Researchers have identified a new supply chain worm campaign dubbed SANDWORM_MODE that uses 19 malicious npm packages to steal credentials and cryptocurrency keys. The malware spreads by hijacking developer identities on GitHub and npm while using advanced techniques like prompt injection to target AI coding assistants and harvest sensitive environment secrets.
Security experts at Socket have linked this active campaign to the Shai-Hulud threat family due to its self-propagating nature and focus on developer environments. The attack leverages packages published under the aliases official334 and javaorg to siphon system information, access tokens, and API keys. Unlike simpler threats, this campaign is designed to automatically extend its reach by abusing stolen identities to publish further malicious updates.
The technical complexity of the malware is high, featuring a new module that specifically targets AI-powered coding tools. By deploying a malicious Model Context Protocol server, the worm registers fake tools that use prompt injection to trick AI assistants into reading private SSH keys, AWS credentials, and environment files. This data is then staged locally, allowing the attackers to bypass standard security filters by using the AI’s own capabilities against the user.
Beyond local theft, the campaign employs a weaponized GitHub Action to harvest secrets from CI/CD pipelines. To ensure the stolen data reaches its destination, the malware utilizes HTTPS exfiltration with a DNS fallback mechanism in case primary connections are blocked. The code also includes hook-based persistence and SSH-based propagation, ensuring that the worm can move laterally through a network even if npm-based spreading is restricted.
The researchers discovered that while 19 packages are actively malicious, four others appear to be sleeper packages held in reserve for future phases of the attack. A destructive kill switch is also embedded in the code, capable of wiping a user’s entire home directory if the malware loses access to its command servers. While this wiper functionality is currently disabled, its presence suggests the attackers are prepared to cover their tracks or cause significant damage if discovered.
Source: Malicious Npm Packages Steal Crypto Keys, Ci Secrets, And Api Tokens