Feb 24
/
Latest News
New "SANDWORM_MODE" Malware Worm Targets Developers via Malicious npm Packages
Security researchers at Socket have identified a sophisticated new supply chain attack targeting software developers through a series of 19 "typosquatting" packages published on the npm registry. The campaign, dubbed “SANDWORM_MODE,” marks a rare and concerning shift toward worm-like malware specifically designed to self-propagate through development environments rather than traditional end-user systems. By impersonating popular utilities—including AI coding tools like Claude Code and various cryptocurrency libraries—the malicious packages maintain the expected functionality of the original software to avoid detection while quietly compromising the host.
The operation was uncovered by the Socket research team, who noted that the campaign appears to be a successor or high-fidelity copycat of last year’s “Shai-Hulud” worm. This latest iteration utilizes Dune-themed environment variables to control its behavior and is published under the aliases official334 and javaorg. Once a developer unknowingly imports a compromised package, the malware executes a hidden loader that immediately begins exfiltrating sensitive data. Cryptocurrency wallet keys are the first to be targeted, often stolen within seconds of installation, followed by SSH keys, API tokens, and .npmrc credentials.
To evade automated detection, the malware employs a strategic delay. On standard developer machines, the second stage of the attack is paused for 48 to 96 hours. However, if the loader detects a Continuous Integration (CI) environment, such as GitHub Actions, Jenkins, or CircleCI, it bypasses the delay to strike immediately. This second stage performs a deep harvest of the system, targeting password managers like Bitwarden and 1Password, as well as local databases from Apple Notes and macOS Messages. Stolen data is then funneled out through a sophisticated triple-channel system involving Cloudflare Workers, authenticated GitHub API uploads, and DNS tunneling.
Beyond simple data theft, "SANDWORM_MODE" is built for persistence and expansion. The malware scans local machines for Git credentials to automatically inject malicious code into the victim’s own projects, effectively using the developer's account to push the infection to other users. It also installs malicious Git hooks to ensure the payload re-executes even after a cleanup attempt. In a modern twist, the researchers found the worm specifically targets AI coding assistants like Cursor and Claude Desktop by injecting rogue Model Context Protocol (MCP) servers. This allows attackers to manipulate the AI to leak sensitive files or follow hidden instructions.
Following the discovery, a coordinated response from Cloudflare, GitHub, and npm has successfully disrupted the campaign’s infrastructure and removed the malicious packages. Security experts are advising any developers who may have interacted with the suspicious libraries to delete their node_modules directories, rotate all credentials—including GitHub and npm tokens—and audit their global Git hooks and AI assistant configurations for unauthorized entries. While the current version of the malware contains a self-mutation system that remained inactive, its presence suggests that future iterations of the worm may become even harder to track.
The operation was uncovered by the Socket research team, who noted that the campaign appears to be a successor or high-fidelity copycat of last year’s “Shai-Hulud” worm. This latest iteration utilizes Dune-themed environment variables to control its behavior and is published under the aliases official334 and javaorg. Once a developer unknowingly imports a compromised package, the malware executes a hidden loader that immediately begins exfiltrating sensitive data. Cryptocurrency wallet keys are the first to be targeted, often stolen within seconds of installation, followed by SSH keys, API tokens, and .npmrc credentials.
To evade automated detection, the malware employs a strategic delay. On standard developer machines, the second stage of the attack is paused for 48 to 96 hours. However, if the loader detects a Continuous Integration (CI) environment, such as GitHub Actions, Jenkins, or CircleCI, it bypasses the delay to strike immediately. This second stage performs a deep harvest of the system, targeting password managers like Bitwarden and 1Password, as well as local databases from Apple Notes and macOS Messages. Stolen data is then funneled out through a sophisticated triple-channel system involving Cloudflare Workers, authenticated GitHub API uploads, and DNS tunneling.
Beyond simple data theft, "SANDWORM_MODE" is built for persistence and expansion. The malware scans local machines for Git credentials to automatically inject malicious code into the victim’s own projects, effectively using the developer's account to push the infection to other users. It also installs malicious Git hooks to ensure the payload re-executes even after a cleanup attempt. In a modern twist, the researchers found the worm specifically targets AI coding assistants like Cursor and Claude Desktop by injecting rogue Model Context Protocol (MCP) servers. This allows attackers to manipulate the AI to leak sensitive files or follow hidden instructions.
Following the discovery, a coordinated response from Cloudflare, GitHub, and npm has successfully disrupted the campaign’s infrastructure and removed the malicious packages. Security experts are advising any developers who may have interacted with the suspicious libraries to delete their node_modules directories, rotate all credentials—including GitHub and npm tokens—and audit their global Git hooks and AI assistant configurations for unauthorized entries. While the current version of the malware contains a self-mutation system that remained inactive, its presence suggests that future iterations of the worm may become even harder to track.
Executive IT Forums, Inc.
Educational Programs on Information Technology, Governance, Risk Management, & Compliance (GRC).
Our Newsletter
Get regular updates on CPE programs, news, and more.
Thank you!
Copyright © 2026 Executive IT Forums, Inc. All Rights Reserved.
Get started
Let us introduce our school
Write your awesome label here.