According to cybersecurity researchers, there is an ongoing "Shai-Hulud-like" supply chain worm campaign that has used a group of at least 19 malicious npm packages to facilitate cryptocurrency key theft and credential harvesting. The supply chain security firm Socket has given the campaign the codename SANDWORM_MODE. Similar to previous Shai-Hulud attack waves, the malicious code incorporated into the packages has the ability to access tokens, environment secrets, and API keys from developer environments, siphon system information, and automatically spread by abusing stolen GitHub and npm identities.

"GitHub API exfiltration with DNS fallback, hook-based persistence, SSH propagation fallback, MCP server injection with embedded prompt injection targeting AI coding assistants, and LLM API key harvesting are added to the sample while maintaining Shai-Hulud's distinguishing features," the company said.

The packages, published to npm by two publisher aliases, official334 and javaorg, are: claud-code@0.2.1, cloude-code@0.2.1, cloude@0.3.0, crypto-locale@1.0.0, crypto-reader-info@1.0.0, detect-cache@1.0.0, format-defaults@1.0.0, hardhta@1.0.0, locale-loader-pro@1.0.0, naniod@1.0.0, node-native-bridge@1.0.0, opencraw@2026.2.17, parse-compat@1.0.0, Rimarf@1.0.0, scan-store@1.0.0, secp256@1.0.0, support-color@1.0.1, veim@2.46.2, and yarsg@18.0.1. Four sleeper packages without any malicious functionality were also found: ethres, iru-caches, iruchache, and uudi.

Going beyond npm-based propagation, the packages include a weaponized GitHub Action that harvests CI/CD secrets and exfiltrates them via HTTPS with DNS fallback.
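Because the report names the packages and versions, the first thing a defender wants is a quick sweep of a project's lockfile for them. The following is an added example written for this article, not tooling from Socket or from npm: it walks a package-lock.json in either the v1 (nested "dependencies") or v2/v3 ("packages") layout and reports any entry whose name appears in the list above. An exact name and version match is reported as "malicious"; the same name at a different version is reported as "review", on the assumption (ours, not the report's) that anything under a name used by this campaign deserves a look; the four sleeper names are reported as "sleeper". The sample lockfile embedded at the bottom is constructed for demonstration.

```javascript
// Added example (not the article's or Socket's code): scan a package-lock.json
// for the SANDWORM_MODE package names and versions listed in the report.

// name -> version pairs, taken from the list in the article above.
const MALICIOUS = new Map([
  ["claud-code", "0.2.1"], ["cloude-code", "0.2.1"], ["cloude", "0.3.0"],
  ["crypto-locale", "1.0.0"], ["crypto-reader-info", "1.0.0"], ["detect-cache", "1.0.0"],
  ["format-defaults", "1.0.0"], ["hardhta", "1.0.0"], ["locale-loader-pro", "1.0.0"],
  ["naniod", "1.0.0"], ["node-native-bridge", "1.0.0"], ["opencraw", "2026.2.17"],
  ["parse-compat", "1.0.0"], ["rimarf", "1.0.0"], ["scan-store", "1.0.0"],
  ["secp256", "1.0.0"], ["support-color", "1.0.1"], ["veim", "2.46.2"], ["yarsg", "18.0.1"],
]);
// Sleeper packages from the same publishers: no malicious code yet, still worth flagging.
const SLEEPERS = new Set(["ethres", "iru-caches", "iruchache", "uudi"]);

// Yield { name, version, where } for every installed package in a lockfile object.
function* lockfileEntries(lock) {
  if (lock.packages) {                               // lockfileVersion 2 or 3
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === "") continue;                        // the root project entry
      const i = p.lastIndexOf("node_modules/");
      if (i < 0) continue;                           // workspace link, not a registry package
      // Everything after the last "node_modules/" is the name (scoped names included).
      yield { name: p.slice(i + "node_modules/".length), version: meta.version, where: p };
    }
  } else if (lock.dependencies) {                    // lockfileVersion 1
    yield* walkV1(lock.dependencies, "");
  }
}

// v1 lockfiles nest transitive dependencies under each package.
function* walkV1(deps, prefix) {
  for (const [name, meta] of Object.entries(deps)) {
    const where = `${prefix}node_modules/${name}`;
    yield { name, version: meta.version, where };
    if (meta.dependencies) yield* walkV1(meta.dependencies, where + "/");
  }
}

// Classify entries against the indicator lists. npm names are lowercase, so the
// comparison is case-insensitive.
function scanLockfile(lock) {
  const findings = [];
  for (const e of lockfileEntries(lock)) {
    const key = String(e.name).toLowerCase();
    if (MALICIOUS.has(key)) {
      const exact = MALICIOUS.get(key) === e.version;
      findings.push({ ...e, severity: exact ? "malicious" : "review" });
    } else if (SLEEPERS.has(key)) {
      findings.push({ ...e, severity: "sleeper" });
    }
  }
  return findings;
}

// Constructed sample lockfile (v3 layout) for demonstration only; not real project data.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/support-color": { version: "1.0.1" },
    "node_modules/express/node_modules/crypto-locale": { version: "1.0.2" },
    "node_modules/uudi": { version: "0.0.1" },
  },
};

// CLI use: node scan-lock.js path/to/package-lock.json (falls back to the sample).
if (typeof require !== "undefined" && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const f of scanLockfile(lock)) {
    console.log(`${f.severity}\t${f.name}@${f.version}\t${f.where}`);
  }
}
```

A lockfile scan only covers what a project has pinned; the same list should also be checked against registry mirrors, CI caches, and any developer machines where `npm install` ran during the campaign window, since the worm's credential theft happens at install time rather than at runtime.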

However, the same worm code appearing across several typosquatting packages and publisher aliases points to deliberate distribution rather than an accidental release. "Defenders should treat these packages as active compromise risks rather than benign test artifacts, as the destructive and propagation behaviors remain real and high-risk." The revelation follows Veracode and JFrog's descriptions of two additional malicious npm packages, "buildrunner-dev" and "eslint-verify-plugin," respectively, that are designed to deliver a remote access trojan (RAT) targeting Linux, macOS, and Windows.

The .NET malware delivered by buildrunner-dev is Pulsar RAT, an open-source RAT distributed through a PNG image hosted on i.ibb[.]co. eslint-verify-plugin, according to JFrog, "masquerades as a legitimate ESLint utility while deploying a sophisticated, multi-stage infection chain targeting macOS and Linux environments."

On Linux, the package installs a Poseidon agent for the Mythic C2 framework, giving the operator post-exploitation capabilities that include file operations, credential harvesting, and lateral movement.