Cybersecurity researchers have uncovered what they claim is an active “Shai-Hulud-like” supply chain worm campaign that leverages a cluster of at least 19 malicious npm packages to enable credential harvesting and cryptocurrency key theft.
The campaign has been codenamed SANDWORM_MODE by supply chain security company Socket. Similar to previous waves of Shai-Hulud attacks, the malicious code embedded in the package siphons system information, access tokens, environment secrets, and API keys from the developer environment and leverages stolen npm and GitHub identities to automatically propagate and expand its reach.
“This sample retains the features of Shai-Hulud and adds DNS fallback, hook-based persistence, SSH propagation fallback, MCP server injection with built-in prompt injection targeting AI coding assistants, and GitHub API extraction with LLM API key collection,” the company said.
Below are the packages published to npm by two npm publisher aliases, official334 and javaorg.
claud-code@0.2.1cloude-code@0.2.1cloude@0.3.0 crypto-locale@1.0.0 crypto-reader-info@1.0.0 detect-cache@1.0.0 format-defaults@1.0.0hardhta@1.0.0 locale-loader-pro@1.0.0 naniod@1.0.0 node-native-bridge@1.0.0 opencraw@2026.2.17 parse-compat@1.0.0rimarf@1.0.0 scan-store@1.0.0 secp256@1.0.0 suport-color@1.0.1 veim@2.46.2 yarsg@18.0.1
We also identified four sleeper packages that do not contain any malicious functionality.
ethres iru-caches iruchache uudi
This package includes a weaponized GitHub action that collects CI/CD secrets and extracts them over HTTPS with DNS fallback, going beyond npm-based propagation. It also has a destructive routine that acts as a kill switch by triggering a wipe of your home directory if you lose access to GitHub or npm. The wiper function is currently turned off by default.
Another key component of this malware is the “McpInject” module that specifically targets AI coding assistants by deploying a malicious Model Context Protocol (MCP) server and injecting AI coding assistants into the tool configuration. The MCP server registers three seemingly innocuous tools masquerading as legitimate tool providers. Each tool has embedded prompt injections that read the contents of ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.aws/credentials, ~/.npmrc, and .env files and stage them in a local directory for later extraction.
This module targets Claude Code, Claude Desktop, Cursor, Microsoft Visual Studio Code (VS Code) Continue, and Windsurf. We also collect API keys for nine large-scale language model (LLM) providers: Anthropic, Cohere, Fireworks AI, Google, Grok, Mistral, OpenAI, Replicate, and Together.
In addition, the payload includes a polymorphic engine configured to call a local Ollama instance using the DeepSeek Coder model to rename variables, rewrite control flow, inject junk code, and encode strings to avoid detection. Although the engine is turned off in currently detected packages, the inclusion of this feature suggests that the operators intend to release further iterations of the malware in the future.
The entire attack chain unfolds in two stages. The first stage component retrieves credentials and cryptocurrency keys, then loads the second stage. This is followed by more detailed collection of credentials from password managers, worm-like propagation, MCP injection, and full exfiltration. The second stage will not become active until 48 hours have passed (up to an additional 48 hours of jitter per machine).
We recommend that users who have installed any of the aforementioned packages remove them immediately, rotate their npm/GitHub tokens and CI secrets, and check package.json, lockfiles, and .github/workflows/ for unexpected changes.
“Some feature flags and guardrails still suggest that threat actors are iterating on features (e.g., destructive routines in some builds and toggles to disable polymorphic rewrites),” Socket said. “However, the appearance of the same worm code in multiple typosquatting packages and publisher aliases indicates intentional distribution rather than an accidental release.”
“Destructive and propagating behavior remains a reality and the risks are high, so defenders must treat these packages as active compromise risks rather than benign test artifacts.”
This disclosure came as Veracode and JFrog detailed two other malicious npm packages named “buildrunner-dev” and “eslint-verify-plugin” respectively. These packages are designed to deliver remote access Trojans (RATs) targeting Windows, macOS, and Linux systems. The .NET malware deployed by buildrunner-dev is Pulsar RAT, an open source RAT distributed via a PNG image hosted on i.ibb.[.]Co., Ltd.
Eslint-verify-plugin, on the other hand, “deploys a sophisticated multi-step infection chain targeting macOS and Linux environments while masquerading as the legitimate ESLint utility,” JFrog said.
On Linux, the package deploys the Mythic C2 framework’s Poseidon agent. This facilitates a variety of post-exploitation functions, including file manipulation, credential retrieval, and lateral movement. The macOS infection sequence runs Apfell, a JavaScript for Automation (JXA) agent for macOS, performs extensive data collection, and creates a new macOS user with administrative privileges.
Some of the data stolen by the agent is:
System information System credentials via fake password dialog Google Chrome browser bookmarks Clipboard contents Files, login data, and bookmarks associated with iCloud Keychain and Chrome cookies File metadata
“The eslint-verify-plugin package is a direct example of how a malicious npm package can escalate from a simple installation hook to a system-wide compromise,” JFrog said. “By masquerading as a legitimate utility, the attackers were able to hide a multi-step infection chain.”
This finding also follows a report from Checkmarx, which flagged a rogue VS Code extension known as “solid281.” This extension disguises itself as the official Solidity extension, but hides secret functionality that automatically runs a highly obfuscated loader on application startup, dropping ScreenConnect on Windows, and a Python reverse shell on macOS and Linux machines.
“This reflects a broader pattern that other teams have reported, with Solidity developers appearing to be specifically targeted, including campaigns using fake Solidity extensions to install ScreenConnect and deploy subsequent payloads,” Checkmarx noted.
Source link
