A Shai-Hulud-like supply chain worm has been found spreading through malicious npm packages, with the campaign tracked as SANDWORM_MODE and identified across at least 19 packages published under two aliases, official334 and javaorg, according to Socket's Threat Research Team.
The attackers add a twist by directly interfering with AI coding tools, not only stealing developer and CI credentials and propagating through compromised npm and GitHub accounts but also injecting rogue MCP servers into local AI assistant configurations and harvesting API keys from nine large language model providers.
The worm relies heavily on typosquatting to impersonate popular Node[.]js libraries and AI development tools, such as a package named suport-color@1.0.1 that mimics the legitimate supports-color package while performing a hidden multi-stage payload when imported. Stage 1 immediately harvests credentials and crypto keys, while Stage 2, delayed on developer machines but instant in CI environments, carries out deeper harvesting and propagation.
Exfiltration uses three channels: HTTPS POSTs to a Cloudflare Worker endpoint, uploads to attacker-controlled GitHub repositories, and DNS tunnelling via a domain generation algorithm fallback, with npm removing the malicious packages and Cloudflare and GitHub taking down related infrastructure.