Hacking

Malicious npm Packages Spread Worm-Like Stealer & RATs

Published  ·  3 min read

Cybersecurity firm Socket has uncovered an active supply-chain worm campaign codenamed SANDWORM_MODE that abuses at least 19 malicious npm packages to harvest credentials, steal cryptocurrency keys, and inject malicious servers into AI coding assistants.

The packages published under two aliases, official334 and javaorg, mimic legitimate tools and libraries. They include:
1. [email protected]
2. [email protected]
3. [email protected]
4. [email protected]
5. [email protected]
6. [email protected]
7. [email protected]
8. [email protected]
9. [email protected]
10. [email protected]
11. [email protected]
12. [email protected]
13. [email protected]
14. [email protected]
15. [email protected]
16. [email protected]
17. [email protected]
18. [email protected]
19. [email protected]

Four additional "sleeper" packages (ethres, iru-caches, iruchache, uudi) contain no active malice yet, likely reserved for future activation.

Core Capabilities
The malware retains hallmarks of prior Shai-Hulud waves but adds:
1. GitHub API exfiltration with DNS fallback
2. Hook-based persistence
3. SSH propagation fallback
4. McpInject module ; deploys a malicious Model Context Protocol (MCP) server that targets AI coding assistants (Claude Code, Claude Desktop, Cursor, VS Code Continue, Windsurf)
5. Prompt injection to exfiltrate ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.aws/credentials, ~/.npmrc, and .env files
6. Harvests API keys from nine LLM providers (Anthropic, Cohere, Fireworks AI, Google, Grok, Mistral, OpenAI, Replicate, Together)
7. Polymorphic engine (disabled in current samples) that uses local Ollama + DeepSeek Coder to obfuscate code (rename variables, rewrite control flow, insert junk, encode strings)

Infection Chain
1. First stage ; Captures credentials and crypto keys, loads second stage after 48-hour delay (+ per-machine jitter up to 48 more hours).
2. Second stage ; Deeper harvesting (password managers), worm-like propagation (abuses stolen npm/GitHub identities), MCP injection for AI assistants, full exfiltration.
3. Kill switch ; Destructive routine can wipe home directory if GitHub/npm access is lost (off by default in detected samples).

Socket warns the campaign shows deliberate, intentional distribution , not accidental release  with feature flags indicating ongoing iteration (e.g., toggles for destructive routines or polymorphism).

Related npm & Extension Threats
1. Veracode & JFrog flagged buildrunner-dev and eslint-verify-plugin delivering Pulsar RAT (Windows) and Mythic/Apfell agents (Linux/macOS) , including fake password dialogs, Chrome data theft, clipboard capture, screenshots, and macOS admin user creation.
2. The rogue VS Code extension solid281 pretends that it's a genuine Solidity plugin. When it starts, it runs an obfuscated loader and drops either ScreenConnect (for Windows) or a Python reverse shell (for macOS/Linux).

Actions Required
1. Immediately delete any of the packages listed (npm uninstall )
2. Rotate npm/GitHub tokens, CI/CD secrets, SSH keys, AWS Credentials, and LLM API keys.
3. Audit your package.json, lockfiles, and .github/workflows/ for unexpected changes.
4. Look for MCP servers, prompt-injection artifacts, or anomalous outbound connections to any AI related domains.
5. Verify if there are any home directory wipe routines, or unusual Ollama/DeepSeek usage.

This campaign illustrates the way in which supply chain attacks are changing by attacking programmers in a mass manner.

They are now not only stealing credentials, but also stealing entire AI agent contexts and stealing LLM keys. With polymorphic capabilities on the horizon, defenders should treat these packages as active compromise risks.

Source: The Hacker News

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067