Three npm packages under the @fairwords scope (@fairwords/websocket@1.0.38, @fairwords/loopback-connector-es@1.4.3, and @fairwords/encryption@0.0.5) were compromised simultaneously on April 8, 2026 (UTC). All three received an identical postinstall hook that runs a 1,149-line credential-harvesting and self-propagation payload.
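One way to check a project for exposure, as an added example that is not part of the original advisory: the function below audits a parsed package-lock.json (lockfile v2/v3 `packages` map) for the three versions named above and separately lists other dependencies that npm marked with `hasInstallScript`. The sample lockfile, including `demo-app`, `foo` and the `esbuild` entry, is constructed for illustration.

```javascript
// Affected name -> version pairs, taken from the advisory text above.
const AFFECTED = new Map([
  ["@fairwords/websocket", "1.0.38"],
  ["@fairwords/loopback-connector-es", "1.4.3"],
  ["@fairwords/encryption", "0.0.5"],
]);

// Package name from a lockfile "packages" key, including nested installs:
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Audits a parsed package-lock.json object (hypothetical helper name).
// compromised: entries pinned to an affected version.
// installScripts: every other entry that runs an install-time script.
function auditLockfile(lock) {
  const compromised = [];
  const installScripts = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(path);
    if (!name) continue; // "" is the root project, not a dependency
    const id = `${name}@${meta.version}`;
    const bad = AFFECTED.get(name);
    if (bad !== undefined && bad === meta.version) compromised.push({ id, path });
    else if (meta.hasInstallScript) installScripts.push({ id, path });
  }
  return { compromised, installScripts };
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@fairwords/websocket": { version: "1.0.38", hasInstallScript: true },
    "node_modules/@fairwords/encryption": { version: "0.0.4" },
    "node_modules/foo/node_modules/@fairwords/loopback-connector-es": { version: "1.4.3", hasInstallScript: true },
    "node_modules/esbuild": { version: "0.20.0", hasInstallScript: true },
  },
};

const report = auditLockfile(sampleLock);
console.log(JSON.stringify(report, null, 2));
```

A match in `compromised` means the lockfile pins an affected release; whether its postinstall hook actually ran depends on how the install was performed (for example, `npm ci --ignore-scripts` skips it).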