New NPM Worm Threat Targets CI Pipelines and AI Tools
154A dangerous new malware campaign has emerged in the software world, targeting developers, CI pipelines, and AI coding platforms. This attack uses a large-scale supply chain worm that spreads through malicious npm packages. Researchers have identified it as a serious threat, calling it SANDWORM_MODE, named after environment variables embedded in its code. The malware is designed to burrow deep into developer environments and expand its reach rapidly.
How the Attack Begins with Typosquatting
The campaign kicks off with typosquatting, where attackers create fake packages that look very similar to popular ones. These packages often have misspelled names or tiny variations, making it easy for developers or AI tools to accidentally install them. The malicious packages impersonate well-known developer utilities and AI tools that are seeing increased adoption. For example, some packages mimic popular AI assistants, including one that resembles Claude Code, and another that targets OpenClaw, a viral AI agent with over 210,000 stars on GitHub.
Once a developer or AI system installs one of these fake packages, the malware activates. It then searches the environment for sensitive information like npm tokens, GitHub access keys, cloud secrets, and other credentials. With these secrets in hand, the malware can push malicious changes into code repositories or inject harmful dependencies. This process helps the attack spread further across multiple projects and systems, creating a large infection footprint.
The Multi-Stage Payload and Its Capabilities
The infected packages execute a complex, multi-step payload. After installation, they perform secret harvesting and then use stolen tokens to modify other repositories or workflows. The malware also deploys a weaponized GitHub Action, which can run during CI builds. This action can extract secrets during the build process, making it easier for attackers to expand their control over multiple projects and pipelines.
One particularly alarming feature is a “dead switch” mechanism modeled after the giant sandworms from science fiction. This switch remains inactive most of the time but can wipe the attacker’s home directory if the malware detects it has been compromised or if certain conditions are met. This safety feature is unusual and suggests the malware authors are planning for controlled shutdowns or are wary of detection.
Security experts warn that this campaign is both active and high risk. They advise developers and organizations to treat these fake packages as serious threats. Removing or avoiding these typosquatted packages is critical to prevent infection and data theft. The malware’s ability to compromise both local environments and CI pipelines makes it especially dangerous in today’s fast-paced development landscape.
Targeting AI Development and Data Exfiltration
The attack is notable for its focus on AI development tools. Researchers flagged it because of its specific targeting of AI coding assistants. The malware injects a malicious Model Context Protocol (MCP) server into the configuration files of popular AI tools. This makes the AI environment trust the attacker’s server as a legitimate component.
Once embedded, the malware can perform prompt-injection attacks. This tricks the AI into revealing sensitive local data, like SSH keys or cloud credentials, which are then secretly sent back to the attackers. This method allows the malware to quietly gather vital secrets from AI developers and pass them on without raising suspicion. The campaign demonstrates a clear focus on exploiting AI tools, which are increasingly vital in modern software development.
Overall, this new npm worm highlights the growing risks in software supply chains. It emphasizes the need for vigilance when installing packages, especially those with similar names to popular tools. Developers should double-check package sources and be cautious of dependencies that may look suspicious. As AI tools become more integrated into development workflows, attackers are likely to increase efforts to exploit them. Staying aware and proactive is essential to defending against these emerging threats.
What do you think?
It is nice to know your opinion. Leave a comment.