• Security researchers have uncovered a new supply chain attack targeting the NPM registry with malicious code that exhibits worm-like propagation capabilities. Dubbed Sandworm_Mode, the attack was deployed through 19 packages published under two aliases, which relied on typosquatting to trick developers into executing the malicious code. According to cybersecurity firm Socket, the attack bears the hallmarks of the Shai-Hulud campaign that hit roughly 800 NPM packages in September and November 2025. Sandworm_Mode abuses stolen NPM and GitHub credentials for propagation and relies on a weaponized GitHub Action to harvest and exfiltrate CI secrets and to inject dependencies and workflows into repositories. The malicious packages, all of which have been removed from the registry, rely on typosquatting to pose as popular developer utilities, crypto tools, and AI coding utilities, such as Claude Code and OpenClaw. To weaponize AI coding assistants, the malicious code installs a rogue MCP server (targeting Claude Code, Cursor, Continue, and Windsurf) and relies on prompt injection for the exfiltration of SSH keys, AWS credentials, NPM tokens, and other secrets. The code also harvests API keys for LLM providers, environment variables, and .env files, and validates them. Additionally, it calls a local Ollama instance to modify variable names, rewrite control flows, insert decoy code, and encode strings. Sandworm_Mode executes a multi-stage attack, where the initial credential and crypto key exfiltration is followed by deep harvesting of secrets from password managers, MCP server injection, persistence via Git hooks, worm propagation, and multi-channel exfiltration. “This two-phase design is deliberate: the most financially damaging operation, crypto key theft, runs instantly and unconditionally, while the noisier operations are deferred to evade short-lived sandbox analysis,” Socket explains. The code also contains a configurable but inactive dead s

Article Summaries:

  • Security researchers have identified a new supply‑chain attack, dubbed Sandworm_Mode, that targeted the NPM registry with 19 malicious packages. The code, distributed via typosquatting aliases, mirrors the earlier Shai‑Hulud campaign and uses stolen NPM and GitHub credentials to propagate. It weaponizes a GitHub Action to harvest CI secrets, inject dependencies, and exfiltrate SSH keys, AWS tokens, and other credentials. The malware also installs a rogue MCP server to target AI coding assistants and can modify code via a local Ollama instance. All affected packages have been removed; developers are urged to uninstall them, rotate credentials, and audit workflows for unexpected changes.
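
A defender-side check for two of the behaviours described above, persistence via Git hooks and workflows injected into repositories, as an added example that is not from the article or from Socket. The function name `audit_repos` and the output labels are assumptions; it reads only each repository's own `.git/config`, so a `core.hooksPath` set in the global Git config needs a separate look.

```shell
#!/usr/bin/env bash
# Added example (not from the article): report what could run or change
# silently in every repository under a root directory.
#   HOOK       executable, non-.sample file in .git/hooks (Git would run it)
#   HOOKSPATH  core.hooksPath set in the repo config (hooks loaded from elsewhere)
#   WORKFLOW   GitHub Actions workflow file to diff against a known-good commit
audit_repos() {
  local root="${1:-.}" gitdir repo f value
  find "$root" -type d -name .git -prune 2>/dev/null | sort |
  while IFS= read -r gitdir; do
    repo="$(dirname "$gitdir")"
    # Active hooks: Git ignores the *.sample templates and non-executable files.
    for f in "$gitdir"/hooks/*; do
      if [ -f "$f" ] && [ -x "$f" ] && [ "${f%.sample}" = "$f" ]; then
        printf 'HOOK\t%s\n' "$f"
      fi
    done
    # A repo-level hooksPath override moves hook lookup outside .git/hooks.
    if [ -f "$gitdir/config" ]; then
      value="$(grep -i '^[[:space:]]*hookspath[[:space:]]*=' "$gitdir/config" |
               sed 's/^[^=]*=[[:space:]]*//' || true)"
      if [ -n "$value" ]; then
        printf 'HOOKSPATH\t%s\t%s\n' "$repo" "$value"
      fi
    fi
    # Workflow files: candidates for review against the last trusted commit.
    for f in "$repo"/.github/workflows/*.yml "$repo"/.github/workflows/*.yaml; do
      if [ -f "$f" ]; then
        printf 'WORKFLOW\t%s\n' "$f"
      fi
    done
  done
}

# Run as a script with a directory argument, e.g. the folder holding your checkouts.
if [ "$#" -gt 0 ]; then
  audit_repos "$1"
fi
```

Every `HOOK` or `HOOKSPATH` line that the repository owner did not put there deliberately deserves inspection before the next Git operation in that checkout.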

Sources: