Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Sandworm Mode: New NPM Supply Chain Attack Uncovered

Sandworm Mode: New NPM Supply Chain Attack Uncovered

Posted on February 24, 2026 By CWS

Security researchers have recently identified a new supply chain attack targeting the NPM registry. This attack, known as Sandworm Mode, is characterized by its ability to spread in a worm-like manner, posing significant threats to developers.

Overview of Sandworm Mode

The attack was executed through 19 packages, which were released under two aliases. These packages employed typosquatting techniques to deceive developers into running the harmful code. The cybersecurity firm Socket has noted similarities between this attack and the Shai-Hulud campaign, which affected approximately 800 NPM packages in late 2025.

Sandworm Mode exploits stolen NPM and GitHub credentials to propagate. It uses a specially crafted GitHub Action to extract and exfiltrate continuous integration (CI) secrets, inject dependencies, and alter workflows in repositories.

Targeted Packages and Techniques

The malicious packages, now removed from the registry, mimicked popular developer utilities, cryptocurrency tools, and AI coding utilities like Claude Code and OpenClaw. The attack further weaponizes AI coding assistants by installing a rogue MCP server aimed at tools such as Claude Code, Cursor, Continue, and Windsurf.

By using prompt injection, the attacker manages to exfiltrate SSH keys, AWS credentials, NPM tokens, and other sensitive data. It also collects API keys from large language model providers, scrutinizes environment variables, and validates .env files.

Implications and Recommendations

The Sandworm Mode attack involves a multi-stage process. Initially, it extracts credentials and crypto keys, followed by comprehensive secret harvesting from password managers, MCP server injection, persistence through Git hooks, worm propagation, and multi-channel exfiltration.

This two-phase process is strategic: the immediate theft of crypto keys causes significant financial harm, while noisier operations are delayed to circumvent brief sandbox analyses, according to Socket.

Developers are advised to uninstall any malicious packages, review their packages for recent JSON file changes, rotate GitHub and NPM credentials and tokens, and inspect for unexpected workflows. These measures are crucial in mitigating the risks posed by this sophisticated attack.

For further protection, developers should remain vigilant about similar threats and continually update their security practices to prevent future incidents.

Security Week News Tags:AI security, Cybersecurity, developer tools, GitHub, malicious code, NPM, Sandworm Mode, Socket, supply chain attack, typosquatting

Post navigation

Previous Post: Reddit Faces £14.47 Million Fine for Child Data Breach
Next Post: Critical Ruby Flaw Could Lead to System Takeover

Related Posts

Cisco Firewall Zero-Days Exploited in China-Linked ArcaneDoor Attacks Cisco Firewall Zero-Days Exploited in China-Linked ArcaneDoor Attacks Security Week News
Oracle Releases June Security Patch with 245 Fixes Oracle Releases June Security Patch with 245 Fixes Security Week News
Microsoft to Lay Off About 3% of Its Workforce Microsoft to Lay Off About 3% of Its Workforce Security Week News
Google’s B Wiz Acquisition Gets EU Nod Google’s $32B Wiz Acquisition Gets EU Nod Security Week News
Cisco Fixes Critical Security Flaw in Identity Services Cisco Fixes Critical Security Flaw in Identity Services Security Week News
Bluekit Phishing Kit Leverages AI for Advanced Features Bluekit Phishing Kit Leverages AI for Advanced Features Security Week News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • FastNetMon Unveils Netomics for Enhanced Routing Control
  • Hackers Exploit Fake Microsoft Passkey Enrollment for Attacks
  • Top Unified Threat Management Solutions in 2026
  • Study Reveals Security Flaws in Free Android VPN Apps
  • WhatsApp Exploit Turns OpenClaw into Hacker Tool

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • FastNetMon Unveils Netomics for Enhanced Routing Control
  • Hackers Exploit Fake Microsoft Passkey Enrollment for Attacks
  • Top Unified Threat Management Solutions in 2026
  • Study Reveals Security Flaws in Free Android VPN Apps
  • WhatsApp Exploit Turns OpenClaw into Hacker Tool

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark