Emerging npm Worm ‘SANDWORMMODE’ Targets Developer and CI/CD Secrets
A new supply chain attack, dubbed ‘SANDWORMMODE,’ is actively infiltrating the npm ecosystem through at least 19 malicious packages designed to steal sensitive developer and Continuous Integration/Continuous Deployment (CI/CD) secrets. This campaign employs typosquatting techniques and malicious GitHub Actions to propagate across developer machines and CI pipelines.
Infiltration Tactics
The attackers have impersonated popular Node.js utilities and AI coding tools, utilizing two npm publisher aliases to distribute the malicious packages. These packages maintain their expected functionality, making detection challenging. However, upon import, they execute a multi-stage JavaScript payload that activates during the `npm install` process. This payload immediately harvests sensitive data, including npm and GitHub tokens, environment variables, cryptographic keys, and other secrets.
Comparison with Previous Worms
The ‘SANDWORMMODE’ worm exhibits several advancements over earlier threats like ‘Shai-Hulud’:
– Entry Point: Utilizes typosquatted npm packages that mimic legitimate tools.
– Target Audience: Specifically aims at developers and CI environments by masquerading as trusted packages.
– Execution Timing: Activates upon import while preserving normal library functionality.
– Obfuscation Techniques: Employs Base64 encoding, compression, XOR, and AES encryption to conceal its payload.
– Data Exfiltration: Operates effectively even in restricted networks by leveraging GitHub API, DNS tunneling, and HTTPS endpoints.
– Propagation Mechanism: Modifies repositories by injecting malicious code into `package.json`, lockfiles, and workflows.
– CI/CD Exploitation: Injects harmful workflows and extracts secrets from CI environments.
– Destructive Capabilities: Contains a dormant feature that can erase the user’s home directory if access to GitHub and npm is lost.
– Operator Control: Offers configurable settings through various ‘SANDWORM_’ environment variables.
– Persistence Strategies: Utilizes git hooks to ensure new repositories inherit the infection.
– Backup Propagation Methods: Switches to SSH if API-based spreading fails.
– AI Tool Targeting: Specifically targets AI tools like Claude, Cursor, and VS Code by injecting malicious configurations.
– Self-Rewriting Capability: Can rewrite its code using local Ollama if enabled.
Data Harvesting Process
The worm operates in multiple stages to maximize data extraction:
– Stage 1 – Rapid Secret Collection:
  – Initial Data Theft: Scans `.npmrc` files, environment variables, configuration files, and cryptocurrency wallets.
  – Exfiltration: Transmits discovered secrets to a remote server via a Cloudflare Worker endpoint.
– Stage 2 – Comprehensive Data Collection:
  – Extended Data Harvesting: Searches password managers, local SQLite databases, and wallet files for additional sensitive information.
  – Exfiltration Method: Transfers stolen data over HTTPS, with DNS tunneling as a fallback mechanism.
Propagation Mechanism
‘SANDWORMMODE’ leverages stolen npm and GitHub credentials to propagate further. If GitHub API access is unsuccessful, the malware resorts to an SSH fallback method, exploiting the victim’s SSH agent to clone repositories, insert the malicious dependency, and push changes under the victim’s identity.
Weaponized GitHub Actions
The campaign includes a malicious GitHub Action named `ci-quality/code-quality-check`. This action is designed to:
– Inject Malicious Code: Automatically merges pull requests containing the worm’s payload, making the changes appear legitimate.
– Steal Additional Secrets: Extracts secrets from CI environments during the build process.
Targeting AI Tools
The worm also focuses on AI coding tools by installing a rogue MCP server into configurations for tools like Claude Code, Cursor, and VS Code extensions. It employs hidden prompt injection instructions to deceive AI assistants into reading SSH keys, cloud credentials, and tokens, subsequently sending them to the attacker’s server. Additionally, it checks for API keys from multiple major Large Language Model (LLM) providers, turning infected systems into large-scale credential harvesting platforms.
Potential for Destruction
The malware includes a disabled dead switch feature capable of wiping a user’s home directory if the attack fails. Although this feature is not currently active, its presence indicates the malware’s potential for further evolution and increased destructiveness.
Recommendations for Mitigation
The Socket Threat Research Team advises the following actions to mitigate the risks posed by ‘SANDWORMMODE’:
– Remove Malicious Packages: Identify and eliminate any of the 19 known malicious npm packages from your projects.
– Rotate Secrets: Change all potentially compromised credentials, including npm and GitHub tokens, environment variables, and cryptographic keys.
– Audit Workflows: Review and secure CI/CD workflows to prevent unauthorized modifications and ensure they do not contain malicious actions.
– Monitor for Suspicious Activity: Implement monitoring to detect unusual behavior in repositories and CI/CD pipelines, such as unexpected changes to `package.json` files or the addition of new GitHub Actions.
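An added example (not from the article or from Socket) of the package, workflow and environment checks the recommendations above call for, written for Node.js. Only the action name `ci-quality/code-quality-check` and the `SANDWORM_` prefix come from the article; the denylist entry, the sample inputs and the variable name `SANDWORM_EXAMPLE` are constructed placeholders.

```javascript
// Added example: audit helpers for the indicators this article names.
// The article does not list the 19 package names, so the entry below is a
// placeholder to be replaced with names from the vendor advisory.
const DENYLIST = new Set(["placeholder-malicious-pkg"]);
const FLAGGED_ACTION = "ci-quality/code-quality-check"; // named in the article
const ENV_PREFIX = "SANDWORM_";                          // named in the article

// Return 1-based line numbers of workflow steps that reference the flagged action.
// Commented-out lines are ignored; the ref after "@" is not significant.
function findFlaggedActionLines(workflowText) {
  const hits = [];
  workflowText.split(/\r?\n/).forEach((line, i) => {
    const m = line.match(/^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)/);
    if (!m) return;
    const ref = m[1].split("@")[0].toLowerCase();
    if (ref === FLAGGED_ACTION || ref.startsWith(FLAGGED_ACTION + "/")) hits.push(i + 1);
  });
  return hits;
}

// Return "section:name" for denylisted names in any dependency section
// of a parsed package.json object.
function findDeniedDeps(pkg, denylist = DENYLIST) {
  const sections = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  const found = [];
  for (const s of sections)
    for (const name of Object.keys(pkg[s] || {}))
      if (denylist.has(name)) found.push(`${s}:${name}`);
  return found.sort();
}

// Return names of environment variables that carry the worm's configuration prefix.
function findOperatorEnvVars(env) {
  return Object.keys(env).filter((k) => k.startsWith(ENV_PREFIX)).sort();
}

// Constructed sample inputs (not real captures).
const SAMPLE_WORKFLOW = [
  "name: ci", "on: [push]", "jobs:", "  lint:", "    runs-on: ubuntu-latest", "    steps:",
  "      - uses: actions/checkout@v4",
  "      - uses: ci-quality/code-quality-check@v1",
  "      # uses: ci-quality/code-quality-check@v1",
].join("\n");
const SAMPLE_PKG = {
  dependencies: { express: "^4.19.0" },
  devDependencies: { "placeholder-malicious-pkg": "1.0.0" },
};

console.log(findFlaggedActionLines(SAMPLE_WORKFLOW), findDeniedDeps(SAMPLE_PKG),
  findOperatorEnvVars({ PATH: "/usr/bin", SANDWORM_EXAMPLE: "1" }));
```

To audit a real repository, pass each file under `.github/workflows/` as text to `findFlaggedActionLines`, the parsed `package.json` to `findDeniedDeps`, and `process.env` to `findOperatorEnvVars`.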
This campaign underscores the critical need for heightened vigilance and robust security practices within the developer and CI/CD environments to protect against sophisticated supply chain attacks.