Short title: SANDWORM_MODE npm worm (CI secret theft + MCP poisoning)
npm supply chain attack, SANDWORM_MODE, typosquatting, GitHub Actions compromise, CI secret exfiltration, MCP server injection, AI coding assistant poisoning, Shai-Hulud, DevSecOps
1. Executive Summary
SANDWORM_MODE is an active software supply-chain campaign that used typosquatted npm packages to execute a multi-stage JavaScript payload capable of credential theft, CI secret harvesting, worm-like propagation, and optional destructive behaviour. Reporting indicates at least 19 malicious packages were published under two npm aliases, with the campaign designed to pivot from developer workstations into GitHub repositories and CI pipelines via a weaponised GitHub Action and automated workflow injection. (SecurityWeek)
A notable evolution versus prior npm worm activity is “AI toolchain poisoning”: the malware installs a rogue Model Context Protocol (MCP) server and injects prompt instructions into tool descriptions to coerce AI coding assistants into silently collecting and passing secrets (for example SSH keys and cloud credentials). (Socket)
No credible public reporting links this campaign to the GRU Sandworm threat actor; “SANDWORM_MODE” appears to be a malware-derived label (environment-variable switches) used by researchers. (Socket)
2. Contextual Background
2.1 Nature of the threat
SecurityWeek reports the campaign was deployed via 19 typosquatted npm packages that have since been removed from the registry. (SecurityWeek) Socket’s analysis describes a Shai-Hulud-like worm that harvests developer and CI secrets, exfiltrates them through multiple channels, and propagates using stolen npm and GitHub credentials, including by injecting dependencies and GitHub Actions workflows into repositories. (Socket)
This incident is not a CVE-style vulnerability. It is a malicious dependency compromise delivered through the npm ecosystem and downstream build pipelines.
2.2 Threat-actor attribution
Attribution: None confirmed.
Confidence: Possible linkage to prior “Shai-Hulud” tradecraft based on code and behavioural similarities described by Socket and echoed by Endor Labs (hallmarks, staging, propagation patterns). (Socket)
Important naming caveat: Public reporting does not attribute this activity to the well-known “Sandworm” APT. The label is derived from SANDWORM_* runtime controls embedded in the malware. (Socket)
2.3 Sector and geographic targeting
Targeting is ecosystem-driven rather than geography-driven: any organisation or individual installing npm dependencies (particularly developer utilities, crypto tooling, and AI coding tools) is at risk, with follow-on exposure concentrated in GitHub repositories and CI environments where secrets are accessible. (SecurityWeek)
3. Technical Analysis
3.1 Vulnerabilities and TTPs
SANDWORM_MODE blends typosquatting, staged JavaScript execution, credential access, workflow compromise, and multi-channel exfiltration:
- Supply-chain compromise and masquerading
- Typosquatted packages impersonate popular utilities (for example a lookalike of
supports-color, plus multiple “Claude Code” themed lures). (Socket) - ATT&CK mapping: [T1195.002] (attack.mitre.org) and [T1036] (attack.mitre.org)
- Typosquatted packages impersonate popular utilities (for example a lookalike of
- Execution, staging, and obfuscation
- Import-time loaders inflate and execute large embedded payloads (base64 + compression + dynamic execution), with variants using in-memory compilation (
Module._compile) and transient files. (Socket) - ATT&CK mapping: [T1059.007] (attack.mitre.org) and [T1027] (attack.mitre.org)
- Import-time loaders inflate and execute large embedded payloads (base64 + compression + dynamic execution), with variants using in-memory compilation (
- Credential access and collection
- Secret harvesting includes
.npmrc,.env, environment variables, SSH keys, AWS credentials, and (per Socket) deeper targeting including password managers, plus LLM provider API keys. (Socket) - ATT&CK mapping: [T1552.001] (attack.mitre.org), [T1552.004] (attack.mitre.org), [T1555] (attack.mitre.org), [T1005] (attack.mitre.org)
- Secret harvesting includes
- Persistence via Git hooks
- Persistence is achieved by modifying global git hook templates (
init.templateDir) so hook logic survives into future repositories. (Socket) - ATT&CK mapping (best fit): [T1546] (attack.mitre.org)
- Persistence is achieved by modifying global git hook templates (
- CI compromise and repo propagation
- Socket attributes propagation to a weaponised GitHub Action (
ci-quality/code-quality-check@v1) that harvests CI secrets, exfiltrates them, then uses GitHub tokens to inject dependencies and workflows (including.github/workflows/quality.yml). (Socket)
- Socket attributes propagation to a weaponised GitHub Action (
- AI toolchain poisoning (MCP injection + prompt injection)
- The malware writes a malicious MCP server under a hidden home-directory path and injects
mcpServersentries into configs for Claude Code, Cursor, Continue, and Windsurf (among others), embedding prompt instructions to coerce secret collection. (Socket) - This behaviour is an emerging pattern not cleanly captured by a single ATT&CK technique; defenders should treat it as a new “developer AI interface” attack surface.
