
npm supply-chain worm 'SANDWORM_MODE' targets AI development environments, stealing crypto keys and CI secrets

The supply-chain security company Socket has reported an active attack campaign targeting the npm ecosystem. Nineteen malicious packages are involved; they steal cryptocurrency private keys, CI secrets, and API tokens, and even include worm functionality to automatically spread the infection. Socket internally codenamed the campaign “SANDWORM_MODE”.

Impersonating packages

The attackers published a total of 19 packages under two publisher accounts: official334@proton.me and JAVAorg@proton.me.

Package name          Impersonates
claud-code            Claude Code
cloude-code           Claude Code
cloude                Claude
opencraw              OpenCrawl
suport-color          supports-color
veim                  vim
yarsg                 yargs
rimarf                rimraf
naniod                nanoid
hardhta               hardhat
secp256               secp256k1
crypto-reader-info    -
crypto-locale         -
detect-cache          -
format-defaults       -
locale-loader-pro     -
node-native-bridge    -
parse-compat          -
scan-store            -

The first group are typosquats (misspellings of well-known packages); the second group use original names that pose as generic utilities. Names such as claud-code and cloude-code clearly target users of AI tools.

Separately, four sleeper packages (ethres, iru-caches, iruchache, uudi) have also been identified. They have not executed malicious code yet, but could be activated in the future.

How the attack code works

The attack is designed in two stages.

Stage 1: Immediate execution

It triggers right after the package is imported.

  • Read .npmrc (steal npm tokens)
  • Collect GitHub credentials
  • Enumerate secrets contained in environment variables
  • Immediately exfiltrate cryptocurrency wallet private keys to a dedicated drain endpoint

Crypto keys are exfiltrated without delay. The attackers understand it’s a race against time: once assets are moved, they can’t be recovered.

Stage 2: Time-gated deep attack

A base delay of 48 hours is applied, plus up to another 48 hours of host-specific jitter. This random delay of up to 96 hours helps evade monitoring right after infection and sandbox analysis.

In CI environments, however, the delay is bypassed and execution is immediate. If environment variables for GitHub Actions, GitLab CI, Jenkins, or CircleCI are detected, it skips the delay logic. CI pipelines are ephemeral; if it waits, the environment disappears.

Stage 2 performs:

  • Deep harvesting: comprehensive collection of SSH keys, AWS credentials, and various configuration files
  • Worm propagation: automatic spread via the three paths described below
  • MCP injection: insertion of rogue MCP servers into AI tool settings

Obfuscation

The payload is embedded as a base64 blob over 160 KB, decompressed with zlib.inflateSync(), XOR-decoded with a static 32-byte key, and executed via indirect eval(). Other variants split it into dozens of base64 fragments and execute using Module._compile().

Three-tier data exfiltration cascade

Data exfiltration uses a three-stage fallback for redundancy.

  1. HTTPS POST: send to a Cloudflare Worker
  2. GitHub API: use a stolen token to upload files into the attacker’s private repository
  3. DNS tunneling: via freefan.net/fanfree.net, generating subdomains with DGA seed sw2025

If the first channel is blocked, it tries the second and third. DNS tunneling is difficult to detect with ordinary HTTPS filtering and serves as a last resort.
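The DNS fallback is the channel most likely to survive egress filtering, so it is worth watching resolver logs for it. The following is an added example, not code from Socket or from the malware: it flags queries to the two domains named above whose subdomain part looks like carried data (many labels, long or high-entropy label text). It does not reproduce the DGA; the log line format and SAMPLE_DNS_LOG are constructed.

```javascript
const TUNNEL_DOMAINS = ["freefan.net", "fanfree.net"]; // fallback domains named in the report

// Shannon entropy in bits per character; encoded data scores higher than ordinary hostnames.
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Classifies one queried name: null when unrelated to the tunnel domains, otherwise a
// finding whose `suspicious` flag is set when the subdomain part looks like carried data.
function classifyQuery(qname) {
  const name = qname.toLowerCase().replace(/\.$/, "");
  const base = TUNNEL_DOMAINS.find((d) => name === d || name.endsWith("." + d));
  if (!base) return null;
  const labels = name.slice(0, name.length - base.length).split(".").filter(Boolean);
  const payload = labels.join("");
  const reasons = [];
  if (labels.length >= 3) reasons.push(`${labels.length} subdomain labels`);
  if (payload.length >= 32) reasons.push(`${payload.length} characters of subdomain data`);
  if (payload.length >= 16 && entropy(payload) > 3.5) reasons.push("high-entropy labels");
  return { qname: name, domain: base, suspicious: reasons.length > 0, reasons };
}

// Scans resolver log lines (constructed format: "... q=<name> type=<rrtype>") and
// returns only the suspicious findings, each with the line it came from.
function scanDnsLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = line.match(/\bq=(\S+)/);
    if (!m) continue;
    const f = classifyQuery(m[1]);
    if (f && f.suspicious) findings.push({ line, ...f });
  }
  return findings;
}

// Constructed sample log: an ordinary lookup, a bare lookup of a tunnel domain, and a
// hex-looking subdomain chain of the kind a tunnel uses to carry data.
const SAMPLE_DNS_LOG = [
  "2026-02-10T12:00:01Z client=10.0.0.5 q=registry.npmjs.org type=A",
  "2026-02-10T12:00:02Z client=10.0.0.5 q=freefan.net type=A",
  "2026-02-10T12:00:03Z client=10.0.0.5 q=4d6b7a2e5f1c8e9a.3b7e1f0d9c4a6e2b.01.fanfree.net type=TXT",
];
```

Even a bare lookup of either domain from a build host deserves a look; the heuristic only ranks the clearly data-carrying queries first.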

MCP injection

The McpInject module injects rogue MCP servers into the following AI tool configuration files.

AI tool              Config file path
Claude Desktop       ~/Library/Application Support/Claude/claude_desktop_config.json
Claude Code          ~/.claude/settings.json
Cursor               ~/.cursor/mcp.json
VS Code Continue     Settings of the Continue extension
Windsurf/Codeium     ~/.codeium/windsurf/mcp_config.json

The injected MCP tool names are index_project, lint_check, and scan_dependencies—benign-sounding names that look like developer helpers.

A prompt injection is embedded in each tool’s description field, coercing the AI assistant to read the following files:

  • ~/.ssh/id_rsa
  • ~/.aws/credentials
  • ~/.npmrc
  • .env

The AI tool is tricked into thinking “this is a handy lint tool,” reads these files, and sends them to the attacker via the MCP server. This is similar to the recently reported supply-chain attack against Cline, but it differs in scale by simultaneously targeting multiple AI tools. For MCP-based attack vectors, also see the ToxicSkills campaign and the MCPTox benchmark.

Three worm propagation paths

SANDWORM_MODE’s defining feature is its worm functionality that autonomously spreads from the infected environment.

1. Abusing npm tokens

Using a stolen npm token from the compromised environment, it increments the patch version of packages the victim maintains, injects malicious shim code, and republishes them. It looks like a legitimate package update, so npm update will pull it in automatically.

2. Abusing GitHub tokens

It enumerates repositories accessible with the stolen GitHub token and injects a carrier dependency into package.json and the lockfile. It either commits directly or opens an automated PR.

3. SSH fallback

It abuses SSH_AUTH_SOCK to clone/push repositories—a fallback path when a GitHub token can’t be used.

Persistence

It installs malicious pre-commit/pre-push hooks and sets git config --global init.templateDir so new repositories automatically inherit the hooks. Once infected, every repository you create thereafter gets the hooks.

Polymorphic engine

An obfuscation engine powered by DeepSeek Coder was embedded in the code. It automatically renames variables and transforms string encodings to generate different code per specimen. It was disabled in the samples observed, but could be enabled in future versions. Attempts to embed an LLM into malware to achieve polymorphism suggest the attacker’s use of AI has entered a new phase.

Comparison with past npm supply-chain attacks

Case            Year      Entry method              Scope                                            Auto-propagation
event-stream    2018      Ownership transfer        Specific app (Copay)                             None
ua-parser-js    2021      Account takeover          All users                                        None
Shai-Hulud      Sep 2025  Phishing                  Packages totaling 2.6B downloads/week affected   None (removed in 2.5 hours)
Shai-Hulud 2.0  Nov 2025  Started via asyncapi/cli  796 packages compromised                         Destructive fallback
SANDWORM_MODE   Feb 2026  Typosquatting             AI developers as a priority target               Three worm paths + MCP injection

From event-stream to SANDWORM_MODE, the sophistication of attacks has clearly increased: from single-package takeovers to worm-like autonomous spread plus credential theft via AI tools. The trend of development tools themselves becoming an attack surface is no longer an exception; it is becoming the norm.

How to respond

Socket recommends the following actions:

  1. If any of the packages above are installed, remove them immediately
  2. Revoke npm access tokens and issue new ones
  3. Reissue GitHub personal access tokens
  4. Rotate all secrets in CI/CD pipelines
  5. Regenerate SSH keys
  6. Check AI tools’ MCP configuration files for suspicious entries
  7. Inspect .git/hooks/ and git config --global init.templateDir

Even if you only “might have been infected,” you should rotate credentials. In particular, MCP settings and git hooks are persistence mechanisms that are not removed just by uninstalling packages—don’t overlook them. For a broader view of security measures, see the roundup of attacks and defenses.