Security researchers have recently identified a new supply chain attack targeting the NPM registry. The attack, known as Sandworm Mode, spreads in a worm-like manner and poses a significant threat to developers.
Overview of Sandworm Mode
The attack was executed through 19 packages, which were released under two aliases. These packages employed typosquatting techniques to deceive developers into running the harmful code. The cybersecurity firm Socket has noted similarities between this attack and the Shai-Hulud campaign, which affected approximately 800 NPM packages in late 2025.
Sandworm Mode exploits stolen NPM and GitHub credentials to propagate. It uses a specially crafted GitHub Action to extract and exfiltrate continuous integration (CI) secrets, inject dependencies, and alter workflows in repositories.
Targeted Packages and Techniques
The malicious packages, now removed from the registry, mimicked popular developer utilities, cryptocurrency tools, and AI coding utilities like Claude Code and OpenClaw. The attack further weaponizes AI coding assistants by installing a rogue MCP server aimed at tools such as Claude Code, Cursor, Continue, and Windsurf.
Using prompt injection, the attacker exfiltrates SSH keys, AWS credentials, NPM tokens, and other sensitive data. The attack also collects API keys from large language model providers, scrutinizes environment variables, and validates .env files.
Implications and Recommendations
The Sandworm Mode attack is a multi-stage process. It first extracts credentials and crypto keys, then moves on to comprehensive secret harvesting from password managers, MCP server injection, persistence through Git hooks, worm propagation, and multi-channel exfiltration.
This two-phase process is strategic: the immediate theft of crypto keys causes significant financial harm, while noisier operations are delayed to circumvent brief sandbox analyses, according to Socket.
Developers are advised to uninstall any malicious packages, review their packages for recent JSON file changes, rotate GitHub and NPM credentials and tokens, and inspect repositories for unexpected workflows. These measures are crucial in mitigating the risks posed by this sophisticated attack.
For further protection, developers should remain vigilant about similar threats and continually update their security practices to prevent future incidents.
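The review steps recommended above can be scripted as a first-pass triage of a checkout. The following is an added example, not code from Socket or from the original article: it lists active Git hooks (the persistence point named above), a repository-level core.hooksPath override, and workflow or manifest files modified recently. The function name, the 30-day window, and the reading of "JSON files" as package.json and package-lock.json are assumptions.

```python
import os
import time

MANIFESTS = {"package.json", "package-lock.json"}  # assumption: the JSON files worth reviewing


def _recent(path, cutoff):
    try:
        return os.path.getmtime(path) >= cutoff
    except OSError:  # broken symlink or unreadable file
        return False


def audit_repo(root, days=30, now=None):
    """Walk a source tree and list active Git hooks, a core.hooksPath override,
    and workflow or manifest files modified within the last `days` days."""
    cutoff = (time.time() if now is None else now) - days * 86400
    found = {"git_hooks": [], "hooks_path_override": [],
             "recent_workflows": [], "recent_manifests": []}
    for dirpath, dirnames, filenames in os.walk(root):
        if ".git" in dirnames:
            git_dir = os.path.join(dirpath, ".git")
            hooks = os.path.join(git_dir, "hooks")
            if os.path.isdir(hooks):
                # Git ships inert *.sample files; any other file here runs on Git events.
                found["git_hooks"] += [os.path.join(hooks, n)
                                       for n in sorted(os.listdir(hooks))
                                       if not n.endswith(".sample")]
            config = os.path.join(git_dir, "config")
            if os.path.isfile(config):
                with open(config, encoding="utf-8", errors="replace") as fh:
                    # core.hooksPath relocates hooks, so the directory check above would miss them.
                    if "hookspath" in fh.read().lower():
                        found["hooks_path_override"].append(config)
        # Do not descend into Git internals or installed dependencies.
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        in_workflows = dirpath.replace(os.sep, "/").endswith(".github/workflows")
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if not _recent(path, cutoff):
                continue
            if in_workflows and name.endswith((".yml", ".yaml")):
                found["recent_workflows"].append(path)
            elif name in MANIFESTS:
                found["recent_manifests"].append(path)
    return found


if __name__ == "__main__":
    import json, sys
    print(json.dumps(audit_repo(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

File modification times are reset by a fresh clone or checkout, so treat the "recent" lists as a hint and confirm each hit against the repository's commit history. A hook or hooksPath entry is not malicious in itself; the output is a list of files to read, not a verdict.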
