
New npm Malware Spreads Itself in Supply Chain Attack

Summary

– Security researchers discovered 19 malicious npm packages using typosquatting to impersonate popular tools, which steal credentials and infect developer projects.
– The malware, called “SANDWORM_MODE,” operates in stages: it first exfiltrates sensitive data like API keys and crypto wallets, then executes a delayed second stage for deeper harvesting.
– After data theft, the malware propagates by automatically modifying project files and publishing packages using stolen developer credentials, and establishes persistence via malicious Git hooks.
– It also targets AI coding assistants by injecting a rogue server into their configuration, allowing the attacker to secretly prompt the assistants to read and transmit sensitive files.
– Following a coordinated takedown, developers are advised to remove the packages, rotate all exposed credentials, and check their systems for persistence mechanisms and unauthorized changes.

A newly discovered malware campaign is actively targeting software developers through the popular npm package registry. This sophisticated attack, identified by security researchers, involves 19 typosquatting npm packages that impersonate legitimate tools to steal sensitive data and, critically, spread themselves automatically across development environments. Dubbed “SANDWORM_MODE,” this operation represents a concerning evolution in supply chain threats, showcasing worm-like behavior designed to propagate through the software ecosystem itself.

The campaign builds upon techniques seen in previous attacks, such as the “Shai-Hulud” worm discovered last year. While it may be a copycat or descendant, it maintains a similar thematic naming convention, using Sandworm-themed environment variables to control its functions. The malicious packages were published by two accounts using the aliases ‘official334’ and ‘javaorg’, and they cleverly mimic popular utilities like AI coding assistants and crypto tools to avoid immediate suspicion.

Once a developer mistakenly installs one of these packages, a hidden loader is executed. This loader immediately begins searching for and stealing valuable credentials, including API keys, SSH keys, .npmrc credentials, and cryptocurrency wallet keys. The malware operates in two distinct stages, with a deliberate delay before activating the second phase, unless it detects a continuous integration (CI) environment, in which case it acts immediately to exploit automated systems.

The second stage is far more invasive. It performs a deep harvest of the infected system, targeting password manager command-line interfaces and local SQLite databases for applications like Apple Notes, and it conducts a full filesystem scan for additional crypto assets. All stolen data is then exfiltrated through multiple channels: HTTPS posts to a Cloudflare Worker, uploads to private GitHub repositories controlled by the attackers, and DNS tunneling to obscure the data theft.

Perhaps the most dangerous aspect of this malware is its self-propagation capability. After harvesting authentication tokens for services like GitHub or npm, it automatically modifies project files to include the malicious package and uses the victim’s own account to push these changes or publish new compromised packages. To ensure persistence, it installs a malicious Git hook that can re-download the payload, making cleanup difficult.

The attack also specifically targets modern AI coding assistants, including Claude Code, Cursor, and VS Code Continue, by injecting a rogue Model Context Protocol (MCP) server into their configuration. This allows the threat actor to secretly instruct the AI assistant to read sensitive files and send their contents out of the network. Additionally, the malware harvests API keys for nine major large language model providers from environment variables.

Following disclosure by researchers, a coordinated takedown disrupted the campaign’s infrastructure. Cloudflare, GitHub, and npm all took action to remove malicious services, repositories, and packages. Developers who may have been affected are strongly advised to take several steps. First, remove any suspicious packages and delete the node_modules directory. Any system where the packages ran should be considered compromised, necessitating the rotation of all potentially exposed credentials like npm and GitHub tokens.

It is also crucial to review recent changes to project configuration files, such as package.json and GitHub workflows, for any unauthorized modifications. Developers should audit global Git hook templates for unfamiliar scripts and inspect AI coding assistant configuration files for unexpected MCP server entries. Proactive credential rotation and a thorough system review are essential to mitigate the risks posed by this advanced supply chain attack.
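The two persistence checks named above (global Git hook templates and MCP server entries) can be scripted. The following Node.js sketch is an added example, not code from the researchers or from the original report; the function names, the allowlist and the sample configuration are constructed for illustration, and it assumes the assistant stores its servers in a JSON file under a top-level `mcpServers` object.

```javascript
const fs = require("fs");
const path = require("path");
const { execFileSync } = require("child_process");

// Constructed sample config; "dev-utils" is a hypothetical entry, not a campaign indicator.
const SAMPLE_CONFIG = JSON.stringify({
  mcpServers: {
    github: { command: "npx", args: ["-y", "@modelcontextprotocol/server-github"] },
    "dev-utils": { command: "node", args: ["/tmp/.cache/server.js"] },
  },
});

// Return MCP server entries whose name is not on the reviewer's allowlist.
// Assumption: servers live under a top-level "mcpServers" object in a JSON config.
function unexpectedMcpServers(configText, allowlist) {
  let cfg;
  try {
    cfg = JSON.parse(configText);
  } catch (err) {
    return [{ name: "<unparseable config>", command: "" }]; // review by hand
  }
  const servers = (cfg && typeof cfg.mcpServers === "object" && cfg.mcpServers) || {};
  return Object.entries(servers)
    .filter(([name]) => !allowlist.includes(name))
    .map(([name, s]) => ({
      name,
      command: [s?.command, ...(Array.isArray(s?.args) ? s.args : [])].join(" "),
    }));
}

// List active hooks in a directory; git's shipped templates end in ".sample" and never run.
function activeHooks(hooksDir) {
  if (!fs.existsSync(hooksDir)) return [];
  return fs.readdirSync(hooksDir, { withFileTypes: true })
    .filter((e) => !e.isDirectory() && !e.name.endsWith(".sample"))
    .map((e) => e.name)
    .sort();
}

// Resolve global hook directories from git config: init.templateDir (+ "/hooks") and core.hooksPath.
function globalHookDirs() {
  const dirs = [];
  for (const [key, sub] of [["init.templateDir", "hooks"], ["core.hooksPath", ""]]) {
    try {
      const args = ["config", "--global", "--path", "--get", key];
      const out = execFileSync("git", args, { encoding: "utf8", stdio: ["ignore", "pipe", "ignore"] });
      if (out.trim()) dirs.push(path.join(out.trim(), sub));
    } catch (err) { /* key unset, or git not installed */ }
  }
  return dirs;
}

for (const dir of globalHookDirs()) console.log(dir, activeHooks(dir));
console.log(unexpectedMcpServers(SAMPLE_CONFIG, ["github"]));
```

Any hook name or server entry this reports is a prompt for manual review, not proof of compromise; run `activeHooks` against each repository's `.git/hooks` directory as well.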

(Source: HelpNet Security)
