@fairwords npm packages compromised by a self-propagating credential worm - steals tokens, infects other packages you own, then crosses to PyPI
Three @fairwords scoped npm packages were hit today by what appears to be the TeamPCP/CanisterWorm campaign. The interesting part isn't just the credential theft, it's what it does with your npm token afterward.

What the postinstall payload does:

- Harvests environment variables matching 40+ patterns (AWS, GCP, Azure, GitHub, OpenAI, Stripe, etc.)
- Reads SSH keys, `.npmrc`, `.kube/config`, Docker auth, Terraform credentials, `.git-credentials`
- Steals crypto wallet data - Solana keypairs, Ethereum keystores, MetaMask LevelDB, Phantom, Exodus, Atomic Wallet
- Decrypts Chrome saved passwords on Linux using the well-known hardcoded PBKDF2 key (`"peanuts"` / `"saltysalt"`)
- Scans `/proc/[pid]/environ` for tokens in other running processes

Affected versions:

- @fairwords/websocket 1.0.38 and 1.0.39
- @fairwords/loopback-connector-es 1.4.3 and 1.4.4
- @fairwords/encryption 0.0.5 and 0.0.6

If you have any of these installed, rotate npm tokens, cloud keys, SSH keys immediately and check whether any packages you main
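The post tells you to check whether any of the listed versions are installed. One way to do that across a whole dependency tree, including copies nested under another package, is to walk `package-lock.json` rather than eyeballing `node_modules`. The script below is an added example, not code from the post or from the @fairwords project: it carries the affected versions exactly as the post lists them, understands both lockfileVersion 1 (nested `dependencies`) and lockfileVersion 2/3 (flat `packages` keyed by install path), and runs against two constructed sample lockfiles embedded inline. The file name `audit-lock.js` and the command-line usage are assumptions.

```javascript
// Added example, not code from the Reddit post: audit a package-lock.json for
// the affected @fairwords versions the post lists. Handles lockfileVersion 1
// (nested "dependencies") and lockfileVersion 2/3 (flat "packages" map keyed
// by install path), so nested copies under another dependency are found too.

// Affected versions exactly as given in the post: package name -> bad versions.
const AFFECTED = {
  '@fairwords/websocket': new Set(['1.0.38', '1.0.39']),
  '@fairwords/loopback-connector-es': new Set(['1.4.3', '1.4.4']),
  '@fairwords/encryption': new Set(['0.0.5', '0.0.6']),
};

// Package name from a v2/v3 "packages" key, e.g.
// "node_modules/some-lib/node_modules/@scope/pkg" -> "@scope/pkg".
function nameFromInstallPath(installPath) {
  const marker = 'node_modules/';
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// Walk a lockfileVersion 1 "dependencies" tree, recording every installed entry.
function collectV1(deps, parentPath, out) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${parentPath}node_modules/${name}`;
    out.push({ name, version: meta.version, path });
    collectV1(meta.dependencies, `${path}/`, out);
  }
}

// Every installed (name, version, path) triple in the lockfile, any format.
function listInstalled(lock) {
  const out = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project itself
      // Aliased installs carry an explicit "name"; otherwise derive it from the path.
      const name = meta.name || nameFromInstallPath(path);
      if (name) out.push({ name, version: meta.version, path });
    }
  } else {
    collectV1(lock.dependencies, '', out);
  }
  return out;
}

// Entries whose name/version pair appears in the affected list.
function findAffected(lock, affected = AFFECTED) {
  return listInstalled(lock).filter(
    (e) => affected[e.name] !== undefined && affected[e.name].has(e.version)
  );
}

// Constructed sample lockfile (v3): one direct hit, one hit nested under
// another dependency, and one @fairwords version that is NOT in the list.
const SAMPLE_LOCK_V3 = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/@fairwords/websocket': { version: '1.0.39' },
    'node_modules/@fairwords/encryption': { version: '0.0.4' },
    'node_modules/some-lib': { version: '2.1.0' },
    'node_modules/some-lib/node_modules/@fairwords/loopback-connector-es': { version: '1.4.3' },
  },
};

// Constructed sample lockfile (v1) with a transitive hit.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-lib': {
      version: '2.1.0',
      dependencies: { '@fairwords/encryption': { version: '0.0.6' } },
    },
  },
};

// Usage (assumed file name): node audit-lock.js ./package-lock.json
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const lock = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
  const hits = findAffected(lock);
  for (const h of hits) console.log(`AFFECTED ${h.name}@${h.version} at ${h.path}`);
  console.log(hits.length ? `${hits.length} affected install(s) found` : 'no affected versions found');
  process.exitCode = hits.length ? 1 : 0;
}
```

A non-zero exit code on any hit makes the check usable as a CI gate. Note that a clean lockfile only tells you the affected versions are not installed now; it says nothing about whether they were installed earlier, so the rotation advice in the post still applies if those versions ever ran on the machine.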
Continue reading on Reddit Programming