An emerging npm supply chain attack that infects repos, steals CI secrets, and targets developer AI toolchains for further compromise.

Socket

Socket's Threat Research Team has uncovered SANDWORM_MODE, an active npm supply chain worm campaign spanning at least 19 malicious packages published under two aliases. The worm uses typosquatting to impersonate popular Node.js utilities and AI coding tools (including Claude Code and OpenClaw), then executes a multi-stage payload that harvests developer and CI credentials, exfiltrates data via HTTPS, GitHub API, and DNS tunneling, and propagates by abusing stolen npm/GitHub tokens. A novel capability injects rogue MCP servers into AI coding assistant configs (Claude Code, Cursor, VS Code Continue, Windsurf) with embedded prompt injections that silently steal SSH keys, AWS credentials, and API keys for nine LLM providers. The worm also plants malicious GitHub Actions workflows, persists via global git hook templates, and includes a dormant polymorphic engine designed to use a local Ollama instance for self-rewriting. A destructive dead switch (currently disabled) can wipe the user's home directory if exfiltration and propagation channels are lost. npm has removed the packages and GitHub has taken down the associated infrastructure.

SANDWORM_MODE: Shai-Hulud-Style npm Worm Hijacks CI Workflow...

Public GitHub Action: ci-quality/code-quality-check #

Indicators of Compromise and Detection Artifacts #