Researchers discovered a Shai-Hulud-like npm supply chain attack called SANDWORM_MODE that injects a malicious MCP server and targets LLM API keys along with other secrets, Socket reported Friday.The info-stealing worm is spread through 19 typosquatted npm packages including [email protected], [email protected] and [email protected] all published by two users, official334 and javaorg.The malware attacks in two stages, the first of which quickly harvests npm tokens, GitHub tokens and crypto keys and exfiltrates them via HTTP POST request to a Cloudflare Worker.The second stage is timed to deploy between 48 to 96 hours after the first stage, but deploys immediately if it detects a continuous integration (CI) environment. This second stage targets a wider range of data from password managers, local SQLite stores and files, including additional crypto details and LLM API keys from nine AI services.
Like the original Shai-Hulud worm, SANDWORM_MODE self-propagates by leveraging harvested npm and GitHub tokens to publish the malicious package through victims’ npm accounts or inject itself into the victim’s GitHub repos.However, Socket could not determine whether SANDWORM_MODE was produced by the same threat actors as Shai-Hulud or whether it was the result of a copycat.
While both attacks target developers and CI environments, included “sandworm” motifs and leveraged the open-source ecosystem for self-propagation, SANDWORM_MODE used distinct obfuscation techniques and git hook-based persistence mechanisms, and targets a wider range of data sources for theft.Additionally, SANDWORM_MODE also uniquely injects a malicious MCP server during Stage 2 of the attack including a prompt injection designed to manipulate AI agents into silently exfiltrating credentials.
MCP injection targets AI coding assistants
The “McpInject” module exported by the SANDWORM_MODE payload first writes the malicious MPC server to a hidden directory with a randomly generated name based on developer-related word pools (ex. dev-utils), Socket described.It then registers three tools — index_project, lint_check and scan_depencies — over the MCP JSON-RPC protocol, which contain a prompt injection in their descriptions. The injection instructs the AI assistant to collect certain sensitive environment variables, project configuration files and credential files, including .ssh/id_rsa, .ssh/id_ed25519, .aws/credentials and /.npmrc and store them in the “context” parameter of a JSON object. These details are later exfiltrated along with the other information harvested by the malware.After initial staging in the hidden directory, the malicious MCP server is injected into any of the following AI coding assistants found on the victim’s disk: Claude Code, Claude Desktop, Cursor, VS Code Continue and Windsurf/Codeium.The McpInject module is also the component that collects the LLM API keys from environment variables and .env files, including keys from OpenAI, Anthropic, Google, Groq, Together, Fireworks, Replicate, Mistral and Cohere, Socket said.The Socket Research Team noted that SANDWORM_MODE is likely still being tested and developed by the threat actors, based on the presence of a dormant polymorphic engine that attempts to use local Ollama instances to transform its code but is fully disabled in the observed samples.Additionally, a related malicious GitHub action, ci-quality/code-quality-check, published by the same threat actor on Feb. 17, 2026, includes extensive comments revealing its malicious intent as well as commented-out destructive routines, suggesting it “may not have been intended for public release yet,” the Socket researchers said.Socket reached out to Cloudflare, npm and GitHub regarding the campaign, with Cloudflare quickly removing the malicious workers, and the threat actors’ npm profiles, along with their published packages, appeared to have been removed from npm as of Monday afternoon. The malicious GitHub Action has also been removed.Socket recommended developers who have installed these malicious packages remove them, delete node_modules/ and rotate all npm, GitHub and CI secrets. They also recommend reviewing recent changes to package.json, lockfiles, .github/workflows/ and AI assistant configurations, and audit global git hook templates and hook directories for persistence artifacts.“Restrict CI workflows that can publish and access secrets, prefer OIDC/trusted publishing over long-lived tokens, and require review for CI/workflow and dependency changes. Minimize secrets in CI, and monitor for anomalous publishing or repo write activity,” Socket further recommended.
