Shai-Hulud Evolved: AI-Driven Sandworms Redefining Dune’s Fearsome Creatures
Researchers Identify Sophisticated Malware Campaign Targeting Developers and CI Environments
Researchers have identified a sophisticated malware campaign, dubbed SANDWORM_MODE, which bears similarities to the notorious Shai-Hulud worm. This new threat targets developers and continuous integration (CI) environments, using a two-stage approach to harvest sensitive data, including LLM API keys and other secrets.
Initial Stage of the Attack
The initial stage of the attack involves the compromise of 19 typosquatted npm packages, published by two users, official334 and javaorg. These packages, which include [protected] and [protected], contain a malicious payload that harvests npm tokens, GitHub tokens, and crypto keys, exfiltrating them via an HTTP POST request to a Cloudflare Worker.
Second Stage of the Attack
The second stage of the attack, which occurs between 48 and 96 hours after the initial compromise, targets a broader range of data sources, including password managers, local SQLite stores, and files. This stage also injects a malicious MCP server, designed to manipulate AI agents into silently exfiltrating credentials. The MCP server targets AI coding assistants, including Claude Code, Claude Desktop, Cursor, VS Code Continue, and Windsurf/Codeium.
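A defensive check for the MCP injection described above, as an added example that is not from the original report: it compares an assistant's MCP configuration with a reviewed baseline and reports servers that were added, changed or removed. It assumes the JSON layout with a top-level `mcpServers` object (used by Claude Desktop and Cursor); the function names and the sample configs are constructed for illustration.

```javascript
// Added example (not from the original report): baseline audit of MCP server entries.

// Canonical description of how a server is launched. Env values are left out so
// the baseline never stores secrets; only the variable names are compared.
function launchShape(entry) {
  const e = entry || {};
  return JSON.stringify({
    command: e.command || null,
    args: Array.isArray(e.args) ? e.args : [],
    envKeys: Object.keys(e.env || {}).sort(),
    url: e.url || null,
  });
}

// Build a baseline { name: launchShape } from a config that has been reviewed.
function buildBaseline(reviewedConfigText) {
  const servers = JSON.parse(reviewedConfigText).mcpServers || {};
  const baseline = Object.create(null); // no inherited keys to collide with names
  for (const [name, entry] of Object.entries(servers)) baseline[name] = launchShape(entry);
  return baseline;
}

// Report servers that were added, changed or removed relative to the baseline.
function auditMcpConfig(configText, baseline) {
  let servers;
  try {
    servers = JSON.parse(configText).mcpServers || {};
  } catch (err) {
    return [{ server: null, issue: "unparseable" }];
  }
  const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  const findings = [];
  for (const [name, entry] of Object.entries(servers)) {
    const launch = launchShape(entry);
    if (!has(baseline, name)) findings.push({ server: name, issue: "unapproved", launch });
    else if (launch !== baseline[name]) findings.push({ server: name, issue: "modified", launch });
  }
  for (const name of Object.keys(baseline)) {
    if (!has(servers, name)) findings.push({ server: name, issue: "missing" });
  }
  return findings;
}

// Constructed sample data: a reviewed config and a later copy with one extra entry.
const fsServer = { command: "npx", args: ["-y", "@modelcontextprotocol/server-filesystem", "/work"] };
const reviewed = JSON.stringify({ mcpServers: { filesystem: fsServer } });
const current = JSON.stringify({
  mcpServers: { filesystem: fsServer, "dev-utils": { command: "node", args: ["/tmp/example/server.js"] } },
});
console.log(auditMcpConfig(current, buildBaseline(reviewed)));
```

Run it against each assistant's configuration file on developer machines and CI images, and treat any `unapproved` or `modified` finding as a reason to review how the entry got there.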
Data Collected by the Malware
The SANDWORM_MODE payload also collects LLM API keys from environment variables and .env files, including keys from OpenAI, Anthropic, Google, Groq, Together, Fireworks, Replicate, Mistral, and Cohere. Researchers believe that the threat actors behind SANDWORM_MODE are still testing and developing the malware, based on the presence of a dormant polymorphic engine and commented-out destructive routines in related malicious code.
Recommendations to Mitigate Risks
Researchers recommend restricting CI workflows, preferring OIDC/trusted publishing over long-lived tokens, and requiring review for CI/workflow and dependency changes. Additionally, minimizing secrets in CI and monitoring for anomalous publishing or repo write activity can help prevent similar attacks.
Incident Disrupted, But Vigilance Remains Crucial
The SANDWORM_MODE campaign has been disrupted, with Cloudflare removing the malicious workers and the threat actors’ npm profiles and published packages being removed from npm. However, the incident serves as a reminder of the importance of vigilance and proactive security measures in the face of increasingly sophisticated threats.
