
SANDWORM_MODE: npm Supply Chain Attack Targeting AI Development Tools

Red | Attack Report

Summary

SANDWORM_MODE represents a sophisticated self-propagating npm supply chain worm first disclosed by Socket’s Threat Research Team on February 20, 2026. This advanced npm supply chain attack was distributed through 19 typosquatted packages on the npm registry, published under the aliases official334 and javaorg, targeting developer environments and CI/CD pipelines globally across macOS, Linux, and Windows platforms.

The SANDWORM_MODE malware deploys multi-stage, heavily obfuscated payloads that immediately harvest developer and CI/CD secrets including npm tokens, cloud credentials, SSH keys, and environment variables. SANDWORM_MODE demonstrates advanced evasion capabilities by bypassing time delays in CI environments to accelerate lateral spread across development infrastructure. The npm supply chain worm hijacks repositories on GitHub by injecting malicious GitHub Actions workflows, modifying lockfiles, and abusing repository tokens for autonomous propagation.

What uniquely distinguishes SANDWORM_MODE from previous npm supply chain attacks is its focus on AI development toolchain poisoning. The malware installs a rogue MCP (Model Context Protocol) server into hidden directories and registers it with developer AI assistants and coding tools. Through prompt injection and configuration tampering, SANDWORM_MODE manipulates AI systems into silently exposing additional credentials, including API keys for large language model providers. This npm supply chain campaign highlights an evolution toward hybrid wormable supply chain attacks targeting developer workstations, CI pipelines, and AI-assisted development workflows simultaneously.

Attack Details

SANDWORM_MODE npm Supply Chain Compromise

The SANDWORM_MODE campaign, first disclosed by Socket’s Threat Research Team on February 20, 2026, represents a sophisticated npm supply chain attack involving a self-propagating worm designed to infect developer environments and CI/CD pipelines globally. The SANDWORM_MODE malware was distributed through at least 19 typosquatted packages on npm published under the aliases official334 and javaorg, with malicious packages mimicking legitimate libraries to trick developers into installing them during software development activities.

Once executed, SANDWORM_MODE deploys multi-stage, heavily obfuscated payloads that immediately begin harvesting sensitive credentials from infected development systems. The npm supply chain worm targets npm tokens, cloud provider credentials, SSH keys, and environment secrets critical to software development and deployment operations.

Multi-Stage Credential Theft and Propagation

The SANDWORM_MODE attack operates in multiple sophisticated phases. An initial loader decodes and executes encrypted payloads directly in memory, followed by rapid credential theft targeting npm tokens, cloud credentials, SSH keys, and environment secrets. A delayed second stage of the SANDWORM_MODE malware, protected behind a 48-hour time gate with encrypted payloads, activates deeper persistence and propagation mechanisms, including modifications to project files and CI workflows.

In CI/CD environments, SANDWORM_MODE bypasses the delay entirely to accelerate spread and maximize token theft across automated build pipelines. Stolen credentials are exfiltrated through multiple redundant channels, including HTTPS endpoints to attacker-controlled Cloudflare Workers at pkg-metrics.official334.workers.dev, GitHub repository uploads, and DNS tunneling, ensuring data exfiltration succeeds even if individual channels are blocked by security controls.

GitHub Repository Hijacking and CI/CD Persistence

A core feature of the SANDWORM_MODE campaign is comprehensive CI/CD hijacking, particularly targeting repositories hosted on GitHub. The npm supply chain worm injects malicious GitHub Actions workflows such as quality.yml, modifies package-lock.json and yarn.lock files, and abuses repository tokens to move laterally across projects within organizations. SANDWORM_MODE leverages attacker-controlled infrastructure, including a GitHub organization named ci-quality, to host and distribute additional malicious payloads.

The SANDWORM_MODE worm also establishes persistent access via global Git configuration changes, ensuring newly initialized repositories inherit malicious hooks even after the original npm package is removed. This Git-level persistence mechanism, implemented through modifications to `git config --global init.templateDir`, allows SANDWORM_MODE to survive standard remediation efforts that only focus on removing malicious npm packages.

AI Toolchain Poisoning Through Rogue MCP Servers

What uniquely distinguishes SANDWORM_MODE from earlier npm supply chain worms is its sophisticated focus on AI development toolchain poisoning. The malware installs a rogue local MCP (Model Context Protocol) server into a hidden directory at ~/.dev-utils/ and registers it with developer AI assistants and coding tools using innocuous-sounding tool names. Through prompt injection and configuration tampering, SANDWORM_MODE manipulates AI systems into silently exposing additional secrets, including API keys for large language model providers like OpenAI, Anthropic, and locally-hosted models.

The SANDWORM_MODE malware probes for locally running AI services on multiple ports including localhost:11434 (Ollama), localhost:1234, localhost:5000, localhost:8000, and localhost:8080, attempting to extract model information and inject malicious prompts. This represents a significant evolution in npm supply chain attacks, expanding the threat surface beyond traditional build systems into AI-assisted development environments where developers increasingly rely on AI coding assistants.

