SecurityWeek

New ‘Sandworm_Mode’ Supply Chain Attack Hits NPM

The malicious code propagates like a worm, poisons AI assistants, exfiltrates secrets, and contains a destructive dead switch.

Security researchers have uncovered a new supply chain attack targeting the NPM registry with malicious code that exhibits worm-like propagation capabilities.

Dubbed Sandworm_Mode, the attack was deployed through 19 packages published under two aliases, which relied on typosquatting to trick developers into executing the malicious code.

According to cybersecurity firm Socket, the attack bears the hallmarks of the Shai-Hulud campaign that hit roughly 800 NPM packages in September and November 2025.

Sandworm_Mode abuses stolen NPM and GitHub credentials for propagation and relies on a weaponized GitHub Action to harvest and exfiltrate CI secrets and to inject dependencies and workflows into repositories.

The malicious packages, all of which have been removed from the registry, rely on typosquatting to pose as popular developer utilities, crypto tools, and AI coding utilities, such as Claude Code and OpenClaw.

To weaponize AI coding assistants, the malicious code installs a rogue MCP server (targeting Claude Code, Cursor, Continue, and Windsurf) and relies on prompt injection for the exfiltration of SSH keys, AWS credentials, NPM tokens, and other secrets.

The code also harvests API keys for LLM providers, environment variables, and .env files, and validates them.

Additionally, it calls a local Ollama instance to modify variable names, rewrite control flows, insert decoy code, and encode strings.

Sandworm_Mode executes a multi-stage attack, where the initial credential and crypto key exfiltration is followed by deep harvesting of secrets from password managers, MCP server injection, persistence via Git hooks, worm propagation, and multi-channel exfiltration.

“This two-phase design is deliberate: the most financially damaging operation, crypto key theft, runs instantly and unconditionally, while the noisier operations are deferred to evade short-lived sandbox analysis,” Socket explains.

The code also contains a configurable but inactive dead switch that can trigger home-directory wiping when access to GitHub and NPM is lost.

Like Shai-Hulud, Sandworm_Mode propagates by infecting existing packages, but it can also use carrier packages for propagation, adding a dependency reference to trigger a pull request workflow in GitHub Actions and to harvest and exfiltrate all repository secrets, Endor Labs explains.

Developers are advised to remove any of the malicious packages they might have installed, check their packages for recent changes to JSON files, rotate all GitHub and NPM credentials, tokens, and CI secrets, and check for unexpected workflows.
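The repository checks in that advice (changed package JSON, unexpected workflows, and the Git-hook persistence described earlier) can be scripted as below. This is an added example, not code from SecurityWeek, Socket, or Endor Labs; it assumes you have a known-good copy of `package.json` and a reviewed list of workflow file names, and every package, hook, and workflow name in it is a constructed placeholder.

```python
import json
import tempfile
from pathlib import Path

DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")

def changed_dependencies(baseline: dict, current: dict) -> dict:
    """Return {section/name: (old_spec, new_spec)} for deps added or re-pointed since baseline."""
    changes = {}
    for section in DEP_SECTIONS:
        old, new = baseline.get(section, {}), current.get(section, {})
        for name, spec in new.items():
            if old.get(name) != spec:
                changes[f"{section}/{name}"] = (old.get(name), spec)
    return changes

def active_git_hooks(repo: Path) -> list:
    """Hooks Git will run from .git/hooks: files without the .sample suffix.
    A custom core.hooksPath is not followed here and must be checked separately."""
    hooks = repo / ".git" / "hooks"
    found = (p.name for p in hooks.iterdir() if p.is_file() and p.suffix != ".sample")
    return sorted(found) if hooks.is_dir() else []

def unexpected_workflows(repo: Path, expected: set) -> list:
    """Workflow files present in the repo but absent from the reviewed allow-list."""
    wf = repo / ".github" / "workflows"
    found = (p.name for p in wf.iterdir() if p.suffix in (".yml", ".yaml") and p.name not in expected)
    return sorted(found) if wf.is_dir() else []

def audit(repo: Path, baseline_manifest: dict, expected_workflows: set) -> dict:
    current = json.loads((repo / "package.json").read_text(encoding="utf-8"))
    return {
        "dependencies": changed_dependencies(baseline_manifest, current),
        "git_hooks": active_git_hooks(repo),
        "workflows": unexpected_workflows(repo, expected_workflows),
    }

def build_sample_repo(root: Path) -> Path:
    """Constructed fixture: one added dependency, one live hook, one unreviewed workflow."""
    (root / ".git" / "hooks").mkdir(parents=True)
    (root / ".git" / "hooks" / "pre-commit.sample").write_text("#!/bin/sh\n")
    (root / ".git" / "hooks" / "pre-push").write_text("#!/bin/sh\n")
    (root / ".github" / "workflows").mkdir(parents=True)
    for name in ("ci.yml", "placeholder-added.yml"):
        (root / ".github" / "workflows" / name).write_text("on: pull_request\n")
    manifest = {"name": "demo", "dependencies": {"example-lib": "1.3.0", "placeholder-carrier-pkg": "^1.0.0"}}
    (root / "package.json").write_text(json.dumps(manifest))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(build_sample_repo(Path(tmp)), {"dependencies": {"example-lib": "1.3.0"}}, {"ci.yml"}))
```

Any entry in the report is a prompt for manual review, not proof of compromise; a legitimate hook manager or a newly merged workflow will appear here too.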

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
