On February 20, 2026, researchers at Socket published findings on a supply chain attack campaign that should alarm every developer, DevSecOps team, and business leader relying on modern software tooling. The campaign, tracked as SANDWORM_MODE, spread through at least 19 malicious packages on the npm registry and, in a first-of-its-kind escalation, weaponized AI coding assistants by silently injecting rogue servers into their configurations.
This is not a theoretical exercise. This is the next chapter in a lineage of attacks that already drained $8.5 million from Trust Wallet users just two months ago. The campaign stole credentials, cryptocurrency keys, and CI/CD secrets. It propagated like a biological worm through developer ecosystems. And it turned tools like Cursor, Claude Code, and Windsurf into unwitting data exfiltration agents.
From Shai-Hulud to SANDWORM_MODE: A Lineage of Worms
To understand SANDWORM_MODE, you need to understand what came before it. In September 2025, a self-replicating worm called Shai-Hulud (named after the giant sandworms in Frank Herbert's Dune) appeared in the npm registry and infected over 180 packages. The worm used a clever mechanism: once a developer installed a compromised package, it harvested their npm tokens, GitHub credentials, and API keys using TruffleHog, a legitimate secret-scanning tool that the attackers repurposed for extraction. Then it used those stolen tokens to find other packages the victim maintained and republished them with the same malicious payload baked in. Every new victim became a propagation vector.
The second wave, Shai-Hulud 2.0, hit in late November 2025 and was exponentially worse. Nearly 800 npm packages were confirmed backdoored, with attackers uploading over 27,000 additional malicious packages to the registry. More than 30,000 data-leaking GitHub repositories were created at the peak. According to Wiz security researchers, the campaign exposed roughly 400,000 raw developer secrets, and over 60 percent of stolen npm tokens were still valid as of December 1, 2025.
The consequences were devastating and concrete. Trust Wallet confirmed in a post-mortem that Shai-Hulud 2.0 was responsible for the compromise of its Chrome browser extension. Attackers used leaked GitHub developer secrets to access Trust Wallet's source code and Chrome Web Store API key, then published a backdoored version of the extension on December 24, 2025. The malicious code silently captured seed phrases from users who logged in between December 24 and 26. Trust Wallet identified 2,520 affected wallet addresses and approximately $8.5 million in stolen assets, and committed to reimbursing all affected users.
SANDWORM_MODE, which Socket's researchers began tracking in February 2026, carries the DNA of its predecessors while adding capabilities that represent a significant evolutionary leap.
How SANDWORM_MODE Works: A Multi-Stage Kill Chain
The attack begins with the oldest trick in the software supply chain playbook: typosquatting. The attackers published 19 packages under two npm aliases, "official334" and "javaorg," each designed to impersonate widely used developer utilities. A package called "suport-color" mimicked the legitimate "supports-color" library. Others impersonated AI coding tools like Claude Code and OpenClaw, crypto libraries, and common developer utilities. Critically, these malicious packages preserved the expected functionality of the libraries they impersonated, so a developer who installed one would see it working normally while the payload executed silently in the background.
Socket's analysis revealed that the malware uses layered obfuscation to conceal its execution. In the suport-color variant, a 160-plus kilobyte base64 blob is decompressed, XOR-decrypted with a static 32-byte key, and executed via indirect eval(). Unlike its predecessors, which relied on post-install hooks, SANDWORM_MODE runs on import, meaning the payload executes the moment a developer's code references the package.
The attack unfolds in two deliberate stages. Stage 1 executes immediately and focuses on the most financially damaging operation: cryptocurrency key and wallet file theft. This runs instantly and unconditionally. The two-phase design is intentional, because the noisier operations are deferred to evade short-lived sandbox analysis.
Stage 2 activates after a 48-hour delay, with an additional per-machine jitter of up to 48 more hours to further evade detection. When it wakes up, it decrypts an AES-256-GCM-protected module bundle that exports five core components: Propagate, Exfil, DeadSwitch, McpInject, and GitHooks. This phase performs deep harvesting that extends well beyond environment variables and tokens. Stage 2 targets password managers including Bitwarden, 1Password, and LastPass through their respective CLIs. It raids local SQLite stores from Apple Notes, macOS Messages, Joplin, and clipboard history. It conducts a full filesystem scan for wallet files and crypto configurations beyond the working directory.
Data exfiltration occurs through a cascading mechanism designed for resilience: first via HTTPS POST to a Cloudflare Worker endpoint, then as uploads to attacker-controlled private GitHub repositories using stolen tokens, and finally through DNS tunneling via domains using a domain generation algorithm seeded by "sw2025." Cloudflare acted swiftly to dismantle the Workers infrastructure after Socket's disclosure.
The code also contains a configurable but currently inactive dead switch: a wiper capability designed to destroy the victim's home directory if the malware loses access to both GitHub and npm. This dormant destructive feature signals either a contingency plan or a feature under active development.
The AI Angle: Why MCP Injection Changes Everything
Here is where SANDWORM_MODE breaks genuinely new ground, and where every organization using AI-assisted development needs to pay close attention.
The malware includes a module called "McpInject" that deploys a rogue Model Context Protocol (MCP) server and injects it into the configuration files of AI coding assistants. The targeted applications include Claude Desktop, Claude Code, Cursor, VS Code Continue, and Windsurf/Codeium. MCP, originally developed by Anthropic as an open standard in November 2024, is the protocol that enables AI models to interact with external tools, data sources, and APIs. It has seen rapid adoption precisely because of how useful it is. But that utility comes with an enormous trust surface.
The rogue MCP server deployed by SANDWORM_MODE masquerades as a legitimate tool provider, registering three benign-sounding tools: "index_project," "lint_check," and "scan_dependencies." Each of these tools embeds hidden prompt injection instructions that direct AI assistants to silently read the contents of sensitive files — including SSH keys, AWS credentials, npm tokens, and .env files — and collect any environment variables containing TOKEN, KEY, SECRET, or PASSWORD. The injection instructions explicitly tell the assistant not to mention this context-gathering to the user, enabling stealthy exfiltration. The AI assistant performs these actions because, from its perspective, it is following tool instructions that appear to come from a trusted source.
As a secondary collection step, the module also harvests API keys for nine LLM providers, including OpenAI, Anthropic, Google, Groq, Together, Fireworks, Replicate, Mistral, and Cohere, validating each against known format patterns.
Simon Willison has identified what he calls the "lethal trifecta" for AI agents: private data, untrusted content, and external communication capabilities. When all three are present, an attacker can steal data through prompt injection. SANDWORM_MODE is essentially a proof-of-concept that this trifecta can be weaponized at scale through the supply chain.
Endor Labs, which published an independent analysis of the campaign, described this development as confirmation that supply chain attacks are evolving specifically to target AI tools that are increasingly present on developer machines. Praetorian's security research team published findings in February 2026 demonstrating that supply chain attacks through package manager configurations require no interaction with the MCP protocol itself. Malicious code executes during agent startup, before any tools are invoked, making this a zero-click attack vector that bypasses tool approval mechanisms entirely.
Propagation: How One Infection Becomes Thousands
SANDWORM_MODE propagates through three independent vectors, ensuring that a single compromised developer can cascade into an organization-wide breach.
The primary method uses stolen npm tokens to hijack the victim's own packages. The malware enumerates packages the victim maintains, injects its payload, and republishes them with incremented patch versions. Every downstream consumer of those packages then receives the infected update.
The secondary method creates or references a "carrier" package. It finds all package.json files in a repository, adds the carrier as a dependency, and then injects a malicious GitHub Actions workflow. If the stolen token has write access to the default branch, it commits directly. If branch protection exists, it creates a pull request and auto-merges. As a fallback, it attempts propagation via SSH using the SSH_AUTH_SOCK.
Persistence is achieved by planting malicious pre-commit and pre-push hooks and setting git config to use a global init.templateDir, so every newly created repository on the developer's machine inherits the hooks automatically.
Socket also identified a weaponized public GitHub Action associated with the campaign that harvests CI/CD secrets and exfiltrates them with DNS fallback. The CI detection is deliberate: the malware checks for environment variables like GITHUB_ACTIONS or CI, and when it detects a CI environment, it bypasses the 48-hour time gate entirely and proceeds directly to full harvesting. CI environments are ephemeral -- if the malware waited, the container would be destroyed before extraction could complete.
What Organizations Should Do Right Now
If any of the 19 identified malicious packages were ever present in your dependency tree, assume compromise. Socket and the broader security community have published the complete list of affected packages and their publisher aliases. Following Socket's disclosure, Cloudflare shut down the Workers infrastructure the attackers were using to receive stolen data, GitHub removed the associated repositories and accounts, and npm deleted the malicious packages from its registry — but not before the worm had already propagated across developer environments.
