A self-replicating npm worm dubbed SANDWORM_MODE hits 19+ packages, harvesting private keys, BIP39 mnemonics, wallet files and LLM API keys from dev environments.
A live npm supply chain attack is sweeping developer environments right now. Socket's Threat Research Team uncovered what it tracks as SANDWORM_MODE, a self-replicating worm spread across at least 19 malicious npm packages tied to two publisher aliases. As SocketSecurity flagged on X, this is an active supply chain attack stealing dev and CI secrets, injecting GitHub workflows, poisoning AI toolchains and harvesting LLM API keys.
The campaign borrows directly from the Shai-Hulud worm family. Private keys go first. No time gate, no delay. Crypto artifacts found on import get exfiltrated immediately by a dedicated drain endpoint before any other payload stage fires.
How This Worm Reaches Your Private Keys First
The worm runs a two-stage design. Stage 1 fires immediately on import, collecting npm tokens, GitHub tokens, environment secrets, and crypto keys by file reads only. No shell execution, no noise. BIP39 mnemonics, Ethereum private keys, Solana byte arrays, Bitcoin WIF keys and xprv strings all get swept in the first pass.
Crypto keys leave the machine immediately via HTTPS POST to a Cloudflare Worker at pkg-metrics[.]official334[.]workers[.]dev/drain. That happens before any time gate check. Before Stage 2 even loads.
Stage 2 sits behind a 48-hour delay, derived from an MD5 hash of hostname and username. It goes deeper: password managers via the Bitwarden, 1Password and LastPass CLIs, local SQLite stores including Apple Notes and macOS Messages, and a full filesystem scan for wallet files. In CI environments, that gate disappears entirely. The full payload fires on GITHUB_ACTIONS, GITLAB_CI, CIRCLECI, JENKINS_URL and BUILDKITE without waiting at all.
According to SocketSecurity on X, the worm also injects GitHub workflows and poisons AI toolchains, details confirmed in Socket's full technical disclosure.
AI Coding Tools Got Hit Too, Badly
Three packages impersonate Claude Code. One targets OpenClaw, an AI agent that passed 210,000 stars on GitHub. The worm's McpInject module deploys a rogue MCP server into Claude Code, Claude Desktop, Cursor, VS Code Continue, and Windsurf configs on disk. Each gets a fake tool entry pointing to a hidden, malicious server.
That server carries an embedded prompt injection telling AI assistants to silently read SSH keys, AWS credentials, npm tokens and environment secrets before every tool call. The model never tells the user. The injection explicitly blocks it from doing so.
Nine LLM providers get targeted for API key harvesting: OpenAI, Anthropic, Google, Groq, Together, Fireworks, Replicate, Mistral and Cohere. Keys are pulled from environment variables and .env files and validated against known format patterns before exfiltration.
The exfiltration runs three channels in cascade. HTTPS to the Cloudflare Worker first, then authenticated GitHub API uploads to private repositories using double-base64 encoding, then DNS tunneling via base32-encoded queries to freefan[.]net and fanfree[.]net. A domain generation algorithm seeded by "sw2025" provides fallback across ten TLDs if all else fails.
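A detection sketch for the DNS channel described above, added here as an example and not taken from Socket's disclosure. The log line format, the 16-character label floor and the sample records are assumptions; the two domains are the ones named in the article.

```python
import base64
import re
from collections import defaultdict

# Exfil domains named in the article, kept defanged in source and refanged at runtime.
TUNNEL_DOMAINS = tuple(d.replace("[.]", ".") for d in ("freefan[.]net", "fanfree[.]net"))
# A full label of 16-63 lowercase base32 characters; the 16-char floor is an assumption.
BASE32_LABEL = re.compile(r"[a-z2-7]{16,63}")

def classify(qname):
    """Return (verdict, domain, encoded_chars) for names under a listed domain, else None."""
    name = qname.rstrip(".").lower()
    for dom in TUNNEL_DOMAINS:
        if name == dom or name.endswith("." + dom):
            labels = name[: -len(dom)].strip(".").split(".")
            encoded = [lab for lab in labels if BASE32_LABEL.fullmatch(lab)]
            return ("tunnel" if encoded else "contact"), dom, sum(map(len, encoded))
    return None

def scan(lines):
    """Aggregate hits per client from 'timestamp client qname qtype' lines (assumed format)."""
    hits = defaultdict(lambda: {"tunnel": 0, "contact": 0, "chars": 0})
    for line in lines:
        parts = line.split()
        result = classify(parts[2]) if len(parts) >= 3 else None
        if result:
            verdict, _dom, chars = result
            hits[parts[1]][verdict] += 1
            hits[parts[1]]["chars"] += chars
    return dict(hits)

def _b32(data):
    """Build a constructed base32 label (lowercased, padding stripped: an assumption)."""
    return base64.b32encode(data).decode().rstrip("=").lower()

# Constructed sample log; clients, timestamps and payload bytes are made up.
SAMPLE_LOG = [
    f"2025-01-01T10:00:00Z 10.0.0.5 {_b32(b'constructed-sample-1')}.{TUNNEL_DOMAINS[0]}. TXT",
    f"2025-01-01T10:00:01Z 10.0.0.5 {_b32(b'constructed-sample-2')}.{TUNNEL_DOMAINS[1]}. TXT",
    f"2025-01-01T10:00:02Z 10.0.0.7 www.{TUNNEL_DOMAINS[1]}. A",
    "2025-01-01T10:00:03Z 10.0.0.9 registry.npmjs.org. A",
    "2025-01-01T10:00:04Z 10.0.0.9 notfreefan.net. A",
]

if __name__ == "__main__":
    for client, stats in scan(SAMPLE_LOG).items():
        print(client, stats)
```

Any lookup under either domain is worth triage; the "tunnel" verdict and the encoded character count help rank which hosts sent data rather than only resolving the name.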
The two publisher aliases behind the campaign are official334 and javaorg. The 19 confirmed malicious packages include [email protected], [email protected], [email protected], [email protected], [email protected] and [email protected] among others. Four additional sleeper packages (ethres, iru-caches, iruchache, and uudi) show no malicious payload yet.
npm has removed the malicious packages. GitHub took down the threat actor infrastructure. Cloudflare pulled the workers. But defenders need to act now, regardless.
If any of these packages ran in your environment, treat that machine as compromised. Rotate npm and GitHub tokens, rotate all CI secrets, and audit .github/workflows/ for pull_request_target additions that serialize ${{ toJSON(secrets) }}. Check the global git hook template setting by running git config --global init.templateDir. Review AI assistant configs for unexpected mcpServers entries. A dormant polymorphic engine using deepseek-coder:6.7b is embedded in the worm and toggled off in this build, meaning a future variant could rewrite itself to evade detection.
A dead switch also sits in the code. Disabled now. When triggered, it runs find ~ -type f -writable and shreds every writable file in the home directory. The operator is still iterating.
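The workflow, git template and mcpServers checks from the response steps above, scripted as an added example (not Socket's tooling or code from the original article). The two config paths in the main block are assumed locations and the allowlist is yours to supply.

```python
import json
import re
import subprocess
from pathlib import Path

# Matches ${{ toJSON(secrets) }} with arbitrary inner whitespace.
SECRETS_DUMP = re.compile(r"\$\{\{\s*toJSON\(\s*secrets\s*\)\s*\}\}", re.IGNORECASE)

def audit_workflows(repo):
    """Return (file, kind, uses_pull_request_target) for workflows that need review."""
    findings = []
    for wf in sorted((Path(repo) / ".github" / "workflows").glob("*.y*ml")):
        text = wf.read_text(errors="replace")
        dumps = bool(SECRETS_DUMP.search(text))
        prt = "pull_request_target" in text
        if dumps or prt:
            findings.append((wf.name, "secrets-dump" if dumps else "review-trigger", prt))
    return findings

def git_template_dir():
    """Return the global init.templateDir, or None if unset or git is unavailable."""
    try:
        out = subprocess.run(["git", "config", "--global", "--get", "init.templateDir"],
                             capture_output=True, text=True, timeout=10).stdout.strip()
    except (OSError, subprocess.SubprocessError):
        return None
    return out or None

def unexpected_mcp_servers(config_path, allowed):
    """List (name, command) for mcpServers entries whose names are not in `allowed`."""
    try:
        cfg = json.loads(Path(config_path).read_text(errors="replace"))
    except (OSError, ValueError):
        return []
    servers = cfg.get("mcpServers", {}) if isinstance(cfg, dict) else {}
    if not isinstance(servers, dict):
        return []
    return [(name, spec.get("command") if isinstance(spec, dict) else None)
            for name, spec in sorted(servers.items()) if name not in allowed]

if __name__ == "__main__":
    print("workflows:", audit_workflows("."))
    print("init.templateDir:", git_template_dir())
    # Assumed config locations; adjust to where your assistants keep MCP settings.
    for p in (Path.home() / ".claude.json", Path.home() / ".cursor" / "mcp.json"):
        print(p, unexpected_mcp_servers(p, allowed=set()))
```

A non-empty init.templateDir is not malicious by itself; inspect the hooks directory it points to and compare against what your team set up.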