- The malware writes a malicious MCP server under a hidden home-directory path and injects
- Command-and-control and exfiltration
- Exfiltration is described as resilient: HTTPS and GitHub API uploads with DNS tunnelling fallback, with identified Cloudflare Workers endpoints and DNS domains. (Socket)
- ATT&CK mapping: [T1567.001] (attack.mitre.org), [T1071.001] (attack.mitre.org), [T1071.004] (attack.mitre.org)
- Destructive “dead switch” capability
- Socket describes a configurable home-directory wiping routine that remains off by default, designed to trigger when access to GitHub and npm is lost. (Socket)
- ATT&CK mapping: [T1485] (attack.mitre.org)
3.2 Exploitation status
Socket characterises the activity as active and distributed across multiple packages and aliases, and notes npm removed the malicious packages and GitHub removed associated infrastructure after notification. (Socket) Endor Labs also states the known malicious packages were taken down and are no longer available on npm. (endorlabs.com)
Socket additionally notes it had not observed confirmed public propagation via the GitHub Action at time of writing, suggesting staging/testing or activity primarily in private repos. (Socket)
4. Impact Assessment
4.1 Severity and scope
Impact is potentially high due to the breadth of secrets targeted (npm and GitHub tokens, cloud credentials, SSH keys, CI secrets, and LLM provider API keys) and the ability to pivot into source repositories and CI systems for downstream compromise. (SecurityWeek)
The presence of a dead-switch wiping routine increases operational risk for infected developer endpoints, even if it is disabled by default in analysed samples. (Socket)
4.2 Victim profile
Likely victims include:
- Developers and build systems that inadvertently install typosquatted npm packages.
- Engineering organisations with GitHub Actions workflows and accessible CI secrets.
- Teams using AI coding assistants where MCP configuration files are present on developer machines (Claude Code, Cursor, Continue, Windsurf). (SecurityWeek)
5. Indicators of Compromise (IOCs)
5.1 IOC table
| Type | Value | Context/Notes | Source |
|---|---|---|---|
| npm package | [email protected] | Malicious typosquat | (Socket) |
| npm package | [email protected] | Malicious typosquat | (Socket) |
| npm package | [email protected] | Malicious typosquat | (Socket) |
| npm package | [email protected] | Malicious package | (Socket) |
| npm package | [email protected] | Malicious package | (Socket) |
| npm package | [email protected] | Malicious package | (Socket) |
| npm package | [email protected] | Malicious package | (Socket) |
| npm package | [email protected] | Typosquat of hardhat (per Endor) | (endorlabs.com) |
| npm package | [email protected] | Malicious package | (Socket) |
| npm package | [email protected] | Typosquat of nanoid (per Endor) | (endorlabs.com) |
| npm package | [email protected] | Malicious package | (Socket) |
| npm package | [email protected] | Typosquat of opencrawl (per Endor) | (endorlabs.com) |
| npm package | [email protected] | Malicious package | (Socket) |
| npm package | [email protected] | Typosquat of rimraf (per Endor) | (endorlabs.com) |
| npm package | [email protected] | Malicious package | (Socket) |
| npm package | [email protected] | Typosquat of secp256k1 (per Endor) | (endorlabs.com) |
| npm package | [email protected] | Typosquat of supports-color | (Socket) |
| npm package | [email protected] | Typosquat of vim (per Endor) | (endorlabs.com) |
| npm package | [email protected] | Malicious package | (Socket) |
| npm alias | official334 | Threat actor npm alias | (Socket) |
| npm alias | javaorg | Threat actor npm alias | (Socket) |
official334@proton[.]me | Threat actor email | (Socket) | |
JAVAorg@proton[.]me | Threat actor email | (Socket) | |
| GitHub org/repo | ci-quality/code-quality-check | Weaponised GitHub Action repo | (Socket) |
