Malicious npm Packages Harvest Crypto Keys, CI Secrets, and API Tokens
#Security

Security Reporter

Security researchers uncovered an active supply chain attack campaign distributing malicious npm packages designed to steal cryptographic keys, CI/CD secrets, and API tokens while propagating through compromised developer accounts.

Security researchers have exposed an ongoing supply chain attack campaign distributing at least 19 malicious npm packages that function as a "Shai-Hulud-like" worm. Dubbed SANDWORM_MODE by supply chain security firm Socket, these packages actively harvest sensitive credentials while automatically propagating through compromised npm and GitHub accounts.

The malicious packages contain sophisticated capabilities including:

  • Credential harvesting targeting SSH keys, AWS credentials, .npmrc files, and environment variables
  • GitHub Action-based theft of CI/CD pipeline secrets
  • Automated propagation using stolen npm/GitHub identities
  • Destructive kill switch for home directory wiping
  • Polymorphic code rewriting using local AI models (currently disabled)
  • Model Context Protocol (MCP) server injection targeting AI coding assistants

The MCP injection module specifically targets AI development tools including Claude Code, VS Code Continue, and Windsurf. As Socket researchers explained: "The sample retains Shai-Hulud hallmarks and adds GitHub API exfiltration with DNS fallback, hook-based persistence, SSH propagation fallback, MCP server injection with embedded prompt injection targeting AI coding assistants, and LLM API Key harvesting." The module stealthily harvests API keys for nine major AI providers including Anthropic, Cohere, Google AI, and OpenAI.

The attack operates in two stages: an initial credential harvesting phase followed by a secondary payload deployment after 48-96 hours that enables deeper system compromise. Researchers also identified related malicious packages:

  • buildrunner-dev: Delivers Pulsar RAT via image steganography
  • eslint-verify-plugin: Deploys Mythic C2 agents (Poseidon for Linux, Apfell for macOS)
  • solid281 VS Code extension: Drops ScreenConnect RAT and reverse shells

Affected Platforms

  • Node.js development environments
  • CI/CD pipelines (GitHub Actions)
  • AI-assisted development tools (VS Code with Continue, Claude Code, Windsurf, Cursor)
  • Windows, macOS, and Linux systems

Recommended Actions

  1. Immediately remove the identified malicious packages from every project and CI runner that installed them
  2. Rotate all npm and GitHub tokens, SSH keys, cloud credentials, and CI/CD secrets that were reachable from affected machines
  3. Audit package.json, lockfiles, and .github/workflows for unexpected changes
  4. Review the MCP server configuration of any AI coding assistant on affected machines for entries you did not add
  5. Monitor for suspicious processes reading SSH keys, .npmrc files, or other credential files
  6. Implement supply chain security tooling for dependency scanning

Socket warns: "The destructive and propagation behaviors remain real and high-risk. Defenders should treat these packages as active compromise risks rather than benign test artifacts." The discovery follows a pattern of escalating attacks against development infrastructure, with three separate research teams (Socket, Veracode/JFrog, and Checkmarx) identifying overlapping threats within days.
