What are the affected fairwords NPM packages?

fairwords/websocket 1.0.38-1.0.39, fairwords/loopback-connector-es 1.4.3-1.4.4, fairwords/encryption 0.0.5-0.0.6.

How do I check if this worm infected my projects?

npm ls fairwords; check npm publish history; scan for IOCs from safedep.io blog.

What should I do after using compromised NPM packages?

Rotate all tokens/keys/creds immediately, revoke SSH, audit owned packages for surprise bumps.

Fairwords NPM Worm Steals Credentials, Hijacks Your Other Packages, and Jumps to PyPI

Hackers turned three obscure NPM packages into a credential-stealing monster that doesn't stop at theft—it bumps versions in your other packages and leaps to PyPI. Developers: check your tokens yesterday.

theAIcatchup Apr 08, 2026 3 min read

Terminal output showing compromised fairwords NPM package postinstall stealing credentials

⚡ Key Takeaways

The worm doesn't just steal— it uses your creds to propagate via unauthorized publishes to your other packages. 𝕏
Crosses from NPM to PyPI, signaling multi-registry supply chain threats. 𝕏
Rotate everything now: NPM tokens, cloud keys, SSH— and enable 2FA everywhere. 𝕏

Published by

theAIcatchup

Community-driven. Code-first.

#credential theft #malware worm #npm security #npm security #supply chain attack

Worth sharing?

Get the best Open Source stories of the week in your inbox — no noise, no spam.

Originally reported by Reddit r/programming

⚡ Key Takeaways

The 60-Second TL;DR

theAIcatchup

Share this article

Worth sharing?

Related Stories

Anthropic's Epic Oops: 513K Lines of Claude Code Leaked on npm, Handing Attackers the Keys

npm's a Sucker Punch — Here's Your Guard

Attackers Slip Malware into Build Config Files, Bypassing GitHub PR Reviews

NPM's Postinstall Trap: How the Axios Attack Exposed Dev Blind Spots

Stay in the loop