236.116.77","context":"IP address indicator from blog post"},{"kind":"ipv4","value":"209.34.235.18","href":"/ti/ioc/ipv4/209.34.235.18","context":"IP address indicator from blog post"},{"kind":"sha256","value":"4dbecce9ab3cf1739a9b90f9a9f304a3a44f69332320ae0753c129cf078e6f34","href":"/ti/ioc/sha256/4dbecce9ab3cf1739a9b90f9a9f304a3a44f69332320ae0753c129cf078e6f34","context":"SHA-256 hash from blog post"},{"kind":"sha256","value":"513eed96cabdea495a7141666eb77216dee6f0754ef643917346a47a2ff61476","href":"/ti/ioc/sha256/513eed96cabdea495a7141666eb77216dee6f0754ef643917346a47a2ff61476","context":"SHA-256 hash from blog post"},{"kind":"sha256","value":"834b6e5db5710b9308d0598978a0148a9dc832361f1fa0b7ad4343dcceba2812","href":"/ti/ioc/sha256/834b6e5db5710b9308d0598978a0148a9dc832361f1fa0b7ad4343dcceba2812","context":"SHA-256 hash from blog post"}],"ttps":[{"name":"Supply Chain Compromise: Compromise Software Dependencies and Development Tools","mitre_attack_id":"T1195.001","href":"/ti/ttps/T1195.001"},{"name":"Command and Scripting Interpreter: JavaScript","mitre_attack_id":"T1059.007","href":"/ti/ttps/T1059.007"},{"name":"Unsecured Credentials: Credentials In Files","mitre_attack_id":"T1552.001","href":"/ti/ttps/T1552.001"},{"name":"Exfiltration Over C2 Channel","mitre_attack_id":"T1041","href":"/ti/ttps/T1041"},{"name":"Unsecured Credentials: Private Keys","mitre_attack_id":"T1552.004","href":"/ti/ttps/T1552.004"},{"name":"Steal Application Access Token","mitre_attack_id":"T1528","href":"/ti/ttps/T1528"},{"name":"Application Layer Protocol: Web Protocols","mitre_attack_id":"T1071.001","href":"/ti/ttps/T1071.001"},{"name":"Remote Services","mitre_attack_id":"T1021","href":"/ti/ttps/T1021"},{"name":"Account Manipulation","mitre_attack_id":"T1098","href":"/ti/ttps/T1098"}],"related_campaigns":[],"reports":[{"title":"@fairwords npm Packages Hit by Credential Worm","url":"https://safedep.io/malicious-fairwords-npm-credential-worm","published_at":"2026-04-08"}]}