Malicious npm Packages Harvest Crypto Keys, CI Secrets, and API Tokens

Source: The Hacker News

Overview

Cybersecurity researchers have disclosed an active “Shai‑Hulud‑like” supply‑chain worm campaign that leverages a cluster of at least 19 malicious npm packages to harvest credentials and cryptocurrency keys.

The campaign is codenamed SANDWORM_MODE by supply‑chain security company Socket. As with prior Shai‑Hulud attack waves, the malicious code embedded in the packages can:

• siphon system information, access tokens, environment secrets, and API keys from developer environments
• automatically propagate by abusing stolen npm and GitHub identities

“The sample retains Shai‑Hulud hallmarks and adds GitHub API exfiltration with DNS fallback, hook‑based persistence, SSH propagation fallback, MCP server injection with embedded prompt injection targeting AI coding assistants, and LLM API‑key harvesting,” Socket said. (source)

Malicious Packages

The packages were published to npm by two publisher aliases: official334 and javaorg.

Sleeper Packages

Four additional packages were identified that do not contain malicious code:

• ethres
• iru-caches
• iruchache
• uudi

Additional Malware Capabilities

• Weaponised GitHub Action – harvests CI/CD secrets and exfiltrates them via HTTPS with DNS fallback.

• Destructive “kill‑switch” routine – wipes the user’s home directory if the malware loses access to GitHub and npm (off by default).

• McpInject module – targets AI coding assistants by deploying a malicious Model Context Protocol (MCP) server and injecting it into tool configurations. The MCP server masquerades as a legitimate provider and registers three seemingly harmless tools, each embedding a prompt‑injection that reads:

  • ~/.ssh/id_rsa
  • ~/.ssh/id_ed25519
  • ~/.aws/credentials
  • ~/.npmrc
  • .env

  The module targets Claude Code, Claude Desktop, Cursor, Microsoft Visual Studio Code (VS Code) Continue, and Windsurf and harvests API keys for nine LLM providers: Anthropic, Cohere, Fireworks AI, Google, Grok, Mistral, OpenAI, Replicate, Together.

• Polymorphic engine – can call a local Ollama instance with the DeepSeek Coder model to rename variables, rewrite control flow, insert junk code, and encode strings for evasion. (Currently disabled in the detected packages, but indicates future intent.)

• Two‑stage attack chain

  1. First stage – captures credentials and cryptocurrency keys.
  2. Second stage – after a 48‑hour delay (plus up to an additional 48‑hour jitter per machine), performs deeper credential harvesting from password managers, worm‑like propagation, MCP injection, and full exfiltration.

Recommendations

1. Immediately uninstall any of the listed malicious packages.
2. Rotate all npm, GitHub, and CI/CD tokens and secrets.
3. Audit package.json, lockfiles, and any .github/workflows/ files for unexpected changes.
4. Review system directories for the presence of the weaponised GitHub Action and the MCP server files.

“Several feature flags and guardrails still suggest the threat actor is iterating on capabilities (for example, toggles that disable destructive routines or polymorphic rewriting in some builds),” Socket noted. “However, the same worm code appearing across multiple typosquatting packages and publisher aliases indicates intentional distribution rather than an accidental release.”

“The destructive and propagation behaviors remain real and high‑risk, and defenders should treat these packages as active compromise risks rather than benign test artifacts.”

Related Findings

• Veracode disclosed a malicious npm package hidden in plain pixels.
• JFrog detailed a three‑stage malicious npm package.

Both reports describe additional npm‑based supply‑chain threats (e.g., “buildrunner‑dev” and “eslint‑verify‑plugin”) that complement the SANDWORM_MODE campaign.

Prepared by Socket’s supply‑chain security team.

Threat Overview

A remote‑access trojan (RAT) targeting Windows, macOS, and Linux systems has been identified. The .NET malware deployed by buildrunner‑dev is Pulsar RAT, an open‑source RAT delivered via a PNG image hosted on i.ibb.co.

Eslint‑verify‑plugin “masquerades as a legitimate ESLint utility while deploying a sophisticated, multi‑stage infection chain targeting macOS and Linux environments,” JFrog said.

• Linux – The package deploys a Poseidon agent for the Mythic C2 framework. It enables a wide range of post‑exploitation capabilities, including file operations, credential harvesting, and lateral movement.
• macOS – The infection sequence executes Apfell, a JavaScript for Automation (JXA) agent that conducts extensive data collection and creates a new macOS user with admin privileges.

Data Stolen by the Agent

• System information
• System credentials via a fake password dialog
• Google Chrome bookmarks
• Clipboard contents
• Files associated with iCloud Keychain and Chrome (cookies, login data, bookmarks)
• Screenshots
• File metadata

“The eslint‑verify‑plugin package is a direct example of how a malicious npm package can escalate from a simple installation hook to a full‑system compromise,” JFrog explained. “By masquerading as a legitimate utility, the attackers successfully concealed a multi‑stage infection chain.”

The findings echo a report from Checkmarx, which flagged a rogue VS Code extension named “solid281.” The extension impersonates the official Solidity extension but contains covert functionality that automatically executes a heavily obfuscated loader on application startup and drops:

• ScreenConnect on Windows
• A Python reverse shell on macOS and Linux

“This mirrors broader patterns reported by other teams: Solidity developers appear to be targeted specifically, including campaigns that used fake Solidity extensions to install ScreenConnect and then deploy follow‑on payloads,” Checkmarx noted.

Stay Informed

Found this article interesting? Follow us for more exclusive content:

• Google News
• Twitter
• LinkedIn