npm Self-Spreading Malware Targets Developers in Supply Chain Attack
Malicious npm Packages Target Developers in Sophisticated Supply Chain Attack
Security researchers have uncovered a complex supply chain attack targeting developers, involving 19 malicious npm packages published on npmjs.com. These packages, designed to steal credentials, infect projects, and propagate themselves across developer environments, represent a rare example of worm-like malware spreading through software supply chains.
The Operation
The operation, dubbed SANDWORM_MODE, bears similarities to the self-replicating Shai-Hulud worm that appeared on the official npm registry last year. While it is unclear whether this is a direct descendant or a copycat, the use of Sandworm-themed environment variable switches suggests a connection.
The Malicious Packages
The malicious packages, published by two accounts using npm publisher aliases, impersonate popular utilities such as AI coding tools and crypto tools. Once imported by developers, the packages execute a hidden loader that decrypts embedded code, searches for and exfiltrates sensitive data, including API keys, access tokens, and cryptocurrency wallet keys.
Malware Execution and Propagation
The malware delays the execution of its second stage by 48 to 96 hours, unless it detects a continuous integration environment, in which case it forgoes this delay. The second stage module performs a deep harvest of sensitive information, including password managers, local SQLite stores, and a full filesystem scan for wallet files and crypto configs.
Data Exfiltration and Propagation
The collected data is exfiltrated through three channels: HTTPS POST to a Cloudflare Worker, authenticated GitHub API uploads, and DNS tunneling via base32-encoded queries. The malware also performs propagation actions, establishes persistence, and injects a malicious Git hook to re-infect the system in case of cleanup attempts.
Targeting AI Coding Assistants
Furthermore, the malware targets modern AI coding assistants by injecting a rogue Model Context Protocol (MCP) server into their configuration, allowing the threat actor to feed hidden instructions to the assistant and transmit sensitive files externally.
Disruption and Recommendations
The campaign’s infrastructure has been disrupted following coordinated takedown actions by the relevant providers. Developers affected by this supply chain attack are advised to remove malicious packages, rotate potentially exposed credentials, review recent changes to package.json and .git workflows, and check for persistence mechanisms.
Technical Details:
- Malicious npm packages: 19 packages impersonating popular utilities
- Exfiltrated data: API keys, access tokens, cryptocurrency wallet keys, password managers, local SQLite stores, and filesystem scans
- Exfiltration channels: HTTPS POST, authenticated GitHub API uploads, and DNS tunneling via base32-encoded queries
- Persistence mechanisms: Malicious Git hook, MCP server injection
- Targeted AI coding assistants: Claude Code, Claude Desktop, Cursor, VS Code Continue, and Windsurf/Codeium
- Affected providers: Cloudflare, GitHub, npm
Recommendations:
- Remove malicious packages and delete the node_modules/ directory
- Rotate potentially exposed credentials, including npm tokens, GitHub tokens, and CI/CD secrets
- Review recent changes to package.json, lockfiles, and .git workflows for suspicious or unexpected additions
- Check for persistence mechanisms by auditing global Git hook templates and inspecting hook directories for unfamiliar scripts
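
One way to carry out the hook audit in the last recommendation, as an added example that is not from the article or the researchers. The function names and the AUDIT_REPO variable are this example's own; the script only lists live hooks for manual review and assumes nothing about what the malicious hook looks like.

```shell
#!/bin/sh
# Added example: list every hook Git would run, for manual review.
# Function names and AUDIT_REPO are this example's own (hypothetical).

# Print the files in directory $1 that are live hooks. Git's stock hooks
# end in ".sample" and never run, so anything else deserves a look.
list_active_hooks() {
    [ -d "$1" ] || return 0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.sample) continue ;; esac
        printf '%s\n' "$f"
    done
    return 0
}

# Print the hook directories that apply to the repository in the current
# directory: its own hooks dir, any core.hooksPath override (any scope),
# and hooks/ under a global init.templateDir, which Git copies into every
# repository created later by "git init" or "git clone".
hook_dirs() {
    d=$(git rev-parse --absolute-git-dir 2>/dev/null) && printf '%s\n' "$d/hooks"
    d=$(git config --path --get core.hooksPath 2>/dev/null) && printf '%s\n' "$d"
    d=$(git config --global --path --get init.templateDir 2>/dev/null) &&
        printf '%s\n' "$d/hooks"
    return 0
}

# Show each live hook for the working tree root $1 with its size, mtime
# and first lines. Runs in a subshell so the caller's directory is kept.
audit_repo() (
    cd "$1" || exit 1
    hook_dirs | sort -u | while IFS= read -r dir; do
        list_active_hooks "$dir" | while IFS= read -r hook; do
            printf '== REVIEW: %s\n' "$hook"
            ls -l "$hook"
            sed -n '1,5p' "$hook"
        done
    done
)

# Usage: AUDIT_REPO=/path/to/repo sh audit-hooks.sh
if [ -n "${AUDIT_REPO:-}" ]; then
    audit_repo "$AUDIT_REPO"
fi
```

A hook you did not install, or one whose modification time falls after the suspect package was added, is the thing to read in full before deleting it.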
