Malicious npm Packages Hijack AI Tools in Crypto Theft Campaign, Researchers Warn

Malicious npm Packages Exploit AI Tools to Steal Crypto Keys and Developer Credentials

In a sophisticated supply chain attack, cybersecurity researchers have identified a campaign dubbed SANDWORM_MODE that leverages at least 19 malicious npm packages to harvest sensitive information from developers, including cryptocurrency keys, API tokens, and other credentials. This campaign, reminiscent of previous Shai-Hulud attacks, introduces advanced techniques targeting AI coding assistants to expand its reach and effectiveness.

Discovery and Analysis

The security firm Socket uncovered this campaign, noting that the malicious packages were published under the npm aliases official334 and javaorg. The identified packages include:

[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

Additionally, four sleeper packages were identified, which currently lack malicious functionality but may serve as placeholders for future attacks:

– ethres
– iru-caches
– iruchache
– uudi

Malware Capabilities and Propagation

The malicious code embedded within these packages is designed to:

1. Harvest Sensitive Information: Collect system information, access tokens, environment secrets, and API keys from developer environments.

2. Self-Propagate: Utilize stolen npm and GitHub credentials to automatically spread to other systems, enhancing its reach.

3. Exploit AI Coding Assistants: Deploy a malicious Model Context Protocol (MCP) server that integrates with AI coding tools such as Claude Code, Claude Desktop, Cursor, Microsoft Visual Studio Code (VS Code) Continue, and Windsurf. This server registers tools that inject prompts to access and exfiltrate sensitive files, including SSH keys and AWS credentials.

4. Harvest LLM API Keys: Target API keys for various large language model providers, including Anthropic, Cohere, Fireworks AI, Google, Grok, Mistral, OpenAI, Replicate, and Together.

5. Evade Detection: Incorporate a polymorphic engine that can obfuscate code by renaming variables, altering control flow, inserting redundant code, and encoding strings. Although this feature is currently inactive, its presence suggests potential future use to evade security measures.

Attack Execution

The attack unfolds in two stages:

– Stage One: Initial collection of credentials and cryptocurrency keys, followed by the deployment of a secondary payload.

– Stage Two: Deeper harvesting of credentials from password managers, further propagation, MCP injection, and comprehensive exfiltration of gathered data. Notably, the second stage activates 48 hours after the initial infection, with a randomized delay of up to an additional 48 hours to evade detection.

Implications and Recommendations

This campaign underscores the evolving nature of supply chain attacks, particularly the novel targeting of AI coding assistants to infiltrate developer environments. Developers and organizations are advised to:

– Vigilantly Monitor Dependencies: Regularly review and audit npm packages and other dependencies for signs of malicious activity.

– Implement Robust Security Practices: Utilize multi-factor authentication, restrict access to sensitive credentials, and employ least privilege principles.

– Stay Informed: Keep abreast of emerging threats and adapt security measures accordingly to mitigate potential risks.
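Two of the checks above (auditing dependencies for the package names listed, and watching for MCP servers registered into AI coding assistants) can be scripted. The following is an added example written for this page, not Socket's tooling or anything from the campaign; it assumes the npm lockfileVersion 2/3 `packages` layout and the `{"mcpServers": {...}}` config layout used by Claude Desktop and Cursor, and the sample inputs are constructed.

```python
"""Defender-side audit: flag known package names in a package-lock.json and
unexpected MCP server registrations in an AI-assistant config file.
Added example, not the advisory's own code; sample inputs are constructed."""
import json

# Sleeper package names quoted in the write-up; the 19 active package names
# were not recoverable from this page, so extend this set from the advisory.
KNOWN_BAD = {"ethres", "iru-caches", "iruchache", "uudi"}


def flag_lockfile_packages(lock_json: str) -> list[str]:
    """Return name@version for lockfile entries (lockfileVersion 2/3 'packages'
    map) whose package name is a known indicator."""
    lock = json.loads(lock_json)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        # Entry keys look like "node_modules/<name>"; the root entry is "".
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name in KNOWN_BAD:
            hits.append(f"{name}@{meta.get('version', '?')}")
    return sorted(hits)


def flag_mcp_servers(config_json: str, allowlist: set[str]) -> list[str]:
    """Return MCP servers that are not allowlisted, or that are allowlisted but
    launched out of node_modules (where a package-dropped server would live)."""
    cfg = json.loads(config_json)
    findings = []
    for name, spec in cfg.get("mcpServers", {}).items():
        cmdline = " ".join([spec.get("command", "")] + list(spec.get("args", [])))
        if name not in allowlist:
            findings.append(f"{name}: not allowlisted ({cmdline})")
        elif "node_modules" in cmdline:
            findings.append(f"{name}: launched from node_modules ({cmdline})")
    return findings


# Constructed sample inputs (not real project files).
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/express": {"version": "4.19.2"},
    "node_modules/uudi": {"version": "1.0.0"}}})
SAMPLE_MCP = json.dumps({"mcpServers": {
    "filesystem": {"command": "npx", "args": ["-y", "approved-fs-server"]},
    "helper": {"command": "node", "args": ["./node_modules/some-pkg/mcp.js"]}}})

if __name__ == "__main__":
    print(flag_lockfile_packages(SAMPLE_LOCK))
    print(flag_mcp_servers(SAMPLE_MCP, {"filesystem"}))
```

The allowlist is the set of MCP server names a team has deliberately configured; anything else appearing in the config after an `npm install` is worth a look.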

By adopting these practices, developers can enhance their defenses against sophisticated supply chain attacks that exploit trusted tools and platforms.