Security researchers have uncovered a new supply chain attack targeting the NPM registry with malicious code that exhibits worm-like propagation capabilities. Named Sandworm_Mode, the attack was deployed through 19 packages published under two aliases, which relied on typosquatting to trick developers into executing the malicious code. According to cybersecurity firm Socket, the attack bears the hallmarks of the Shai-Hulud campaign that hit roughly 800 NPM packages in September and November 2025.[1]
Sandworm_Mode abuses stolen NPM and GitHub credentials for propagation and relies on a weaponized GitHub Action to harvest and exfiltrate CI secrets and to inject dependencies and workflows into repositories. The malicious packages, all of which have been removed from the registry, rely on typosquatting to pose as popular developer utilities, crypto tools, and AI coding utilities, such as Claude Code and OpenClaw.
To weaponize AI coding assistants, the malicious code installs a rogue MCP server (targeting Claude Code, Cursor, Continue, and Windsurf) and relies on prompt injection to exfiltrate SSH keys, AWS credentials, NPM tokens, and other secrets. The code also harvests API keys for LLM providers, environment variables, and .env files, and validates them. Additionally, it calls a local Ollama instance to modify variable names, rewrite control flows, insert decoy code, and encode strings.
Sandworm_Mode executes a multi-stage attack, where the initial credential and crypto key exfiltration is followed by deep harvesting of secrets from password managers, MCP server injection, persistence via Git hooks, worm propagation, and multi-channel exfiltration. “This two-phase design is deliberate: the most financially damaging operation, crypto key theft, runs instantly and unconditionally, while the noisier operations are deferred to evade short-lived sandbox analysis,” Socket explains. The code also includes a configurable but inactive dead switch capability to trigger home-directory wiping when access to GitHub and NPM is lost.
Like Shai-Hulud, Sandworm_Mode propagates by infecting existing packages but can also use carrier packages for propagation, adding a dependency reference to trigger a GitHub Actions pull request workflow and harvest and exfiltrate all repository secrets, Endor Labs explains. Developers are advised to remove any malicious packages they might have installed, check their packages for recent changes to JSON files, rotate all GitHub and NPM credentials, tokens, and CI secrets, and check for unexpected workflows.
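The repository checks advised above (unexpected workflows, changed package JSON files) and the Git hook persistence mentioned earlier can be scripted for a first triage pass. The Python below is an added example, not code from Socket, Endor Labs, or the original article; the function names, the regex heuristic for workflows, the focus on package.json, and the use of HEAD~1 as the reviewed baseline are assumptions.

```python
import json
import re
import subprocess
import sys
from pathlib import Path

DEP_KEYS = ("dependencies", "devDependencies", "optionalDependencies")

def active_hooks(repo):
    """Git runs any non-.sample file in .git/hooks; list them for manual review."""
    hooks = Path(repo, ".git", "hooks")
    if not hooks.is_dir():
        return []
    return sorted(p.name for p in hooks.iterdir()
                  if p.is_file() and p.suffix != ".sample")

def risky_workflows(repo):
    """Workflows that trigger on pull requests and also read secrets (heuristic)."""
    found = []
    wf_dir = Path(repo, ".github", "workflows")
    for wf in sorted(wf_dir.glob("*.y*ml")) if wf_dir.is_dir() else []:
        text = wf.read_text(errors="replace")
        if re.search(r"\bpull_request(_target)?\b", text) and re.search(r"\bsecrets\b", text):
            found.append(wf.name)
    return found

def changed_dependencies(baseline_text, current_text):
    """Dependencies added or re-pointed since a reviewed package.json baseline."""
    old, new = json.loads(baseline_text), json.loads(current_text)
    changes = {}
    for key in DEP_KEYS:
        before, after = old.get(key, {}), new.get(key, {})
        for name, spec in after.items():
            if before.get(name) != spec:
                changes[name] = (before.get(name), spec)  # (old spec, new spec)
    return changes

def audit(repo, baseline_text):
    """Run all three checks and return the findings as one dict."""
    current = Path(repo, "package.json").read_text()
    return {"hooks": active_hooks(repo), "workflows": risky_workflows(repo),
            "dependencies": changed_dependencies(baseline_text, current)}

if __name__ == "__main__":
    repo = sys.argv[1] if len(sys.argv) > 1 else "."
    # Assumption: HEAD~1 is the last reviewed commit; substitute a known-good ref.
    base = subprocess.run(["git", "-C", repo, "show", "HEAD~1:package.json"],
                          capture_output=True, text=True, check=True).stdout
    print(json.dumps(audit(repo, base), indent=2))
```

Every finding is a prompt for manual review rather than a verdict: legitimate hooks and pull request workflows that use secrets will also be listed.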
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information (CTI) via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
- Weekly Cyber Intelligence Briefings (REDSHORTS): https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.securityweek.com/new-sandworm_mode-supply-chain-attack-hits-npm/