npm Worm Steals Crypto Keys, Targets 19 Packages

A self-replicating npm worm dubbed SANDWORM_MODE hits 19+ packages, harvesting private keys, BIP39 mnemonics, wallet files and LLM API keys from dev environments.

A live npm supply chain attack is sweeping developer environments right now. Socket’s Threat Research Team uncovered what it tracks as SANDWORM_MODE, a self-replicating worm spread across at least 19 malicious npm packages tied to two publisher aliases. As SocketSecurity flagged on X, this is an active supply chain attack stealing dev and CI secrets, injecting GitHub workflows, poisoning AI toolchains and harvesting LLM API keys.

The campaign borrows directly from the Shai-Hulud worm family. Private keys go first. No time gate, no delay. Crypto artifacts discovered on import get exfiltrated immediately through a dedicated drain endpoint before any other payload stage fires.

You Should Know: Wallet Security Threats Are Escalating Must Read: Trust Wallet Security Hack: How to Safeguard Your Assets

How This Worm Reaches Your Private Keys First

The worm runs a two-stage design. Stage 1 fires instantly on import, collecting npm tokens, GitHub tokens, environment secrets, and crypto keys through file reads only. No shell execution, no noise. BIP39 mnemonics, Ethereum private keys, Solana byte arrays, Bitcoin WIF key,s and xprv strings all get swept in the first pass.

Crypto keys leave the machine immediately via HTTPS POST to a Cloudflare Worker at pkg-metrics[.]official334[.]workers[.]dev/drain. That happens before any time gate check. Before Stage 2 even loads.

Stage 2 sits behind a 48-hour delay, derived from an MD5 hash of hostname and username. It goes deeper: password managers via Bitwarden, 1Password and LastPass CLIs, local SQLite stores including Apple Notes and macOS Messages, and a full filesystem scan for wallet files. In CI environments, that gate disappears entirely. The full payload fires on GITHUB_ACTIONS, GITLAB_CI, CIRCLECI, JENKINS_URL and BUILDKITE without waiting at all.

According to SocketSecurity on X, the worm also injects GitHub workflows and poisons AI toolchains, details confirmed in Socket’s full technical disclosure.

Also Worth Reading: $21M in Seized Bitcoin Returned After Authorities Freeze Transactions

AI Coding Tools Got Hit Too, Badly

Three packages impersonate Claude Code. One targets OpenClaw, an AI agent that passed 210,000 stars on GitHub. The worm’s McpInject module deploys a rogue MCP server into Claude Code, Claude Desktop, Cursor, VS Code Continue, and Windsurf configs on disk. Each gets a fake tool entry pointing to a hidden, malicious server.

That server carries embedded prompt injection telling AI assistants to silently read SSH keys, AWS credentials, npm token,s and environment secrets before every tool call. The model never tells the user. The injection explicitly blocks it from doing so.

Nine LLM providers get targeted for API key harvesting: OpenAI, Anthropic, Google, Groq, Together, Fireworks, Replicate, Mistra,l and Cohere. Keys pulled from environment variables and .env files, validated against known format patterns before exfiltration.

The exfiltration runs three channels in cascade. HTTPS to the Cloudflare Worker first, then authenticated GitHub API uploads to private repositories using double-base64 encoding, then DNS tunneling via base32-encoded queries to freefan[.]net and fanfree[.]net. A domain generation algorithm seeded by “sw2025” provides fallback across ten TLDs if all else fails.

Worth a Look: Glassnode Flags BTC Demand Exhaustion

The two publisher aliases behind the campaign are official334 and javaorg. The 19 confirmed malicious packages include suport-color@1.0.1, claud-code@0.2.1, cloude@0.3.0, crypto-locale@1.0.0, secp256@1.0.0 and scan-store@1.0.0 among others. Four additional sleeper packages (ethres, iru-caches, iruchache, and uudi) show no malicious payload yet.

npm has removed the malicious packages. GitHub took down the threat actor infrastructure. Cloudflare pulled the workers. But defenders need to act now, regardless.

If any of these packages ran in your environment, treat that machine as compromised. Rotate npm and GitHub tokens, rotate all CI secrets, audit .github/workflows/ for pull_request_target additions that serialize $｛｛ toJSON(secrets) ｝｝. Check the global git hook template setting by running git config –global init.templateDir. Review AI assistant configs for unexpected mcpServers entries. A dormant polymorphic engine using deepseek-coder:6.7b is embedded in the worm and toggled off in this build, meaning a future variant could rewrite itself to evade detection.

A dead switch also sits in the code. Disabled now. When triggered, it runs find ~ -type f -writable and shreds every writable file in the home directory. The operator is still iterating.