A supply chain worm resembling earlier Shai-Hulud malware has been discovered spreading through malicious npm packages.
According to Socket’s Threat Research Team, the campaign, tracked as SANDWORM_MODE, has been identified across at least 19 npm packages published under two aliases, official334 and javaorg.
The operation builds on known supply chain tradecraft but adds a notable twist: direct interference with AI coding tools.
Researchers said the malware not only stole developer and CI credentials and propagated through compromised npm and GitHub accounts, but also injected rogue MCP servers into local AI assistant configurations and harvested API keys for nine large language model providers.
AI Tooling And Typosquatting Strategy
The worm primarily spread through typosquatting packages that impersonated widely used Node.js libraries and emerging AI development tools.
One example, suport-color@1.0.1, mimicked the legitimate supports-color package while preserving its expected behavior. Behind the scenes, it executed a concealed, multi-stage payload when imported.
Among the targets were tools linked to Claude Code and OpenClaw, the latter having recently surpassed 210,000 stars on GitHub.
The malware deployed a hidden MCP server into configurations for AI assistants such as Claude Desktop, Cursor, VS Code Continue and Windsurf. Embedded prompt injections instructed the assistant to quietly collect SSH keys, AWS credentials, npm tokens and environment variables containing secrets.
Multi-Stage Worm With CI Focus
The payload used layered obfuscation techniques including base64 encoding, zlib compression and AES-256-GCM encryption.
Stage 1 immediately harvested credentials and exfiltrates discovered crypto keys within seconds of installation.
Stage 2, delayed by 48 to 96 hours on developer machines but triggered instantly in CI environments, performed deeper harvesting and initiated propagation.
Exfiltration attempts followed a three-channel cascade:
-
HTTPS POST requests to a Cloudflare Worker endpoint
-
Uploads to attacker-controlled private GitHub repositories
-
DNS tunneling using a domain generation algorithm fallback
The worm could propagate by publishing infected npm packages, modifying repositories via the GitHub API and, if necessary, pushing changes through SSH.
Socket said it notified npm, GitHub and Cloudflare before publishing its findings. Cloudflare reportedly disabled associated infrastructure, npm removed the malicious packages and GitHub dismantled related repositories.
Developers who installed the affected packages are urged to rotate credentials and review repositories and CI workflows for unauthorized modifications.