Hybrid Wormable Supply Chain Attack Model

The SANDWORM_MODE campaign demonstrates a fundamental shift from traditional package-level compromise toward a hybrid model combining wormable supply chain infection, CI/CD pipeline hijacking, and AI toolchain manipulation. The malware’s use of a Domain Generation Algorithm (DGA) with the seed “sw2025” enables dynamic command-and-control infrastructure, while its multi-channel exfiltration approach ensures operational resilience. SANDWORM_MODE’s ability to propagate autonomously through GitHub repositories, persist via Git-level configuration changes, and poison AI development tools represents an evolution in npm supply chain attacks that simultaneously targets developer workstations, CI pipelines, and AI-assisted workflows.

Recommendations

Audit npm Dependencies for Typosquatted Packages

Immediately review all project dependencies against the list of 19 known malicious SANDWORM_MODE packages including claud-code, cloude-code, suport-color, rimarf, and yarsg. Remove any matches and rotate all credentials that may have been exposed on systems where these npm packages were installed.

Rotate and Revoke All Exposed Credentials

Immediately revoke and rotate npm tokens, GitHub personal access tokens, CI/CD secrets, cloud provider keys, SSH keys, and LLM API keys on any systems potentially affected by SANDWORM_MODE. Assume any credential present on an affected development system may have been harvested by the npm supply chain worm. Replace long-lived tokens with scoped, least-privilege, short-lived credentials to reduce blast radius.

Inspect and Secure CI/CD Workflows

Review all CI/CD workflows for unauthorized YAML files, unexpected steps, or external repository references associated with SANDWORM_MODE. Pay close attention to modifications within .github/workflows/ directories and changes to package-lock.json or yarn.lock files without corresponding dependency updates. Enforce branch protections and require approval for workflow changes to prevent SANDWORM_MODE propagation.

Check for Git-Based Persistence Mechanisms

Inspect global Git configuration for tampering by SANDWORM_MODE, particularly changes to init.templateDir that could propagate malicious hooks to newly initialized repositories. Remove unknown Git hook templates and validate repository-level hooks. Persistence at the Git level implemented by SANDWORM_MODE can survive npm package removal if not explicitly addressed.

Implement Least-Privilege Access Controls

Reduce permissions of CI tokens and GitHub automation credentials to the minimum required for legitimate operations. Scope secrets per environment and disable unnecessary write access. Monitor developer endpoints and CI runners for anomalous outbound HTTPS traffic to pkg-metrics.official334.workers.dev or DNS patterns indicative of SANDWORM_MODE data exfiltration.

Indicators of Compromise (IoCs)

SHA256 Hashes: 5ce544f624fd2aee173f4199da62818ff78deca4ba70d9cf33460974d460395c, 5440e1a424631192dff1162eebc8af5dc2389e3d3b23bd26e9c012279ae116e4

Domains: freefan[.]net, fanfree[.]net

URLs: hxxps[:]//pkg-metrics[.]official334[.]workers[.]dev/exfil, hxxps[:]//pkg-metrics[.]official334[.]workers[.]dev/drain, hxxp[:]//localhost[:]11434/api/tags, hxxp[:]//localhost[:]11434/api/generate, hxxp[:]//localhost[:]1234/v1/models, hxxp[:]//localhost[:]5000/v1/models, hxxp[:]//localhost[:]8000/v1/models, hxxp[:]//localhost[:]8080/v1/models, hxxp[:]//localhost[:]4873

Malicious npm Packages: claud-code@0.2.1, cloude-code@0.2.1, cloude@0.3.0, crypto-locale@1.0.0, crypto-reader-info@1.0.0, detect-cache@1.0.0, format-defaults@1.0.0, hardhta@1.0.0, locale-loader-pro@1.0.0, naniod@1.0.0, node-native-bridge@1.0.0, opencraw@2026.2.17, parse-compat@1.0.0, rimarf@1.0.0, scan-store@1.0.0, secp256@1.0.0, suport-color@1.0.1, veim@2.46.2, yarsg@18.0.1

npm Publisher Alias: official334, javaorg

Email Address: Official334[@]proton[.]me, JAVAorg[@]proton[.]me

GitHub User: official334

GitHub Organization: ci-quality

GitHub Repository: ci-quality/code-quality-check (tags: v1, v1.0.0)

Malicious Workflow File: .github/workflows/quality.yml

DGA Seed: sw2025

Persistence Mechanism: git config --global init.templateDir (malicious template directory)

Hidden Directory: ~/.dev-utils/ (rogue MCP server location)

MITRE ATT&CK TTPs

Initial Access: T1195.002 – Supply Chain Compromise: Compromise Software Supply Chain, T1195.001 – Compromise Software Dependencies and Development Tools

Execution: T1059.007 – Command and Scripting Interpreter: JavaScript

Persistence: T1546 – Event Triggered Execution

Credential Access: T1555.005 – Credentials from Password Stores: Password Managers, T1552.001 – Unsecured Credentials: Credentials In Files

Collection: T1119 – Automated Collection

Exfiltration: T1048.001 – Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol, T1567.001 – Exfiltration Over Web Service: Exfiltration to Code Repository

Lateral Movement: T1072 – Software Deployment Tools

Defense Evasion: T1027.013 – Obfuscated Files or Information: Encrypted/Encoded File, T1497.003 – Virtualization/Sandbox Evasion: Time Based Evasion

Impact: T1485 – Data Destruction

Resource Development: T1583.006 – Acquire Infrastructure: Web Services

References

https://socket.dev/blog/sandworm-mode-npm-worm-ai-toolchain-poisoning
