The Scourge of Malicious npm Packages: Exposing Threats to Crypto, CI, and API Security

  • Feb 23

Key Findings:


  • Researchers at Socket have disclosed an active "Shai-Hulud-like" supply chain worm campaign built on a cluster of at least 19 malicious npm packages.

  • The malicious code embedded into the packages comes with capabilities to siphon system information, access tokens, environment secrets, and API keys from developer environments.

  • The packages also include a weaponized GitHub Action that harvests CI/CD secrets and exfiltrates them, as well as a "McpInject" module that targets AI coding assistants.

  • The payload contains a polymorphic engine that can rename variables, rewrite control flow, insert junk code, and encode strings to evade detection.

  • Users who have installed any of the affected packages are advised to remove them, rotate npm/GitHub tokens and CI secrets, and review their package.json, lockfiles, and .github/workflows/ for any unexpected changes.


Background


The malicious packages, published from the npm accounts "official334" and "javaorg", are built for credential harvesting and cryptocurrency key theft. Socket, the supply chain security company that analysed them, has codenamed the campaign "SANDWORM_MODE".


The packages go beyond npm-based propagation: they ship a weaponized GitHub Action that harvests CI/CD secrets and exfiltrates them over HTTPS, falling back to DNS if HTTPS is blocked. They also carry a destructive routine that acts as a kill switch, wiping the user's home directory if the malware loses access to both GitHub and npm.


Another significant component is the "McpInject" module, which targets AI coding assistants by deploying a malicious Model Context Protocol (MCP) server and injecting it into the assistants' tool configurations. The MCP server masquerades as a legitimate tool provider and registers three seemingly harmless tools, each of whose definitions embeds a prompt injection that directs the assistant to read sensitive files.
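Because the injection works by adding an entry to the assistant's MCP configuration, the practical check is to diff that configuration against what the team knowingly set up. The script below is an added example, not code from the original post or from Socket's report: it parses the "mcpServers" map that Claude Desktop and Cursor use and flags any server that is not on an allowlist, is launched through a general-purpose interpreter, or points at a temp or hidden directory. The sample configuration, the allowlist and the server names in it are constructed for the example, and the default config paths are assumptions about where those assistants keep their settings.

```python
import json
from pathlib import Path

# Constructed sample in the Claude Desktop / Cursor "mcpServers" shape, showing
# what a config might look like after an unwanted server has been added. The
# server names, commands and paths are made up for this example.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {
            "command": "npx",
            "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/dev/projects"],
        },
        "dev-tools": {
            "command": "node",
            "args": ["/tmp/.cache/mcp-helper/index.js"],
        },
    }
})

# Servers the team actually configured (assumption: maintained by the reader).
KNOWN_SERVERS = {"filesystem"}

# Launchers that will run whatever script they are handed; an unlisted server
# started this way deserves a close look.
INTERPRETERS = {"node", "npx", "python", "python3", "sh", "bash", "cmd", "powershell"}


def audit_mcp_config(text: str, known: set[str]) -> list[dict]:
    """Return one finding per MCP server entry that is not on the allowlist."""
    cfg = json.loads(text)
    findings = []
    for name, entry in cfg.get("mcpServers", {}).items():
        if name in known:
            continue
        command = entry.get("command", "")
        args = entry.get("args", [])
        reasons = ["not in allowlist"]
        if Path(command).name in INTERPRETERS:
            reasons.append(f"launched via interpreter {command!r}")
        # A server script under /tmp or inside a hidden directory is typical of
        # something dropped at runtime rather than installed on purpose.
        for a in args:
            if a.startswith("/tmp/") or "/." in a:
                reasons.append(f"suspicious path {a!r}")
                break
        findings.append({"server": name, "command": command, "args": args, "reasons": reasons})
    return findings


# Assumed default locations (macOS Claude Desktop, Linux Claude Desktop, Cursor);
# adjust for your OS and for any other assistant you use.
DEFAULT_PATHS = [
    Path.home() / "Library/Application Support/Claude/claude_desktop_config.json",
    Path.home() / ".config/Claude/claude_desktop_config.json",
    Path.home() / ".cursor/mcp.json",
]


def audit_paths(paths=DEFAULT_PATHS, known=KNOWN_SERVERS) -> dict[str, list[dict]]:
    """Audit every config file that exists on this machine."""
    return {str(p): audit_mcp_config(p.read_text(), known) for p in paths if p.is_file()}


if __name__ == "__main__":
    for finding in audit_mcp_config(SAMPLE_CONFIG, KNOWN_SERVERS):
        print("sample:", finding)
    for path, findings in audit_paths().items():
        print(path, findings or "clean")
```

Run it against the sample and the "dev-tools" entry is reported for all three reasons; run it as-is and it reports on whichever of the assumed config files exist. The allowlist is the important part: a server with an innocuous name and a legitimate-looking command is exactly what the page describes, so the check is "did we add this?", not "does it look malicious?".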


Propagation and Exfiltration Tactics


The attack chain unfolds in two stages: a first-stage component that captures credentials and cryptocurrency keys, and a second stage that performs deeper credential harvesting (including from password managers), worm-like propagation, MCP injection, and full exfiltration.


The second stage does not activate until 48 hours after installation, plus a per-machine random delay of up to 48 additional hours, which is far longer than automated sandbox analysis normally runs. Socket's analysis also indicates the operators are still iterating on the payload's capabilities.


Targets and Potential Impact


The packages target a wide range of developer tools and environments, including Claude Code, Claude Desktop, Cursor, the Continue extension for Microsoft Visual Studio Code (VS Code), and Windsurf. They also harvest API keys for nine large language model (LLM) providers: Anthropic, Cohere, Fireworks AI, Google, xAI (Grok), Mistral, OpenAI, Replicate, and Together.


Even though the operators appear to be still iterating on the payload, its destructive and propagation behaviors are real and high-risk, and defenders should treat these packages as active compromise rather than as benign test artifacts.


Recommendations for Users


Users who have installed any of the affected packages should uninstall them immediately, rotate their npm and GitHub tokens together with every CI secret an affected workflow could reach, and review package.json, lockfiles, and .github/workflows/ for changes they did not make. Because the second stage waits at least 48 hours before running, a host that has not yet shown any exfiltration should still be treated as compromised.
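"Review the lockfile" is easier with a script that pulls out the things worth looking at. The one below is an added example, not code from the original post or from Socket: it reads a package-lock.json (lockfileVersion 2 or 3, which carries a "packages" map keyed by node_modules path) and flags entries that run install or postinstall scripts, resolve outside the trusted registry, or lack an integrity hash; it also diffs two lockfile versions so you can see what an unexpected commit added. The two sample lockfiles and every package name, version and URL in them are constructed for the example and refer to no real package.

```python
import json

# Constructed "before" and "after" lockfiles (lockfileVersion 3 shape).
# All package names, versions and URLs are invented for this example.
SAMPLE_LOCK_BEFORE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"left-align": "^1.0.0"}},
        "node_modules/left-align": {
            "version": "1.0.4",
            "resolved": "https://registry.npmjs.org/left-align/-/left-align-1.0.4.tgz",
            "integrity": "sha512-AAAA",
        },
    },
})

SAMPLE_LOCK_AFTER = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"left-align": "^1.0.0", "tool-kit-x": "^2.1.0"}},
        "node_modules/left-align": {
            "version": "1.0.4",
            "resolved": "https://registry.npmjs.org/left-align/-/left-align-1.0.4.tgz",
            "integrity": "sha512-AAAA",
        },
        "node_modules/tool-kit-x": {
            "version": "2.1.7",
            "resolved": "https://registry.example.net/tool-kit-x/-/tool-kit-x-2.1.7.tgz",
            "integrity": "sha512-BBBB",
            "hasInstallScript": True,
        },
        "node_modules/tool-kit-x/node_modules/helper-pkg": {
            "version": "0.0.3",
            "resolved": "https://registry.npmjs.org/helper-pkg/-/helper-pkg-0.0.3.tgz",
            "hasInstallScript": True,
        },
    },
})

TRUSTED_REGISTRY = "https://registry.npmjs.org/"


def lock_entries(text: str) -> dict[str, dict]:
    """Map node_modules path -> metadata, dropping the root project entry."""
    lock = json.loads(text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("only lockfileVersion 2/3 carries the 'packages' map")
    return {path: meta for path, meta in lock.get("packages", {}).items() if path}


def audit_lockfile(text: str, trusted_registry: str = TRUSTED_REGISTRY) -> list[dict]:
    """Flag entries with lifecycle scripts, off-registry sources, or no integrity hash."""
    findings = []
    for path, meta in lock_entries(text).items():
        name = path.rsplit("node_modules/", 1)[-1]
        reasons = []
        # npm 7+ records hasInstallScript for packages with preinstall/install/postinstall.
        if meta.get("hasInstallScript"):
            reasons.append("runs an install/postinstall script")
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(trusted_registry):
            reasons.append(f"resolved outside trusted registry: {resolved}")
        if not meta.get("integrity"):
            reasons.append("no integrity hash")
        if reasons:
            findings.append({"package": name, "version": meta.get("version"), "reasons": reasons})
    return findings


def lock_diff(old_text: str, new_text: str) -> dict[str, tuple]:
    """Entries added or changed between two lockfiles, as path -> (old_version, new_version)."""
    old = {p: m.get("version") for p, m in lock_entries(old_text).items()}
    new = {p: m.get("version") for p, m in lock_entries(new_text).items()}
    return {p: (old.get(p), v) for p, v in new.items() if old.get(p) != v}


if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK_AFTER):
        print("audit:", f)
    for path, (before, after) in lock_diff(SAMPLE_LOCK_BEFORE, SAMPLE_LOCK_AFTER).items():
        print("changed:", path, before, "->", after)
```

In a real repository, feed lock_diff the lockfile from the last commit you trust (git show <rev>:package-lock.json) and the working-tree copy, and run audit_lockfile on the result. Install scripts are how a package runs code on npm install, so while you investigate, install with npm ci --ignore-scripts to stop any lifecycle hook from firing.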


The disclosure comes as Veracode and JFrog have separately detailed other malicious npm packages designed to deliver remote access trojans (RATs) to Windows, macOS, and Linux systems.


Sources


  • https://thehackernews.com/2026/02/malicious-npm-packages-harvest-crypto.html

  • https://www.mexc.co/news/768260

© 2025 by Explain IT Again.