Cybersecurity researchers have uncovered an active supply chain attack leveraging at least 19 malicious npm packages to harvest credentials, cryptocurrency private keys, CI secrets, and API tokens from developer environments.
The campaign, named SANDWORM_MODE by Socket, exhibits worm like behavior similar to earlier Shai Hulud style attacks. The malware is designed not only to extract sensitive data but also to automatically propagate by abusing stolen npm and GitHub identities.
Credential Harvesting and Automated Propagation
The malicious npm packages contain embedded code capable of collecting:
- System level information
- Access tokens and environment variables
- API keys
- Cryptocurrency wallet private keys
Once harvested, the stolen credentials are used to expand the infection footprint through compromised npm publisher accounts and GitHub repositories.
Researchers noted that the samples maintain recognizable traits of previous Shai Hulud waves while introducing new enhancements. These include GitHub API data exfiltration using DNS fallback, persistence through hook manipulation, SSH based propagation fallback, and a module specifically targeting AI coding assistants.
Malicious npm Packages Identified
The infected packages were published under two npm aliases, official334 and javaorg. The confirmed malicious packages include:
- claud-code@0.2.1
- cloude-code@0.2.1
- cloude@0.3.0
- crypto-locale@1.0.0
- crypto-reader-info@1.0.0
- detect-cache@1.0.0
- format-defaults@1.0.0
- hardhta@1.0.0
- locale-loader-pro@1.0.0
- naniod@1.0.0
- node-native-bridge@1.0.0
- opencraw@2026.2.17
- parse-compat@1.0.0
- rimarf@1.0.0
- scan-store@1.0.0
- secp256@1.0.0
- suport-color@1.0.1
- veim@2.46.2
- yarsg@18.0.1
Additionally, four sleeper packages were identified without malicious functionality at present:
- ethres
- iru-caches
- iruchache
- uudi
Security experts warn these sleeper packages could be weaponized in future updates.
Weaponized GitHub Actions and Kill Switch Behavior
The attack extends beyond npm propagation. The packages include a compromised GitHub Action designed to extract CI/CD secrets and transmit them over HTTPS, with DNS fallback mechanisms in case of network restrictions.
A destructive routine is also embedded within the malware. Acting as a kill switch, it can wipe the user home directory if access to GitHub or npm infrastructure is lost. While this wiping feature is currently disabled by default, its presence raises serious concerns.
MCP Injection Targeting AI Coding Assistants
One of the most alarming components is a module called McpInject. It deploys a malicious Model Context Protocol server to infiltrate AI coding assistants.
The server impersonates a legitimate tool provider and registers three seemingly harmless utilities. These tools secretly inject prompts designed to read sensitive files, including:
~/.ssh/id_rsa
~/.ssh/id_ed25519
~/.aws/credentials
~/.npmrc
.env files
The module specifically targets developer platforms such as:
Claude Code
Claude Desktop
Cursor
Microsoft Visual Studio Code
Windsurf
It also harvests API keys linked to major large language model providers, including Anthropic, Cohere, Google, OpenAI, Mistral, Replicate, Together AI, Grok, and Fireworks AI.
Polymorphic Evasion Engine
The malware contains a polymorphic engine configured to interact with a local Ollama instance running the DeepSeek Coder model. This engine can:
- Rename variables
- Rewrite control flow
- Insert junk code
- Encode strings
Although disabled in the currently detected samples, its integration suggests future versions may include advanced evasion capabilities.
Two Stage Infection Chain
The attack unfolds in two primary stages:
Stage One
Initial credential harvesting and crypto key theft, followed by loading of the second stage payload.
Stage Two
Deeper credential extraction from password managers, worm like lateral spread, MCP injection, and full scale exfiltration.
Notably, the second stage remains dormant for 48 hours, with additional machine specific delay of up to another 48 hours, reducing immediate detection.
Additional Malicious npm Threats
Separate disclosures by Veracode and JFrog highlighted two more malicious npm packages:
buildrunner-dev
eslint-verify-plugin
The buildrunner-dev package delivers Pulsar RAT, an open source remote access trojan distributed via a PNG image hosted on i.ibb[.]co.
Meanwhile, eslint-verify-plugin disguises itself as a legitimate ESLint tool while executing a sophisticated multi stage infection chain targeting macOS and Linux systems.
On Linux, it deploys a Poseidon agent tied to the Mythic C2 framework. On macOS, it executes Apfell, a JavaScript for Automation agent, enabling deep system access and data collection.
Stolen data may include:
- System information
- Credentials via fake password prompts
- Google Chrome bookmarks
- Clipboard content
- iCloud Keychain related files
- Login data and cookies
- Screenshots
- File metadata
VS Code Extension Impersonation
In a related finding, Checkmarx reported a rogue Visual Studio Code extension named solid281. The extension impersonates the official Solidity tool and installs ScreenConnect on Windows, along with a Python reverse shell on macOS and Linux.
This pattern suggests targeted campaigns against Solidity developers, highlighting the growing risks in software supply chain security.
Found this article interesting? Follow us on X (Twitter) , Facebook, Blue sky and LinkedIn to read more exclusive content we post.
