Npm Packages Exploit Crypto Keys and CI Secrets

Posted on February 23, 2026 By CWS

Introduction to the Threat

Cybersecurity researchers have raised alarms about a new threat: a set of malicious npm packages built to steal credentials and cryptocurrency keys. Named SANDWORM_MODE by security firm Socket, the campaign uses at least 19 malicious npm packages to infiltrate developer environments. It mimics the earlier Shai-Hulud attacks, embedding code that extracts system data, tokens, secrets, and API keys and then uses stolen npm and GitHub identities to spread further.

Details of the Malicious Campaign

The malicious packages were released by two npm aliases, official334 and javaorg. These packages include:

  • [email protected]
  • [email protected]
  • [email protected]

Additionally, four dormant packages that currently lack harmful capabilities were identified. The campaign also uses a GitHub Action to exfiltrate CI/CD secrets over HTTPS, with DNS as a fallback channel, and includes a destructive routine that wipes home directories if the malware loses access to GitHub and npm.
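The DNS fallback channel mentioned above is the part of this campaign a resolver log can catch: encoded data leaves as long, high-entropy subdomain labels under a single parent domain. The following detection heuristic is an added example written for this page, not code from Socket or The Hacker News. The log layout (`<timestamp> <client-ip> <qname>`), the domain `exfil-example.invalid` and the thresholds are all constructed assumptions; adapt the parser to your resolver's actual format.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log in a hypothetical "<timestamp> <client-ip> <qname>" layout.
# Three queries carry long, high-entropy leftmost labels under one parent domain,
# the pattern a DNS-fallback exfiltration channel produces; the rest are ordinary lookups.
SAMPLE_DNS_LOG = """\
2026-02-23T10:00:01Z 10.0.0.5 registry.npmjs.org
2026-02-23T10:00:02Z 10.0.0.5 api.github.com
2026-02-23T10:00:03Z 10.0.0.5 a7k2x9q4m1z8p3w6.exfil-example.invalid
2026-02-23T10:00:03Z 10.0.0.5 b8l3y0r5n2t9u4v7.exfil-example.invalid
2026-02-23T10:00:04Z 10.0.0.5 c9m4z1s6o3p0d5e2.exfil-example.invalid
2026-02-23T10:00:05Z 10.0.0.7 www.example.com
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character: 4.0 for 16 distinct characters, 0.0 for 'www'."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(log_text: str):
    """Yield (timestamp, client, qname) for well-formed lines; skip anything else."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        yield ts, client, qname.rstrip(".").lower()


def split_qname(qname: str):
    """Split 'data.parent.tld' into ('data', 'parent.tld'); None if there is no subdomain."""
    labels = qname.split(".")
    if len(labels) < 3:
        return None
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_suspicious_domains(log_text: str, min_distinct: int = 3,
                            min_label_len: int = 12, min_entropy: float = 3.5) -> dict:
    """Return parent domains whose subdomains look like encoded data.

    A parent is flagged when it receives at least `min_distinct` distinct subdomain
    prefixes whose average length and average entropy both reach the thresholds.
    """
    prefixes = defaultdict(set)
    for _, _, qname in parse_log(log_text):
        parts = split_qname(qname)
        if parts is None:
            continue
        prefix, parent = parts
        prefixes[parent].add(prefix)

    flagged = {}
    for parent, prefix_set in prefixes.items():
        if len(prefix_set) < min_distinct:
            continue
        stripped = [p.replace(".", "") for p in prefix_set]
        avg_len = sum(len(p) for p in stripped) / len(stripped)
        avg_entropy = sum(shannon_entropy(p) for p in stripped) / len(stripped)
        if avg_len >= min_label_len and avg_entropy >= min_entropy:
            flagged[parent] = {
                "distinct_prefixes": len(prefix_set),
                "avg_prefix_len": round(avg_len, 1),
                "avg_entropy": round(avg_entropy, 2),
            }
    return flagged


if __name__ == "__main__":
    for parent, stats in find_suspicious_domains(SAMPLE_DNS_LOG).items():
        print(f"suspicious: {parent} {stats}")
```

Two-label parents (`npmjs.org`, `github.com`) are used as the grouping key for simplicity; production code should use a public-suffix list so that `co.uk`-style domains group correctly. Expect false positives from CDNs and telemetry hostnames that legitimately use hashed labels, so treat a hit as a lead for the CI runner or developer host that issued the queries, not as a verdict.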

Advanced Malware Features

A key component of the malware, known as “McpInject,” targets AI coding assistants by deploying a malicious server. The server pretends to be a genuine tool and embeds prompts that direct the assistant to access sensitive files such as ~/.ssh/id_rsa. The malware also targets various coding tools and harvests API keys for several language model providers. The payload includes a polymorphic engine that evades detection by altering variable names and control flow.

Stages of the Attack Chain

The attack unfolds in two stages. The initial phase captures credentials and crypto keys; the second, activated after 48 hours, intensifies data harvesting and propagation. Developers are advised to uninstall the identified packages, rotate tokens, and scrutinize configuration files for unauthorized changes. Socket believes the threat actors are still refining their tooling, as indicated by toggles in the code that disable the destructive routines.
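Two of the recommended responses above, checking installed packages against the published list and scrutinizing configuration files for unauthorized changes, are mechanical enough to script. The audit below is an added example for this page, not code from Socket or The Hacker News. The package names in the deny-list are placeholders, because the names were not readable in this copy of the article; the `mcpServers` layout is the JSON shape used by common MCP clients and is treated here as an assumption (the name "McpInject" suggests such a config is the target, but the article does not name the file), so point it at whatever config your assistant actually reads.

```python
import json

# Constructed deny-list of (name, version) pairs. PLACEHOLDERS: substitute the
# package names and versions published in the advisory.
DENY_LIST = {
    ("malicious-package-placeholder", "1.0.3"),
    ("another-placeholder", "2.1.0"),
}

# Constructed package-lock.json (lockfileVersion 3 layout: "packages" keyed by
# install path). One hit is top-level, one is nested under a dependency.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/left-pad/node_modules/another-placeholder": {"version": "2.1.0"},
        "node_modules/malicious-package-placeholder": {"version": "1.0.3"},
        "node_modules/@scope/clean-package": {"version": "4.0.0"},
    },
})

# Constructed MCP client config. ASSUMPTION: the "mcpServers" key and the
# command/args fields follow the layout common MCP clients use.
SAMPLE_MCP_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {"command": "npx", "args": ["-y", "approved-fs-server-placeholder"]},
        "helper-tool": {"command": "node", "args": ["/home/dev/.cache/helper/index.js"]},
    },
})

# Servers the team has reviewed and expects to see; anything else is reported.
APPROVED_SERVERS = {"filesystem"}


def package_name_from_path(path: str):
    """'node_modules/a/node_modules/@s/b' -> '@s/b'; None for the root entry."""
    idx = path.rfind("node_modules/")
    if idx == -1:
        return None
    return path[idx + len("node_modules/"):]


def find_denied_packages(lock_text: str, deny_list: set) -> list:
    """Return sorted (install_path, name, version) tuples that match the deny-list."""
    lock = json.loads(lock_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        name = package_name_from_path(path)
        if name is None:
            continue
        version = meta.get("version")
        if (name, version) in deny_list:
            hits.append((path, name, version))
    return sorted(hits)


def find_unapproved_mcp_servers(config_text: str, approved: set) -> list:
    """Return sorted (server_name, command_line) for servers not on the approved list."""
    cfg = json.loads(config_text)
    unapproved = []
    for name, spec in cfg.get("mcpServers", {}).items():
        if name in approved:
            continue
        cmd = " ".join([spec.get("command", "")] + list(spec.get("args", [])))
        unapproved.append((name, cmd))
    return sorted(unapproved)


if __name__ == "__main__":
    for path, name, version in find_denied_packages(SAMPLE_LOCKFILE, DENY_LIST):
        print(f"DENIED  {name}@{version} at {path}")
    for name, cmd in find_unapproved_mcp_servers(SAMPLE_MCP_CONFIG, APPROVED_SERVERS):
        print(f"REVIEW  mcp server {name!r} runs: {cmd}")
```

Matching on the lockfile rather than `node_modules` catches nested copies that a top-level listing misses, and the exact `(name, version)` match avoids flagging the clean versions of a hijacked package. Run both checks on CI runners as well as developer laptops, since the GitHub Action component of this campaign targets the former.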

Related Security Concerns

The disclosure coincides with reports from Veracode and JFrog about other malicious npm packages. These packages, such as “buildrunner-dev” and “eslint-verify-plugin,” are designed to deploy remote access trojans across various operating systems. The .NET malware delivered by “buildrunner-dev” and the complex infection chain of “eslint-verify-plugin” underline the sophistication of these threats and the need for developers to stay vigilant against malicious npm packages.

Category: The Hacker News. Tags: AI coding, API tokens, CI secrets, crypto keys, Cybersecurity, GitHub, Malware, NPM, supply chain

Copyright © 2026 Cyber Web Spider Blog – News.