Cybersecurity

Cyber: Malicious Npm Packages Harvest Crypto Keys, Ci Secrets, And API Tokens

2026-02-23 0 views admin
Cyber: Malicious Npm Packages Harvest Crypto Keys, Ci Secrets, And API Tokens

Cybersecurity researchers have disclosed what they say is an active "Shai-Hulud-like" supply chain worm campaign that has leveraged a cluster of at least 19 malicious npm packages to enable credential harvesting and cryptocurrency key theft.

The campaign has been codenamed SANDWORM_MODE by supply chain security company Socket. As with prior Shai-Hulud attack waves, the malicious code embedded into the packages comes with capabilities to siphon system information, access tokens, environment secrets, and API keys from developer environments and automatically propagate by abusing stolen npm and GitHub identities to extend its reach.

"The sample retains Shai-Hulud hallmarks and adds GitHub API exfiltration with DNS fallback, hook-based persistence, SSH propagation fallback, MCP server injection with embedded prompt injection targeting AI coding assistants, and LLM API Key harvesting," the company said.

The packages, published to npm by two npm publisher aliases, official334 and javaorg, are listed below -

Also identified are four sleeper packages that do not incorporate any malicious features -

The packages go beyond npm-based propagation by including a weaponized GitHub Action that harvests CI/CD secrets and exfiltrates them via HTTPS with DNS fallback. They also feature a destructive routine that acts as a kill switch by triggering home directory wiping should it lose access to GitHub and npm. The wiper functionality is currently off by default.

Another significant component of the malware is an "McpInject" module that specifically targets AI coding assistants by deploying a malicious model context protocol (MCP) server and injecting it into their tool configurations. The MCP server masquerades as a legitimate tool provider and registers three seemingly-harmless tools, each of which embeds a prompt injection to read the contents of ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.aws/credentials, ~/.npmrc, and .env files, stage them in a local directory for later exfiltration.

The module targets Claude Code, Claude Desktop, Cursor, Microsoft Visual Studio Code (VS Code) Continue, and Windsurf. It also harvests API keys for nine large language models (LLM) providers: Anthropic, Cohere, Fireworks AI, Google, Grok, Mistral, OpenAI, Replicate, and Together.

What's more, the payload contains a polymorphic engine that's configured to call a local Ollama instance with the DeepSeek Coder model to rename variables, rewrite control flow, insert junk code, and encode strin

Source: The Hacker News

🏷️ Tags

cybersecuritysecuritymalwareattack

More from Cybersecurity

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

2026-02-24 0
Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

2026-02-24 0
Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

2026-02-24 0
Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

2026-02-24 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views