| GitHub Action usage | uses: ci-quality/code-quality-check@v1 | Action reference string | (Socket) |
| workflow filename | .github/workflows/quality.yml | Injected workflow name (Socket) | (Socket) |
| C2 endpoint | https://pkg-metrics[.]official334[.]workers[.]dev/exfil | Cloudflare Workers exfil endpoint | (Socket) |
| C2 endpoint | https://pkg-metrics[.]official334[.]workers[.]dev/drain | Cloudflare Workers “drain” endpoint | (Socket) |
| DNS domain | freefan[.]net | DNS exfil domain | (Socket) |
| DNS domain | fanfree[.]net | DNS exfil domain | (Socket) |
| file artefact | ~/.git-templates/ | Malicious hook templates | (endorlabs.com) |
| file artefact | ~/.dev-utils/ | MCP server directory | (endorlabs.com) |
| file artefact | /dev/shm/.node_*.js | Transient stage-2 artefact (Linux) | (endorlabs.com) |
| config indicator | SANDWORM_* env vars | Operator controls (mode, endpoints, timing, DGA) | (Socket) |
| hash | 5440e1a4...ae116e4 (SHA-256) | Stage-2 plaintext SHA-256 (per Socket) | (Socket) |
Note: Socket publishes a “Drain Authentication” bearer token. To reduce the chance of misuse, this report does not reproduce it in full; refer to Socket’s IOC section for the complete value. (Socket)
5.2 Detection guidance
High-signal detections (endpoint + CI):
- Alert on installation or lockfile references to the malicious package set above, especially in repos that recently introduced new dependencies without matching upstream project changes. (Socket)
- Hunt for unexpected GitHub Actions usage of
ci-quality/code-quality-check@v1and newly introduced.github/workflows/quality.yml(and other “quality/check” themed workflow additions). (Socket) - DNS monitoring: long, high-volume subdomain queries and lookups to
freefan[.]net/fanfree[.]net, consistent with DNS tunnelling fallback. (Socket) - Network monitoring: outbound HTTPS to
pkg-metrics[.]official334[.]workers[.]devfrom developer endpoints or CI runners. (Socket)
Host artefact detections:
- Check for
git config --global init.templateDirpointing to unexpected locations and inspect~/.git-templates/for suspicious hooks. (Socket) - Inspect AI assistant MCP config files for unfamiliar
mcpServersentries (for example~/.cursor/mcp.json,~/.continue/config.json,~/.windsurf/mcp.json, and Claude config paths). (Socket) - Look for creation of
~/.dev-utils/(or similarly named hidden directories used to store the rogue MCP server). (endorlabs.com)
6. Incident Response Guidance
6.1 Containment, eradication, recovery
Socket recommends immediate removal of any malicious packages, deleting node_modules/, rotating npm/GitHub tokens and CI secrets, and reviewing for unexpected changes to package.json, lockfiles, and .github/workflows/. (Socket)
Additional practical steps:
- Quarantine affected developer endpoints and CI runners; assume token compromise if the package executed.
- Invalidate GitHub tokens, npm tokens, SSH keys, and cloud credentials associated with the host or repository.
- Rebuild CI runners from clean images and re-issue secrets using least-privilege scopes.
6.2 Forensic artefacts to preserve
Prioritise collection of:
~/.gitconfig,~/.git-templates/, and any suspicious git hook content. (endorlabs.com)- AI assistant configuration files (Claude, Cursor, Continue, Windsurf) to identify injected MCP servers. (endorlabs.com)
- Evidence of transient staging (
/dev/shm/.node_*.js) and shell history where applicable. (endorlabs.com) - GitHub audit logs for workflow creation/modification and unusual token usage.
6.3 Lessons learned and preventive recommendations
- Treat CI and developer workstations as high-value identity and secrets stores, not “lower-tier” endpoints.
- Minimise long-lived secrets in CI and prefer short-lived, workload identity patterns where possible.
- Add controls that gate dependency introduction and workflow changes behind review (especially for automation that can access secrets).
