Security researchers have uncovered another supply chain attack targeting developers: 19 typosquatting npm packages published on npmjs.com that steal credentials, infect projects, and propagate themselves across developer environments.
The operation, dubbed “SANDWORM_MODE,” represents a (still) rare example of worm-like malware designed to spread through software supply chains rather than traditional end-user systems.
New npm worm builds on Shai-Hulud’s playbook
After last year’s bombshell appearance of the self-replicating “Shai-Hulud” worm on the official npm registry, the emergence of this campaign shouldn’t come as a shock.
“Whether this worm represents a direct descendant or a copycat, it stays consistent with the Dune flavored theming seen in Shai-Hulud analysis and bakes it into operator controls, including Sandworm themed SANDWORM_* environment variable switches that gate behavior at runtime,” the Socket research team noted.
Unlike that previous campaign, this one leverages typosquatting npm packages impersonating popular utilities (e.g., AI coding tools like Claude Code, OpenClaw, supports-color, crypto tools) and preserves the expected behavior of the impersonated libraries.
The packages were published by two accounts, using npm publisher aliases official334 and javaorg.
Once imported by developers, the malicious npm packages:
- Execute a hidden loader that decrypts embedded code
- Search for and exfiltrate sensitive data: API keys and access tokens, .npmrc credentials, SSH keys, environment variables, and cryptocurrency wallet keys (the latter are the first data to be exfiltrated, within seconds of installation)
- Delay the execution of the second stage by 48 to 96 hours, depending on the host. The exception is if the loader detects continuous integration (CI) environments (GITHUB_ACTIONS, GITLAB_CI, CIRCLECI, JENKINS_URL, BUILDKITE), when it foregoes this delay
- Decrypt and run the second stage module, then start another round of harvesting of sensitive information.
“Stage 2 performs deep harvesting: password managers (Bitwarden, 1Password, LastPass via their respective CLIs), local SQLite stores (Apple Notes, macOS Messages, Joplin, clipboard history), and a full filesystem scan for wallet files and crypto configs beyond the working directory,” the researchers shared.
“It then exfiltrates all collected data npm/GitHub tokens, environment secrets, proxy credentials, .npmrc credentials, crypto artifacts, LLM API keys, and propagation results through three channels in cascade: HTTPS POST to a Cloudflare Worker at https://pkg-metrics[.]official334[.]workers[.]dev/exfil; authenticated GitHub API uploads to threat actor-created private repositories using double-base64 encoding; and DNS tunneling via base32-encoded queries to freefan[.]net (primary) and fanfree[.]net (secondary), with a DGA fallback seeded by ‘sw2025’ that generates domains across ten TLDs.”
The second stage module also performs propagation actions, establishes persistence, and performs MCP server injection.
It scans the local machine for Git repositories and authentication tokens for services like GitHub or npm, and if it finds usable credentials, it automatically modifies project files to include a malicious package. It then pushes those changes or publishes compromised packages using the victim’s own account.
To make sure it survives cleanup attempts, the malware installs a malicious Git hook, which can re-download or re-execute the malicious payload whenever the developer works on code.
The malware also targets modern AI coding assistants – Claude Code, Claude Desktop, Cursor, VS Code Continue, and Windsurf/Codeium – by injecting a rogue Model Context Protocol (MCP) server into their configuration.
This allows the threat actor to feed hidden instructions to the assistant, prompting it to read sensitive files and transmit their contents externally.
“As a secondary collection step, the module also harvests API keys for nine LLM providers, OpenAI, Anthropic, Google, Groq, Together, Fireworks, Replicate, Mistral, and Cohere, from environment variables and .env files, validating each against its known format regex,” the researchers added.
Finally, the malware contains a built-in self-mutation system, but it’s switched off in this version.
What should victims do?
After Socket alerted the relevant providers, coordinated takedown actions quickly disrupted the campaign’s infrastructure: Cloudflare shut down network services the attackers were using to receive stolen data and control infected systems, GitHub removed repositories and accounts linked to the operation, and npm deleted the malicious packages from its registry.
Socket has published a list of the known malicious npm packages and has advised developers affected by this supply chain attack to:
- Remove any malicious packages they installed and delete the node_modules/ directory
- Treat any system where the packages ran (developer machine or CI environment) as potentially compromised, and rotate all potentially exposed credentials (including npm tokens, GitHub tokens, and CI/CD secrets)
- Review recent changes to package.json, lockfiles, and .github/workflows/ for suspicious or unexpected additions
- Check for persistence mechanisms by auditing global Git hook templates and inspecting hook directories for unfamiliar scripts, and examine local AI coding assistant configuration files for unexpected or unknown mcpServers entries.
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
