A Looming Threat: The SANDWORM_MODE NPM Worm Targets Developer Environments
In the ever-evolving landscape of cybersecurity, a new threat has emerged that demands immediate attention from developers. Known as SANDWORM_MODE, this self-replicating npm worm has been found in over 19 malicious npm packages linked to two publisher aliases. Discovered by Socket’s Threat Research Team, this live npm supply chain attack poses serious risks, harvesting sensitive information such as private keys, BIP39 mnemonics, wallet files, and LLM API keys from developer environments.
Understanding the SANDWORM_MODE Attack
At the heart of this campaign is a daunting strategy that mirrors the tactics of the infamous Shai-Hulud worm family. The infection begins rapidly, primarily targeting private keys with no delay or time gate, which is an alarming point. As soon as any affected package is imported, the malicious payload springs into action, aggressively exfiltrating essential crypto artifacts through a designated drain endpoint before any other malicious stage runs.
The initial exfiltration targets include npm tokens, GitHub tokens, and various crypto keys, including Ethereum private keys and Bitcoin WIF strings. The urgency to harvest these assets indicates a sophisticated understanding of developer workflows and security practices.
The Two-Stage Payload Structure
The SANDWORM_MODE worm employs a two-stage approach to maximize its impact. In Stage 1, the worm acts silently and stealthily, executing file reads to pull in valuable tokens and keys without triggering any alarming signals to the developer or CI environment.
Immediately after they are collected, these secrets are transmitted through HTTPS POST requests to a malicious Cloudflare Worker endpoint, specifically pkg-metrics[.]official334[.]workers[.]dev. The swift and immediate exfiltration ensures that developers remain unaware of the breach until it’s too late.
In Stage 2, a 48-hour delay is implemented based on an MD5 hash of the hostname and username, allowing the worm to deepen its attack mechanism. It searches for passwords stored in popular password managers (like Bitwarden, 1Password, and LastPass) and scans local directories for wallet files. Interestingly, in CI environments, this delay is non-existent, meaning all payloads are activated without pause.
Targeting AI Tools: A Double-Edged Sword
The implications of this worm extend beyond just stealing private keys and tokens. The malicious payload actively targets AI coding tools, with specific focus on three packages that masquerade as Claude Code and another targeting the highly-rated OpenClaw AI agent. The worm’s McpInject module installs a fake MCP (Managed Communication Provider) server, subtly compromising various configurations for AI applications like Claude Desktop and VS Code.
What makes this particularly concerning is that the worm doesn’t merely infiltrate; it embeds itself within the workflow of AI tools. Each time an AI tool is activated, it may inadvertently expose SSH keys, AWS credentials, npm tokens, and environment secrets—all without the user’s knowledge. The prompt injection feature specifically ensures that AI models do not disclose any compromised information to users, adding a layer of obfuscation to the attack.
API Key Harvesting and Data Exfiltration Channels
As if this weren’t enough, SANDWORM_MODE sets its sights on nine prominent LLM (Large Language Model) providers for API key harvesting. These include platforms like OpenAI, Anthropic, and Google. The keys are extracted from environment variables and .env files, utilizing format patterns for validation.
The exfiltration process is multi-layered and sophisticated. Initially, keys are sent via HTTPS to the Cloudflare Worker; if that fails, further attempts involve authenticated uploads to private GitHub repositories, encoding data in double-base64 to avoid detection. Additionally, the worm can resort to DNS tunneling through queries to domains like freefan[.]net, ensuring a fallback mechanism is always in place.
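The following detection sketch covers the channels described above. It is an added example, not code from the article or from Socket: the log line format, the 30-character label threshold for DNS tunnelling and the sample lines are assumptions, while the two indicators are the ones named on this page.

```javascript
// Added example, not from the article. Indicators are kept defanged as printed.
const IOC_DOMAINS = ['pkg-metrics[.]official334[.]workers[.]dev', 'freefan[.]net']
  .map((d) => d.replace(/\[\.\]/g, '.'));

const normalise = (host) => host.toLowerCase().replace(/\.$/, '');

// Returns the indicator that host equals or is a subdomain of, else null.
function matchIoc(host) {
  const h = normalise(host);
  return IOC_DOMAINS.find((d) => h === d || h.endsWith('.' + d)) || null;
}

// Heuristic (assumption): tunnelled data appears as long labels left of the domain.
function looksTunnelled(host, ioc) {
  const sub = normalise(host).slice(0, -(ioc.length + 1));
  return sub.split('.').some((label) => label.length >= 30);
}

// Assumed log format: "<ISO time> <client> <DNS|HTTPS> <hostname>".
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const [time, client, proto, host] = line.trim().split(/\s+/);
    const ioc = host ? matchIoc(host) : null;
    if (ioc) hits.push({ time, client, proto, host, ioc, tunnel: looksTunnelled(host, ioc) });
  }
  return hits;
}

// Strict base64 decode; null if the text is not well-formed base64.
function decodeB64(text) {
  const t = text.replace(/\s+/g, '');
  if (t.length < 8 || t.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(t)) return null;
  return Buffer.from(t, 'base64').toString('latin1');
}

// True when content is base64 whose decoded form is itself base64.
function isDoubleBase64(text) {
  const once = decodeB64(text);
  return once !== null && decodeB64(once) !== null;
}

// Constructed sample log lines (not real telemetry).
const SAMPLE_LOG = [
  '2025-01-01T10:00:00Z 10.0.0.5 HTTPS registry.npmjs.org',
  '2025-01-01T10:00:01Z 10.0.0.5 HTTPS ' + IOC_DOMAINS[0],
  '2025-01-01T10:00:02Z 10.0.0.5 DNS ' + 'a'.repeat(40) + '.' + IOC_DOMAINS[1] + '.',
  '2025-01-01T10:00:03Z 10.0.0.7 DNS not' + IOC_DOMAINS[1],
];
console.log(scanLog(SAMPLE_LOG));
```

Run `isDoubleBase64` over file contents in any repository you do not recognise on an affected account; a hit is a reason to look closer, not proof of exfiltration.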
The Threat Landscape and Remediation Steps
The two main aliases behind the SANDWORM_MODE campaign can be identified as official334 and javaorg. The affected packages include suport-color@1.0.1 and claud-code@0.2.1. While npm has successfully removed these malicious packages, the impact remains significant.
For developers who may have crossed paths with these packages, immediate action is necessary. Treat any affected machine as compromised and execute a full rotation of npm and GitHub tokens. Moreover, scrutinizing your CI secrets and auditing GitHub workflows for any unexpected pull_request_target entries becomes paramount.
Be vigilant: check your global git hook settings and review configurations of AI assistants for any anomalies. A dormant polymorphic engine embedded in the worm raises the stakes—especially as it may adapt in future variants to evade detection.
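The checks above can be scripted. The following is an added example, not code from the article, Socket or npm: it covers only the two package names given on this page, assumes the assistant configuration is JSON with an `mcpServers` object (as Claude Desktop uses), and the server names and sample inputs are constructed.

```javascript
// Added example, not from the article. Only the two packages the article
// names are listed; the campaign covers more than these.
const AFFECTED = new Map([['suport-color', '1.0.1'], ['claud-code', '0.2.1']]);

// package-lock.json (lockfileVersion 2/3): keys look like "node_modules/<name>".
function findAffectedPackages(lockJson) {
  const pkgs = JSON.parse(lockJson).packages || {};
  return Object.entries(pkgs)
    .map(([path, meta]) => ({ path, name: path.split('node_modules/').pop(), version: meta.version }))
    .filter((p) => AFFECTED.has(p.name))
    .map((p) => ({ ...p, listedVersion: AFFECTED.get(p.name) === p.version }));
}

// 1-based line numbers where a workflow uses pull_request_target (comments ignored).
function findPullRequestTarget(yaml) {
  return yaml.split('\n')
    .map((line, i) => [i + 1, line.replace(/#.*$/, '')])
    .filter(([, text]) => /\bpull_request_target\b/.test(text))
    .map(([n]) => n);
}

// Input: output of `git config --global --list`. Both settings redirect hooks.
function findGlobalHookSettings(gitConfigList) {
  const watched = new Set(['core.hookspath', 'init.templatedir']);
  return gitConfigList.split('\n')
    .map((l) => {
      const eq = l.indexOf('=');
      return { key: l.slice(0, eq).trim().toLowerCase(), value: l.slice(eq + 1).trim() };
    })
    .filter(({ key }) => watched.has(key));
}

// Assumption: config is JSON with an "mcpServers" object; allowlist holds the
// server names you installed yourself.
function findUnknownMcpServers(configJson, allowlist) {
  const servers = JSON.parse(configJson).mcpServers || {};
  return Object.keys(servers).filter((name) => !allowlist.includes(name));
}

// Constructed samples (hypothetical project, paths and server names).
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/chalk': { version: '5.3.0' },
  'node_modules/suport-color': { version: '1.0.1' },
} });
const SAMPLE_WORKFLOW = 'name: ci\non:\n  push:\n  pull_request_target:\n# pull_request_target in a comment\njobs: {}\n';
const SAMPLE_GITCONFIG = 'user.name=Dev\ncore.hookspath=/home/dev/.git-hooks\n';
const SAMPLE_MCP = JSON.stringify({ mcpServers: { filesystem: { command: 'npx' }, 'dev-utils': { command: 'node' } } });
console.log(findAffectedPackages(SAMPLE_LOCK), findPullRequestTarget(SAMPLE_WORKFLOW));
```

A hit from `findGlobalHookSettings` or `findUnknownMcpServers` is only a lead: confirm whether you set the value yourself before removing it.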
A Potential Future Threat
It’s critical to note that a dead switch is ingrained within the worm’s code, currently disabled but capable of triggering an aggressive self-destruction mechanism. Should this be activated, the worm can obliterate any writable files in the home directory, indicating that the operator behind SANDWORM_MODE is continuously refining their tactics and tools.
With this subtle yet sweeping attack, developers must adopt a proactive stance in safeguarding their environments. The evolution of such threats underlines the need for robust security measures and constant vigilance within the development community.