@fairwords/websocket
@fairwords/websocket is identified in the SafeDep analysis "@fairwords npm Packages Hit by Credential Worm". Three @fairwords npm packages were compromised with a self-propagating worm that harvests credentials, crypto wallets, and Chrome passwords, and spreads to other packages using stolen npm tokens.
discovered 2026-04-08
Threat types
- credential_stealer
- crypto_drainer
- data_exfiltration
- worm
Malicious versions
- 1.0.38
- 1.0.39
Campaigns
Indicators
Techniques
- ttp: T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools (uses)
- ttp: T1059.007 Command and Scripting Interpreter: JavaScript (uses)
- ttp: T1552.001 Unsecured Credentials: Credentials In Files (uses)
- ttp: T1041 Exfiltration Over C2 Channel (uses)
- ttp: T1552.004 Unsecured Credentials: Private Keys (uses)
- ttp: T1528 Steal Application Access Token (uses)
- ttp: T1071.001 Application Layer Protocol: Web Protocols (uses)
- ttp: T1021 Remote Services (uses)
- ttp: T1098 Account Manipulation (uses)
