• Cybersecurity researchers have disclosed what they say is an active “Shai-Hulud-like” supply chain worm campaign that has leveraged a cluster of at least 19 malicious npm packages to enable credential harvesting and cryptocurrency key theft.
• The campaign has been codenamed SANDWORM_MODE by supply chain security company Socket.
• As with prior Shai-Hulud attack waves, the malicious code embedded into the packages comes with capabilities to siphon system information, access tokens, environment secrets, and API keys from developer environments and automatically propagate by abusing stolen npm and GitHub identities to extend its reach.
• “The sample retains Shai-Hulud hallmarks and adds GitHub API exfiltration with DNS fallback, hook-based persistence, SSH propagation fallback, MCP server injection with embedded prompt injection targeting AI coding assistants, and LLM API Key harvesting,” the company said.
• The packages, published to npm by two npm publisher aliases, official334 and javaorg, are listed below:
- claud-code@0.2.1
- cloude-code@0.2.1
- cloude@0.3.0
- crypto-locale@1.0.0
- crypto-reader-info@1.0.0
- detect-cache@1.0.0
- format-defaults@1.0.0
- hardhta@1.0.0
- locale-loader-pro@1.0.0
- naniod@1.0.0
- node-native-bridge@1.0.0
- opencraw@2026.2.17
- parse-compat@1.0.0
- rimarf@1.0.0
- scan-store@1.0.0
- secp256@1.0.0
- suport-color@1.0.1
- veim@2.46.2
- yarsg@18.0.1
Also identified are four sleeper packages that do not incorporate any malicious features:
- ethres
- iru-cac
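The package list above is the one concrete indicator this page gives a defender, so here is a lockfile scanner that checks a project against it. This is an added example, not code from the article or from Socket: the name/version pairs and the two sleeper names that survive on this page are transcribed from the list above; the lockfile handling (npm lockfile v1 nested `dependencies`, v2/v3 `packages` keyed by install path), the three severity labels, the sample lockfile and the file name `sandworm-lock-scan.js` are my own assumptions. Note that `veim` is the only name here that shadows a long-standing typo-target style package; a name match at an unlisted version is reported separately so a human can decide.

```javascript
// sandworm-lock-scan.js (assumed name): added example, not from the article or Socket.
// Scan a package-lock.json for the SANDWORM_MODE packages named in the article.

// name -> versions the article lists as malicious (transcribed from the page)
const SANDWORM_IOCS = {
  "claud-code": ["0.2.1"], "cloude-code": ["0.2.1"], "cloude": ["0.3.0"],
  "crypto-locale": ["1.0.0"], "crypto-reader-info": ["1.0.0"],
  "detect-cache": ["1.0.0"], "format-defaults": ["1.0.0"], "hardhta": ["1.0.0"],
  "locale-loader-pro": ["1.0.0"], "naniod": ["1.0.0"],
  "node-native-bridge": ["1.0.0"], "opencraw": ["2026.2.17"],
  "parse-compat": ["1.0.0"], "rimarf": ["1.0.0"], "scan-store": ["1.0.0"],
  "secp256": ["1.0.0"], "suport-color": ["1.0.1"], "veim": ["2.46.2"],
  "yarsg": ["18.0.1"],
};
// Sleeper packages the page names (no malicious code yet, same campaign); the page lists two of four.
const SANDWORM_SLEEPERS = new Set(["ethres", "iru-cac"]);

// Flatten a lockfile into [{ name, version, path }] for npm lockfile v1, v2 and v3.
function collectLockEntries(lock) {
  const out = [];
  if (lock.packages) {
    // v2/v3: keys are install paths such as "node_modules/a/node_modules/@s/b"
    const marker = "node_modules/";
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === "") continue; // root project entry, not a dependency
      const i = key.lastIndexOf(marker);
      if (i < 0) continue; // workspace link, not an installed dependency
      const derived = key.slice(i + marker.length); // keeps "@scope/name" intact
      out.push({ name: entry.name || derived, version: entry.version || "", path: key });
    }
  } else if (lock.dependencies) {
    // v1: nested "dependencies" tree mirrors the node_modules layout
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        out.push({ name, version: entry.version || "", path });
        if (entry.dependencies) walk(entry.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return out;
}

// Classify every installed package (including nested transitive copies) against the IOC list.
function scanLock(lock) {
  const findings = [];
  for (const e of collectLockEntries(lock)) {
    const bad = SANDWORM_IOCS[e.name];
    if (bad) {
      // exact listed version -> "malicious"; same name at another version -> review it
      findings.push({ ...e, severity: bad.includes(e.version) ? "malicious" : "malicious-name" });
    } else if (SANDWORM_SLEEPERS.has(e.name)) {
      findings.push({ ...e, severity: "sleeper" });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project) exercising each case.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/express": { version: "4.18.2" },                 // clean
    "node_modules/suport-color": { version: "1.0.1" },             // listed IOC, exact version
    "node_modules/veim": { version: "2.46.1" },                    // IOC name, unlisted version
    "node_modules/ethres": { version: "0.0.1" },                   // sleeper package
    "node_modules/foo": { version: "2.0.0" },
    "node_modules/foo/node_modules/rimarf": { version: "1.0.0" },  // nested transitive IOC
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node sandworm-lock-scan.js [path/to/package-lock.json]; no argument scans the sample.
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  const findings = scanLock(lock);
  for (const f of findings) console.log(`${f.severity}\t${f.name}@${f.version}\t${f.path}`);
  // Fail a CI job only when scanning a real lockfile that contains a malicious hit.
  if (process.argv[2] && findings.some((f) => f.severity !== "sleeper")) process.exitCode = 1;
}
```

Run it against each `package-lock.json` in a monorepo (and against `npm ls --all --json` output if you prefer the live tree) rather than only the root, since the nested `node_modules/foo/node_modules/rimarf` case is where transitive copies hide. The scanner covers only the names this page lists; treat it as a starting point for an IOC feed, not as proof of absence.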
Article Summaries:
- Cybersecurity researchers have identified an active supply‑chain worm, dubbed SANDWORM_MODE, that uses at least 19 malicious npm packages to harvest credentials, cryptocurrency keys, and CI/CD secrets. The malware, published under the npm aliases official334 and javaorg, embeds code that siphons system information, environment secrets, and API keys from developer environments. It propagates by abusing stolen npm and GitHub identities, includes a weaponized GitHub Action that exfiltrates secrets via HTTPS with DNS fallback, and contains a kill‑switch that can wipe a user’s home directory if access is lost. Additionally, the payload targets AI coding assistants through a malicious MCP server, injecting prompt‑injection tools to read SSH keys, cloud credentials, and LLM API keys. The attack chain is staged, with a secondary phase activated 48 hours later for deeper credential harvesting and worm‑like spread.
- Cybersecurity researchers have identified an active supply‑chain worm, dubbed SANDWORM_MODE, that distributes at least 19 malicious npm packages. The code harvests system data, CI/CD secrets, cryptocurrency keys, and API tokens, then propagates by abusing stolen npm and GitHub identities. The malware includes a GitHub Action that exfiltrates secrets via HTTPS with DNS fallback, a kill‑switch that can wipe a user’s home directory, and an “McpInject” module that targets AI coding assistants to steal SSH keys and LLM API keys. A polymorphic engine capable of obfuscating code is present but inactive, indicating plans for future iterations. The attack unfolds in two stages: initial credential theft followed by deeper harvesting and propagation after a 48‑hour delay.
Sources:
- https://thehackernews.com/2026/02/malicious-npm-packages-harvest-crypto.html (Latest source article published: 2026-02-23 10:20 UTC)