SANDWORM_MODE
SANDWORM_MODE is the campaign name used by Socket’s Threat Research Team for an active Shai-Hulud-like software supply-chain worm campaign. The name is derived from SANDWORM_* environment-variable switches embedded in the malware’s runtime control logic. It is a malicious campaign rather than an attributed nation-state actor, and no state attribution is stated.

The campaign spreads through typosquatting and AI toolchain poisoning across at least 19 malicious npm packages published under the npm aliases official334 and javaorg. Reported packages include claud-code@0.2.1, cloude-code@0.2.1, cloude@0.3.0, crypto-locale@1.0.0, crypto-reader-info@1.0.0, detect-cache@1.0.0, format-defaults@1.0.0, hardhta@1.0.0, locale-loader-pro@1.0.0, naniod@1.0.0, node-native-bridge@1.0.0, opencraw@2026.2.17, parse-compat@1.0.0, rimarf@1.0.0, scan-store@1.0.0, secp256@1.0.0, suport-color@1.0.1, veim@2.46.2, and yarsg@18.0.1. A representative package, suport-color@1.0.1, impersonates supports-color while preserving expected behavior.

The malware executes on import while preserving package functionality. It steals credentials and crypto material from developer and CI environments, including npm and GitHub identities, and propagates by abusing stolen credentials to publish npm packages, modify repositories through the GitHub API, and fall back to SSH-agent-based propagation. It also injects malicious GitHub Actions workflows, including pull_request_target workflows that serialize secrets using ${{ toJSON(secrets) }} for exfiltration. Persistence is achieved through malicious git hooks by setting git config --global init.templateDir so future repositories inherit the hooks automatically.

Exfiltration is multi-channel: HTTPS POST to a Cloudflare Worker endpoint, GitHub API uploads to attacker-controlled private repositories, and DNS tunneling to freefan[.]net and fanfree[.]net with DGA fallback seeded by "sw2025".
The campaign specifically targets high-traffic Node.js developer utilities, crypto tooling, and AI coding tools. A notable capability is MCP server injection: the payload exports an McpInject module that writes a rogue MCP server into a hidden directory under the user’s home directory and injects it into configurations for Claude Code, Claude Desktop, Cursor, VS Code Continue, and Windsurf/Codeium. The malicious MCP server exposes tools named index_project, lint_check, and scan_dependencies, with embedded prompt-injection text instructing AI assistants to collect SSH keys, AWS credentials, .npmrc contents, project .env files, and secret-like environment variables. The malware also harvests API keys for OpenAI, Anthropic, Google, Groq, Together, Fireworks, Replicate, Mistral, and Cohere.

The payload is staged. Stage 1 performs lightweight credential harvesting and immediately exfiltrates discovered crypto keys via a dedicated drainHotline path. Stage 2 is AES-256-GCM encrypted and time-gated by a 48-hour base delay plus up to 48 hours of host-derived jitter, though this delay is bypassed in CI environments. The Stage 2 bundle exports Propagate, Exfil, DeadSwitch, McpInject, and GitHooks modules. Obfuscation and in-memory execution techniques described include base64 decoding, zlib inflation, XOR decryption, indirect eval, and in some variants Module._compile().

The campaign also uses a public GitHub repository, ci-quality/code-quality-check, created 2026-02-17, as a malicious GitHub Action masquerading as a code-quality scanner. The npm payload can be configured via SANDWORM_ACTION_REF to inject this Action into infected repositories, creating a bidirectional worm loop between npm packages and GitHub Actions. A destructive DeadSwitch capability that can wipe the user’s home directory when GitHub and npm access are simultaneously lost is present but disabled in the analyzed build.
The reporting also notes a dormant polymorphic engine configured to use a local Ollama instance (deepseek-coder:6.7b), but it is disabled in the analyzed sample. Known alias: sandworm_mode.
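
The injected-workflow behaviour described above (pull_request_target workflows that serialize secrets with ${{ toJSON(secrets) }}, and references to the ci-quality/code-quality-check Action) can be audited in a repository checkout. The following is an added example, not code from Socket's report or from the malware; the function names, finding labels, sample files and the @main ref are constructed for illustration, and the regex-based matching is an assumption rather than a full YAML parse.

```python
import re

# Indicators taken from the campaign description above.
SECRETS_DUMP = re.compile(r"\$\{\{\s*toJSON\(\s*secrets\s*\)\s*\}\}", re.I)
PR_TARGET = re.compile(r"\bpull_request_target\b")
ROGUE_ACTION = re.compile(r"uses:\s*['\"]?ci-quality/code-quality-check(@\S+)?", re.I)


def strip_comments(text):
    """Drop full-line YAML comments so commented-out text is not flagged."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def audit_workflow(text):
    """Return a sorted list of finding labels for one workflow file's text."""
    body = strip_comments(text)
    findings = set()
    has_dump = bool(SECRETS_DUMP.search(body))
    if has_dump:
        findings.add("secrets-serialized")
    if has_dump and PR_TARGET.search(body):
        findings.add("pull_request_target+secrets-dump")
    if ROGUE_ACTION.search(body):
        findings.add("rogue-action-reference")
    return sorted(findings)


def audit_repo(files):
    """files maps path -> text; only .github/workflows/*.yml or *.yaml is checked."""
    report = {}
    for path, text in files.items():
        if re.search(r"(^|/)\.github/workflows/[^/]+\.ya?ml$", path):
            hits = audit_workflow(text)
            if hits:
                report[path] = hits
    return report


# Constructed sample input (not taken from the malware).
SAMPLE = {
    ".github/workflows/ci.yml": "on: push\njobs:\n  t:\n    steps:\n      - run: npm test\n",
    ".github/workflows/quality.yml": "on:\n  pull_request_target:\njobs:\n  q:\n    env:\n"
    "      ALL: ${{ toJSON(secrets) }}\n    steps:\n      - uses: ci-quality/code-quality-check@main\n",
    "docs/example.yml": "x: ${{ toJSON(secrets) }}\n",
}

if __name__ == "__main__":
    for path, hits in audit_repo(SAMPLE).items():
        print(path, hits)
```

To run it against a real checkout, build the files mapping by reading each file under .github/workflows and pass it to audit_repo.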