SANDWORM_MODE

An active Shai-Hulud-like supply chain worm campaign spreads via typosquatting and AI toolchain poisoning, across at least 19 malicious npm packages... One representative example, suport-color@1.0.1, impersonates supports-color... Other packages in the set follow the same look-alike branding strategy to increase the likelihood of accidental installation.

"The campaign, tracked as SANDWORMMODE, uses typosquatted npm packages and poisoned GitHub Actions to infect both developer machines and CI pipelines."

The malicious code embedded into the packages comes with capabilities to siphon system information, access tokens, environment secrets, and API keys from developer environments and automatically propagate by abusing stolen npm and GitHub identities to extend its reach.

The code follows hallmarks analyzed in prior Shai-Hulud variants, including credential theft from developer and CI environments and automated propagation by abusing stolen npm and GitHub identities to move laterally through the software supply chain.

"spreads via typosquatting and AI toolchain poisoning, across at least 19 malicious npm packages"; "typosquat npm packages impersonating known utilities"

"weaponized GitHub Action that harvests CI secrets"; "plants CI backdoors by injecting pull_request_target workflows that serialize secrets"; "injects workflows referencing this Action"

...persists via git hooks that survive into future repositories through a global init.templateDir setting... It hardens persistence by setting git config --global init.templateDir so new repositories inherit malicious hooks automatically.

The payload is split across 45 base64 chunks... At runtime, the chunks are sorted, concatenated, base64-decoded, and zlib-inflated, then executed entirely in memory via Node’s internal Module._compile() API... executed via eval().

...persists via git hooks that survive into future repositories through a global init.templateDir setting... It hardens persistence by setting git config --global init.templateDir so new repositories inherit malicious hooks automatically.

The malicious code embedded into the packages comes with capabilities to siphon system information, access tokens, environment secrets, and API keys from developer environments and automatically propagate by abusing stolen npm and GitHub identities to extend its reach.

"...self-propagates by leveraging harvested npm and GitHub tokens to publish the malicious package through victims’ npm accounts or inject itself into the victim’s GitHub repos."

The packages go beyond npm-based propagation by including a weaponized GitHub Action that harvests CI/CD secrets...

"persists via git hooks that survive into future repositories through a global init.templateDir setting"; "git config --global init.templateDir so new repositories inherit malicious hooks automatically"

"Persistence... Uses git hooks so new repos inherit infection"

The module then injects this server into every AI coding assistant config it finds on disk: Claude Code..., Cursor..., VS Code Continue..., and Windsurf/Codeium... Each gets a mcpServers entry pointing to the deployed server.js.

...persists via git hooks that survive into future repositories through a global init.templateDir setting... It hardens persistence by setting git config --global init.templateDir so new repositories inherit malicious hooks automatically.

The malicious code embedded into the packages comes with capabilities to siphon system information, access tokens, environment secrets, and API keys from developer environments and automatically propagate by abusing stolen npm and GitHub identities to extend its reach.

"...self-propagates by leveraging harvested npm and GitHub tokens to publish the malicious package through victims’ npm accounts or inject itself into the victim’s GitHub repos."

The packages go beyond npm-based propagation by including a weaponized GitHub Action that harvests CI/CD secrets...

"persists via git hooks that survive into future repositories through a global init.templateDir setting"; "git config --global init.templateDir so new repositories inherit malicious hooks automatically"

"Persistence... Uses git hooks so new repos inherit infection"

Socket AI Scanner’s analysis... highlights an obfuscated import-time loader... a large embedded base64 blob is decompressed with zlib.inflateSync() and executed via eval()... base64 decode + zlib inflate + XOR decrypt + indirect eval().

Another significant component of the malware is an "McpInject" module that specifically targets AI coding assistants by deploying a malicious model context protocol (MCP) server and injecting it into their tool configurations. The MCP server masquerades as a legitimate tool provider...

The malicious code embedded into the packages comes with capabilities to siphon system information, access tokens, environment secrets, and API keys from developer environments and automatically propagate by abusing stolen npm and GitHub identities to extend its reach.

The deeper Stage 2 capabilities are then gated by a 48-hour base delay... plus per-machine jitter... In CI environments... the time gate is bypassed entirely... while the noisier operations are deferred to evade short-lived sandbox analysis.

Other variants... write the decoded script to a random hidden temp file, require() it, then immediately unlink() it... Stage 1 writes decrypted Stage 2 to a transient .node_<hex>.js file under /dev/shm... require()s it, and deletes it.

The module then injects this server into every AI coding assistant config it finds on disk: Claude Code..., Cursor..., VS Code Continue..., and Windsurf/Codeium... Each gets a mcpServers entry pointing to the deployed server.js.

The code follows hallmarks analyzed in prior Shai-Hulud variants, including credential theft from developer and CI environments... On import, Stage 1 immediately performs a lightweight credential harvest (collectAll: npm tokens, GitHub tokens, environment secrets, crypto keys).

The malicious code embedded into the packages comes with capabilities to siphon system information, access tokens, environment secrets, and API keys from developer environments... It also harvests API keys for nine large language models (LLM) providers.

Once the time gate opens, Stage 2 performs deep harvesting: password managers (Bitwarden, 1Password, LastPass via their respective CLIs)... | As a secondary collection step, the module also harvests API keys for nine LLM providers... from environment variables and .env files...

The module then injects this server into every AI coding assistant config it finds on disk: Claude Code..., Cursor..., VS Code Continue..., and Windsurf/Codeium... Each gets a mcpServers entry pointing to the deployed server.js.

The MCP server masquerades as a legitimate tool provider and registers three seemingly-harmless tools, each of which embeds a prompt injection to read the contents of ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.aws/credentials, ~/.npmrc, and .env files.

The malicious code embedded into the packages comes with capabilities to siphon system information... Some of the data stolen by the agent are as follows - System information

The deeper Stage 2 capabilities are then gated by a 48-hour base delay... plus per-machine jitter... In CI environments... the time gate is bypassed entirely... while the noisier operations are deferred to evade short-lived sandbox analysis.

Additional propagation fallback... SSH-assisted fallback when API propagation fails (SSH_AUTH_SOCK, GitHub SSH validation, clone/push)... Vector 3 → SSH agent (fallback)... ssh -T git@github.com...

The Propagate module implements three independent propagation vectors... npm publish... GitHub API... SSH push... automated propagation by abusing stolen npm and GitHub identities to move laterally through the software supply chain.

It then exfiltrates all collected data... through three channels in cascade... and DNS tunneling via base32-encoded queries to freefan[.]net (primary) and fanfree[.]net (secondary), with a DGA fallback seeded by "sw2025"...

"with a DGA fallback seeded by \"sw2025\" that generates domains across ten TLDs"; "The DGA uses the same sw2025 seed"

The sample retains Shai-Hulud hallmarks and adds GitHub API exfiltration with DNS fallback... exfiltrates data via the GitHub API with DNS tunneling as a secondary channel.

"...with DNS tunneling as a fallback method."

It then exfiltrates all collected data... through three channels in cascade: HTTPS POST to a Cloudflare Worker..., authenticated GitHub API uploads to threat actor-created private repositories..., and DNS tunneling...

"adds GitHub API exfiltration with DNS fallback"; "authenticated GitHub API uploads to threat actor-created private repositories"

"...exfiltrates them via HTTP POST request to a Cloudflare Worker."

The payload also implements a Shai-Hulud-style dead switch... triggers home directory wiping when the malware simultaneously loses access to GitHub for exfiltration and npm for propagation or operation... When enabled, it would securely destroy all writable files in the user's home directory...