7. Threat Intelligence Contextualisation
7.1 Similar incidents
Socket and SecurityWeek describe SANDWORM_MODE as bearing hallmarks of the 2025 Shai-Hulud npm worm activity. (SecurityWeek) In September 2025, SecurityWeek reported Shai-Hulud impacted 180+ packages, abused compromised developer accounts, and propagated via npm token discovery and automated publishing of malicious package versions. (SecurityWeek) A later November 2025 wave reportedly expanded to roughly 640 packages and included destructive capabilities. (SecurityWeek)
Key evolution in SANDWORM_MODE is the explicit targeting of developer AI tooling via MCP server injection and prompt injection patterns. (Socket)
7.2 MITRE ATT&CK mapping
| Tactic | Technique ID | Technique Name | Observed Behaviour |
|---|---|---|---|
| Initial Access | T1195.002 (attack.mitre.org) | Compromise Software Supply Chain | Malicious typosquatted npm packages distributed via registry installs. (Socket) |
| Defense Evasion | T1036 (attack.mitre.org) | Masquerading | Lookalike package names and benign facades to blend into normal dependency usage. (Socket) |
| Execution | T1059.007 (attack.mitre.org) | JavaScript | Import-time loader executes staged JS payloads on developer/CI hosts. (Socket) |
| Defense Evasion | T1027 (attack.mitre.org) | Obfuscated Files or Information | Base64 + compression + runtime decode and in-memory compilation to hinder analysis. (Socket) |
| Credential Access | T1552.001 (attack.mitre.org) | Credentials In Files | Harvests .env, .npmrc, config files and environment secrets. (Socket) |
| Credential Access | T1552.004 (attack.mitre.org) | Private Keys | Targets SSH keys and crypto key material. (SecurityWeek) |
| Credential Access | T1555 (attack.mitre.org) | Credentials from Password Stores | Reporting indicates deeper harvesting including password managers. (Socket) |
| Persistence | T1546 (attack.mitre.org) | Event Triggered Execution | Git hook persistence via global template directory to survive into new repos. (Socket) |
| Collection | T1005 (attack.mitre.org) | Data from Local System | Reads local credential files and tool configs before exfiltration. (Socket) |
| Exfiltration | T1567.001 (attack.mitre.org) | Exfiltration to Code Repository | Uses GitHub APIs and repo mechanisms for data movement and propagation. (Socket) |
| Command and Control | T1071.001 (attack.mitre.org) | Web Protocols | HTTPS-based exfiltration to Cloudflare Workers endpoints. (Socket) |
| Command and Control | T1071.004 (attack.mitre.org) | DNS | DNS tunnelling fallback using attacker-controlled domains. (Socket) |
| Impact | T1485 (attack.mitre.org) | Data Destruction | Dormant dead-switch wiping routine when propagation/exfil conditions fail. (Socket) |
8. Mitigation Recommendations
8.1 Hardening and best practices
- Dependency controls: enforce lockfile integrity, require review for new dependencies, and monitor for typosquats of high-download packages.
- CI guardrails: restrict which workflows can access secrets; separate “untrusted” PR workflows from trusted workflows; and treat workflow file changes as high-risk code changes.
- Secrets minimisation: reduce long-lived tokens in CI; rotate credentials quickly after suspicious dependency execution.
- Developer AI controls: audit MCP configurations centrally where possible, and monitor for unauthorised MCP server registrations or new
mcpServersentries. (Socket)
8.2 Patch management advice
No patch is applicable. Prioritisation should be risk-based:
- Immediate: remove malicious packages and rotate secrets for any environment where they executed. (Socket)
- Urgent: review GitHub Actions workflows for injection and token misuse. (Socket)
- Near-term: implement build and dependency admission controls to prevent re-introduction via typosquats.
9. Historical Context & Related Vulnerabilities
9.1 Related incidents in the npm ecosystem
- Shai-Hulud (Sept 2025): 180+ packages hit, automated propagation through stolen tokens and workflow abuse. (SecurityWeek)
- Shai-Hulud (Nov 2025): ~640 packages in a later wave, including destructive capability. (SecurityWeek)
These incidents illustrate an ongoing trend: wormable supply-chain malware that converts developer identity and CI trust into an amplification mechanism.
10. Future Outlook
10.1 Emerging trends
SANDWORM_MODE highlights a fast-moving shift towards attacking the AI-assisted development layer (MCP servers, assistant configuration files, prompt injection embedded in tool metadata) as a practical secret-exfiltration and persistence mechanism on developer machines. (Socket)
10.2 Likely evolution
Expect follow-on campaigns to:
- Expand typosquat coverage around AI agents and developer productivity tooling.
- Iterate on polymorphism and evasion (Socket notes dormant local-LLM-based rewrite capability, suggesting planned evolution). (Socket)
- Increase exploitation of CI identity and automation paths (GitHub Actions, reusable workflows, third-party Actions supply chains).
11. Further Reading
- Socket Research analysis of SANDWORM_MODE (primary technical write-up, IOCs, mitigations). (Socket)
- Endor Labs technical teardown of SANDWORM_MODE (execution flow, DNS tunnelling details, IoCs). (endorlabs.com)
- SecurityWeek coverage of SANDWORM_MODE campaign context and high-level behaviour. (SecurityWeek)
- SecurityWeek coverage of Shai-Hulud (Sept 2025) for historical comparison. (SecurityWeek)
- SecurityWeek coverage of Shai-Hulud (Nov 2025) for later-wave destructive features. (SecurityWeek)
- MITRE ATT&CK technique references used in this report (Supply Chain Compromise, JavaScript execution, DNS, exfiltration to code repositories). (attack.mitre.org)