Guavy AI Editorial Team

Malicious npm Packages Used in Large-Scale Credential Harvesting Campaign

Security researchers have uncovered an active supply chain worm campaign that uses at least 19 malicious npm packages to harvest credentials, cryptocurrency keys, and other sensitive information from the machines that install them.

The campaign, dubbed SANDWORM_MODE by Socket, a supply chain security company, involves two stages. The first stage captures credentials and cryptocurrency keys, while the second stage performs deeper harvesting of credentials from password managers, worm-like propagation, and full exfiltration.

The malware uses a polymorphic engine to evade detection and includes MCP server injection with embedded prompt injection aimed at AI coding assistants, as well as harvesting of LLM API keys. It also contains a destructive routine that acts as a kill switch: if it loses access to GitHub and npm, it wipes the user's home directory.