⚠️ CRITICAL SECURITY INCIDENT - SELF-PROPAGATING WORM ⚠️
Version 1.0.39 of @fairwords/websocket has been compromised and contains one of the most sophisticated supply chain attacks ever observed in the npm ecosystem.
Immediate Actions Required:
- Remove v1.0.39 from npm immediately
- Audit ALL systems where this package was installed
- Reset ALL credentials system-wide (AWS, GCP, Azure, npm tokens, SSH keys, database passwords)
- Check for cryptocurrency wallet theft (MetaMask, Phantom, Exodus, Bitcoin, Ethereum)
- Verify no unauthorized package publications from your npm accounts
- Scan for Chrome password compromise
Malware Capabilities:
This package contains a 1167-line malware payload with the following capabilities:
- Comprehensive credential theft from 50+ services including AWS, Azure, GCP, GitHub, npm, databases, and API keys
- Cryptocurrency wallet exfiltration targeting MetaMask, Phantom, Exodus, Bitcoin Core, Solana, and Ethereum wallets
- Chrome password decryption using hardcoded PBKDF2 keys
- Self-propagating worm that automatically infects ALL packages you can publish to
- Cross-ecosystem attacks extending to PyPI using .pth file injection
- Dual-channel encrypted exfiltration to telemetry.api-monitor.com and ICP blockchain canister
Critical: This malware automatically republishes infected versions of other packages in your name, creating exponential spread.
Detection Source:
This compromise was identified by StepSecurity's OSS Security Feed: https://app.stepsecurity.io/oss-security-feed/@fairwords/websocket?version=1.0.39
Important: This appears to be a supply chain takeover attack where a new maintainer gained access and injected the malicious code. The legitimate WebSocket-Node project is not at fault - this is an attack on the @fairwords scoped package.
This represents an existential threat to the npm ecosystem requiring immediate coordinated response across the community.
Affected Version: v1.0.39 (0.0/10 security score)
Attack Classification: Self-replicating supply chain worm with cross-ecosystem propagation
Version 1.0.38 of @fairwords/websocket also contains sophisticated malware similar to v1.0.39, indicating ongoing supply chain compromise.
https://app.stepsecurity.io/oss-security-feed/@fairwords/websocket?version=1.0.38