Malicious npm Packages Steal Crypto Keys and CI Secrets in SANDWORM_MODE Campaign

Home » News

Yash

News

2 min. read

Published on February 24, 2026

Cybersecurity firm Socket uncovered 19 malicious npm packages in the SANDWORM_MODE supply chain attack. These harvest crypto keys, CI secrets, API tokens, and target AI coding tools. The campaign evolves Shai-Hulud worms with GitHub propagation and MCP injection.

Packages like [email protected] and [email protected] use typosquatting. They grab system info, tokens, and npm/GitHub creds. A GitHub Action steals CI secrets via HTTPS or DNS fallback.

BEST WINTER DEALS

Editor's Choice

Private Internet Access

Access content across the globe at the highest speed rate.

70% of our readers choose Private Internet Access

70% of our readers choose ExpressVPN

ExpressVPN

Browse the web from multiple devices with industry-standard security protocols.

Nord VPN

Faster dedicated servers for specific actions (currently at summer discounts)

Malware waits 48-96 hours before stage 2 activates. It then spreads using stolen identities. A kill switch can wipe home directories if C2 fails.

Attack Capabilities

First stage captures basics like SSH keys and .env files. Second stage digs deeper into password managers and propagates.

McpInject targets Claude Code, Cursor, VS Code Continue. It runs fake MCP servers with prompt injection to exfiltrate ~/.ssh/id_rsa, AWS creds, npmrc.

Polymorphic engine uses local Ollama + DeepSeek Coder to rewrite code and evade scans. Currently disabled but ready.

Packages spread via official334 and javaorg publishers. Four sleepers (ethres, iru-caches) sit dormant.

Malware Features Table

Component	Targets	Exfiltration
Credential Harvest	SSH keys, .env, npmrc, AWS	HTTPS/DNS fallback
GitHub Action	CI/CD secrets	Stolen npm/GitHub tokens
McpInject	Claude, Cursor, VS Code	AI tool prompt injection
Propagation	npm publishes, SSH spread	Stolen identities
Polymorphic	Variable rename, junk code	Ollama + DeepSeek

AI coding assistants face new risks. Malicious MCP tools read sensitive files during normal use.

Veracode found buildrunner-dev dropping Pulsar RAT via PNG. JFrog’s eslint-verify-plugin deploys Poseidon (Linux) and Apfell (macOS).

Checkmarx flagged solid281 VS Code extension. It mimics Solidity but drops ScreenConnect or Python shells.

Remove suspect packages now. Rotate all tokens. Check workflows and lockfiles for changes.

FAQ

What is SANDWORM_MODE?

npm supply chain worm stealing creds and targeting AI tools. 19 packages identified by Socket.

Which packages to remove?

claud-code, crypto-locale, [email protected], and 17 more.

How does AI targeting work?

McpInject runs fake servers. Prompt injection grabs SSH/AWS keys via tools.

What triggers stage 2?

48+ hours delay with jitter. Then full propagation and exfil.

Other recent npm threats?

buildrunner-dev (Pulsar RAT), eslint-verify-plugin (Poseidon/Apfell), solid281 VS Code extension.

Yash

I am a Business Analytics student with a strong interest in publishing well-researched and data-driven news articles. I focus on analyzing trends in business, finance, and technology to create clear, accurate, and engaging content for readers. I enjoy transforming complex data and information into simple, meaningful stories that help audiences understand current developments. With analytical thinking and attention to detail, I aim to deliver credible and insightful news that adds real value to readers.

Readers help support VPNCentral. We may get a commission if you buy through our links.

Improve this guide

User forum

0 messages

Sort by:

Attack Capabilities

Malware Features Table

Related Threats

FAQ

Leave a Reply Cancel reply