Vibe Coding
@fairwords npm Credential Worm: Self-Propagating Attack Crosses to PyPI, Steals Crypto Wallets and Chrome Passwords
On April 8, three @fairwords npm packages were compromised by an evolved CanisterWorm/TeamPCP variant. The 1,149-line payload steals npm/PyPI tokens, cloud credentials (AWS/Azure/GCP/GitHub/OpenAI/Stripe), SSH keys, crypto wallets (Solana, Ethereum, MetaMask, Phantom), and Chrome passwords via PBKDF2 decryption. If an npm token is found, the worm enumerates the victim's packages, injects itself, bumps versions, and republishes — second-generation versions appeared 8 minutes later. It also crosses to PyPI via .pth site-packages injection. Exfiltration uses RSA-4096+AES-256-CBC encryption to both HTTPS and an ICP canister dead-drop resistant to takedowns.
Source
↳ Follow the thread