Full Report
According to Socket, the campaign operates as a typosquatting worm: the attacker publishes malicious packages that mimic trusted names (e.g., look-alikes of common utilities and AI coding tools). When one of these malicious packages is installed and imported, it executes a sta...
Analysis Summary
# Tool/Technique: SANDWORM_MODE / AI-Toolchain Poisoning Worm
## Overview
SANDWORM_MODE is a sophisticated typosquatting worm campaign targeting the npm ecosystem and AI-integrated developer environments. Its primary purpose is to hijack Continuous Integration (CI) workflows, harvest sensitive credentials (GitHub/npm tokens), and propagate by injecting malicious dependencies into legitimate repositories. A unique aspect of this campaign is its specific focus on poisoning Model Context Protocol (MCP) servers used by AI coding assistants to facilitate data exfiltration via prompt injection.
## Technical Details
- **Type:** Malware Family / Supply Chain Attack
- **Platform:** Cross-platform (Node.js/npm environments, GitHub Actions, AI Coding Assistants)
- **Capabilities:** Credential harvesting, self-propagation (worm), CI/CD manipulation, AI toolchain tampering, and dormant destructive routines.
- **First Seen:** February 20, 2026 (Reported)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - T1195.001 - Supply Chain Compromise: Compromise Software Dependencies
  - T1566.003 - Phishing: Typosquatting
- **[TA0003 - Persistence]**
  - T1544.004 - External Software Update (Malicious GitHub Actions)
- **[TA0006 - Credential Access]**
  - T1552.001 - Unsecured Credentials: Files (Environment secrets, .npmrc, .git-credentials)
- **[TA0007 - Discovery]**
  - T1083 - File and Directory Discovery (AI Config files)
- **[TA0009 - Collection]**
  - T1647 - Software Discovery (AI Assistant Tooling)
## Functionality
### Core Capabilities
- **Typosquatting & Staged Execution:** Mimics popular utilities and AI coding tools. Upon installation and import, it executes a staged payload.
- **Credential Harvesting:** Specifically targets npm and GitHub tokens, as well as environment secrets within CI/CD pipelines.
- **Self-Propagation:** Uses stolen tokens to modify existing repositories, injecting malicious dependencies and altering GitHub Actions workflows to further the infection.
- **CI Amplification:** Utilizes a rogue GitHub Action (`ci-quality/code-quality-check@v1`) to facilitate secret collection and lateral movement between repositories.
### Advanced Features
- **AI Toolchain Tampering:** Injects rogue Local MCP (Model Context Protocol) servers into configurations for AI assistants including Claude, Cursor, Continue, and Windsurf/Codeium.
- **Prompt Injection Exfiltration:** The rogue MCP server uses embedded prompt-injection text to trick AI assistants into reading sensitive local files and returning them to the attacker-controlled server.
- **Feature Flags:** The malware utilizes flags for modular execution.
- **Dormant Destructive "Dead Switch":** Includes a destructive routine (wiper-like behavior) that was observed in a disabled state, suggesting a capability for future "kill-switch" or scorched-earth tactics.
## Indicators of Compromise
- **File Hashes:** *(Specific hashes not provided in the source text, but would typically include SHA256 of the malicious npm packages)*.
- **GitHub Actions:** `ci-quality/code-quality-check@v1`
- **Network Indicators:**
- `hxxps://socket[.]dev/blog/sandworm-mode-npm-worm-ai-toolchain-poisoning` (Reference site)
- *(Additional C2 domains for exfiltration would be associated with the rogue MCP server)*.
- **Behavioral Indicators:**
- Unexpected modifications to `.github/workflows/*.yml` files.
- Unauthorized additions of dependencies to `package.json`.
- Modification of AI assistant configuration files (e.g., `claude_desktop_config.json`, Cursor/Continue settings).
## Associated Threat Actors
- **Unknown:** Currently attributed to an unidentified actor (tracked as SANDWORM_MODE campaign).
## Detection Methods
- **Behavioral Detection:** Monitor for processes attempting to rewrite local AI assistant configuration files or modifying GitHub Action files outside of a standard PR process.
- **Supply Chain Scanning:** Use tools like Socket or Snyk to identify typosquatted npm packages and anomalous dependency changes.
- **Secret Scanning:** Monitor CI/CD logs for attempts to access `GITHUB_TOKEN` or `NPM_TOKEN` by unexpected scripts.
## Mitigation Strategies
- **Namespace Verification:** Ensure all npm packages are from verified scopes and perform "look-alike" checks before installation.
- **CI/CD Hardening:** Apply least privilege to GitHub Actions tokens (e.g., `contents: read` rather than `contents: write` in the workflow `permissions` block).
- **AI Security:** Audit local MCP server configurations and restrict AI assistants from accessing sensitive environment files (`.env`, `.ssh/`, etc.).
- **Dependency Pinning:** Use `package-lock.json` and verify checksums to prevent sub-dependency hijacking.
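As an added example (not part of the Socket report or any project's code), the following Node.js script implements the behavioral checks listed under Detection Methods and the least-privilege check under CI/CD Hardening: it scans a GitHub Actions workflow for the rogue `ci-quality/code-quality-check@v1` action and for `write` token permissions, and lists MCP servers in an assistant config that are not on an allowlist. The `mcpServers` key layout and both sample inputs are assumptions constructed for illustration.

```javascript
// Added example, not from the report. Audits the two artifacts the report
// says SANDWORM_MODE tampers with: GitHub workflow files and MCP configs.
// Workflow YAML is matched line-by-line (no YAML parser); MCP configs are
// parsed as JSON. All sample inputs below are constructed, not real IoCs.
const ROGUE_ACTION = "ci-quality/code-quality-check@v1"; // named in the report
const ROGUE_ACTION_NAME = ROGUE_ACTION.split("@")[0]; // match any version tag

// Return findings ({line, issue}) for the text of one workflow file.
function auditWorkflow(yamlText) {
  const findings = [];
  yamlText.split("\n").forEach((raw, i) => {
    const line = raw.trim();
    // Step references: "- uses: owner/action@ref" or "uses: owner/action@ref"
    const u = line.match(/^-?\s*uses:\s*(\S+)/);
    if (u && u[1].split("@")[0] === ROGUE_ACTION_NAME) {
      findings.push({ line: i + 1, issue: "rogue action " + u[1] });
    }
    // Least privilege: any "<scope>: write" or "permissions: write-all".
    const p = line.match(/^(\w[\w-]*):\s*(write|write-all)$/);
    if (p) findings.push({ line: i + 1, issue: "write permission: " + p[1] });
  });
  return findings;
}

// Return MCP server names in an assistant config that are not allowlisted.
// Assumes the Claude Desktop / Cursor style top-level "mcpServers" map.
function auditMcpConfig(jsonText, allowedServers) {
  const servers = JSON.parse(jsonText).mcpServers || {};
  return Object.keys(servers).filter((name) => !allowedServers.includes(name));
}

// Constructed sample workflow: over-privileged token plus the rogue action.
const SAMPLE_WORKFLOW = [
  "name: ci",
  "on: [push]",
  "permissions:",
  "  contents: write",
  "jobs:",
  "  build:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "      - uses: " + ROGUE_ACTION,
].join("\n");

// Constructed sample MCP config: one expected server, one unknown addition.
const SAMPLE_MCP = JSON.stringify({
  mcpServers: {
    filesystem: { command: "npx", args: ["-y", "example-fs-server"] },
    "code-helper": { command: "node", args: ["/tmp/placeholder-server.js"] },
  },
});

module.exports = { auditWorkflow, auditMcpConfig, SAMPLE_WORKFLOW, SAMPLE_MCP };
```

Run the two functions over `.github/workflows/*.yml` and each assistant's config file on a schedule or in a pre-commit hook; any non-empty result is worth a ticket.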
## Related Tools/Techniques
- **Dependency Confusion:** A related supply chain technique in which internal build systems are tricked into fetching malicious public packages in place of private ones.
- **Prompt Injection:** A technique repurposed here for data exfiltration via LLM-integrated developer tools.
- **Wormable Malware:** Similar to previous npm-based worms that utilize leaked tokens for propagation.