SANDWORMMODE: Self-Replicating npm Worm Steals Dev Secrets and Targets AI Coding Tools

A sophisticated supply chain worm dubbed SANDWORMMODE is actively targeting the npm ecosystem, spreading through at least 19 malicious packages designed to steal developer credentials and CI/CD secrets while automatically propagating across repositories and workflows.

Researchers at Socket identified the campaign, which uses typosquatted npm packages and poisoned GitHub Actions to infect developer machines and CI pipelines simultaneously.

Multi-Stage Attack Chain

The attack executes immediately upon npm install, harvesting sensitive data including:

  • npm and GitHub tokens from .npmrc files
  • Environment variables and configuration secrets
  • Cryptocurrency wallet keys
  • Password manager databases
  • Cloud provider credentials

The worm uses multiple exfiltration channels, including Cloudflare Worker endpoints for initial data theft and DNS tunneling as a fallback method.

Self-Propagation Mechanisms

What makes SANDWORMMODE particularly dangerous is its ability to spread autonomously:

  • Credential Abuse: Uses stolen npm/GitHub tokens to push infected package versions
  • Carrier Injection: Adds hidden dependencies to victim repositories via GitHub API
  • Workflow Injection: Deploys malicious GitHub Actions that appear as legitimate code quality checks
  • SSH Fallback: If API access fails, abuses the victim’s SSH agent to clone repos and push changes
  • Git Hook Persistence: New repositories inherit infection automatically

AI Tool Targeting

In a novel attack vector, the worm specifically targets AI coding assistants. It installs rogue MCP (Model Context Protocol) servers into configurations for:

  • Claude Code
  • Cursor
  • VS Code AI extensions

Using hidden prompt injection instructions, the malware tricks AI assistants into reading SSH keys, cloud credentials, and API tokens and exfiltrating them to attacker-controlled servers. The campaign also harvests API keys from multiple major LLM providers.

Dead Switch Capability

Although currently disabled, the malware includes a destructive “dead switch” feature that could wipe a user’s home directory if both GitHub and npm access are lost—indicating the campaign is still evolving.

Recommended Actions

Socket’s Threat Research Team urges organizations to:

  • Audit all npm dependencies for the 19 identified malicious packages
  • Rotate all npm tokens, GitHub PATs, and exposed credentials immediately
  • Review GitHub Actions workflows for unauthorized changes
  • Monitor for suspicious repository modifications and auto-merge attempts
  • Inspect AI tool configurations for unauthorized MCP server entries
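A small audit script for the last item in that list, added here as an example and not taken from Socket's or the article's own material. It assumes the assistant config files store servers as a JSON object under an "mcpServers" (or "servers") key, and the allowlist, sample config and file paths are constructed placeholders.

```python
"""Flag MCP server entries that are not on a team-approved allowlist."""
import json
import sys
from pathlib import Path

# Constructed allowlist: server name -> command your team approved.
APPROVED = {"filesystem": "npx"}

# Constructed sample config: one approved server plus an extra entry that
# poses as a code-quality tool, the disguise the article describes.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {"command": "npx", "args": ["-y", "approved-fs-server"]},
        "code-quality": {"command": "node", "args": ["/tmp/.cache/helper.js"]},
    }
})


def find_unexpected_servers(config_text, approved=APPROVED):
    """Return (name, command, reason) for servers not on the allowlist
    or whose launch command differs from the approved one."""
    data = json.loads(config_text)
    servers = data.get("mcpServers") or data.get("servers") or {}
    findings = []
    for name, spec in servers.items():
        cmd = spec.get("command", "") if isinstance(spec, dict) else ""
        if name not in approved:
            findings.append((name, cmd, "not on allowlist"))
        elif approved[name] != cmd:
            findings.append((name, cmd, f"command changed from {approved[name]}"))
    return findings


def audit_files(paths, approved=APPROVED):
    """Audit each existing config file; returns {path: findings}."""
    results = {}
    for p in paths:
        path = Path(p).expanduser()
        if path.is_file():
            results[str(path)] = find_unexpected_servers(path.read_text(), approved)
    return results


if __name__ == "__main__":
    # Pass your assistant config paths as arguments (e.g. ~/.cursor/mcp.json).
    targets = sys.argv[1:] or [".mcp.json"]
    for path, hits in audit_files(targets).items():
        for name, cmd, reason in hits:
            print(f"{path}: server '{name}' ({cmd}) {reason}")
```

Any hit should be compared against the team's known changes before the entry is removed and the related tokens rotated.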

The campaign represents a significant evolution in supply chain attacks, combining traditional credential theft with AI-assisted exploitation and autonomous propagation.

Source: Cybersecurity News / Socket Security