The immediate remediation steps are straightforward but urgent. Remove any of the listed packages. Rotate all npm and GitHub tokens, CI/CD secrets, and any credentials that may have been present in environment variables or .env files. Review package.json files and lockfiles for unexpected changes. Audit .github/workflows/ directories for workflows you did not create. Check global git configuration for unexpected init.templateDir settings. Inspect AI assistant configuration files for unknown MCP server entries.
Organizations should use private registries like Artifactory, Nexus, or Verdaccio as intermediaries that quarantine and scan packages before they reach developers. CI/CD runners should operate with least-privilege credentials. Two-factor authentication and trusted publishing should be mandatory for any package maintainer. Behavioral monitoring for anomalous dependency changes and workflow modifications should be standard.
For AI tooling specifically, the defensive posture needs to evolve rapidly. Every MCP server installation should be treated as potentially adversarial code. Tool permissions should be audited and minimized. Configuration files for AI assistants should be monitored for unauthorized changes. The rapid adoption of MCP has outpaced security considerations, and the SANDWORM_MODE campaign is an early warning that adversaries have already noticed.
The Bigger Picture: Supply Chains as Battlegrounds
SANDWORM_MODE is not an isolated incident. It is a data point on a trajectory. The Shai-Hulud lineage has demonstrated that npm supply chain worms work, that they can scale to hundreds of thousands of exposed secrets, and that those secrets translate directly into real financial losses. The Trust Wallet heist proved that a supply chain compromise in a developer tool can propagate all the way to end-user wallets. SANDWORM_MODE adds AI toolchain poisoning to the arsenal.
The pattern is escalating. Each iteration adds capabilities. The original Shai-Hulud was a credential harvester with self-propagation. Shai-Hulud 2.0 added scale, destructive wipers, and a dead man switch that would wipe the victim's home directory on authentication failure. Shai-Hulud 3.0, detected in late December 2025, focused on improved string obfuscation, better Windows compatibility, and increased campaign longevity — notably removing the destructive wiper in favor of stealth. SANDWORM_MODE is tracked as a parallel campaign bearing the DNA of all three predecessors while adding capabilities none of them had: MCP injection, multi-channel exfiltration with DNS fallback, git hook persistence, time-gated staging to defeat sandbox analysis, and LLM API key harvesting. Socket noted that several feature flags and guardrails in the code suggest the threat actor is still iterating, with toggles for destructive routines and a dormant polymorphic self-rewriting engine that uses a local Ollama instance to modify variable names, rewrite control flows, and insert decoy code.
The emergence of AI toolchain poisoning as an attack vector deserves particular attention from security leaders. As AI coding assistants become standard fixtures in development environments, they represent a new class of trusted intermediary with access to sensitive data and external communication capabilities. The OWASP Top 10 for LLM Applications lists prompt injection as the number one risk, and MCP-based attacks represent a concrete, in-the-wild manifestation of that risk. Security teams that still treat dependency risk as a static CVE problem will miss this class of attack entirely.
The software supply chain is a battleground now, and the adversaries are adapting faster than the defenses. SANDWORM_MODE is a warning, but based on the trajectory of this campaign lineage, it will not be the last iteration.
- Socket Threat Research Team, "SANDWORM_MODE: Shai-Hulud-Style npm Worm Hijacks CI Workflows and Poisons AI Toolchains," February 20, 2026. (socket.dev)
- Endor Labs, "SANDWORM_MODE: Dissecting a Multi-Stage npm Supply Chain Attack," February 22, 2026. (endorlabs.com)
- SecurityWeek, "New 'Sandworm_Mode' Supply Chain Attack Hits NPM," February 24, 2026. (securityweek.com)
- The Hacker News, "Malicious npm Packages Harvest Crypto Keys, CI Secrets, and API Tokens," February 23, 2026. (thehackernews.com)
- Help Net Security, "Self-spreading npm malware targets developers in new supply chain attack," February 24, 2026. (helpnetsecurity.com)
- CyberInsider, "New 'Sandworm_Mode' worm unleashed on the npm ecosystem," February 23, 2026. (cyberinsider.com)
- Infosecurity Magazine, "Shai-Hulud-Like Worm Targets Developers via npm and AI Tools," February 26, 2026. (infosecurity-magazine.com)
- SecurityWeek, "Shai-Hulud Supply Chain Attack Led to $8.5 Million Trust Wallet Heist," January 2, 2026. (securityweek.com)
- The Hacker News, "Trust Wallet Chrome Extension Hack Drains $8.5M via Shai-Hulud Supply Chain Attack," January 2, 2026. (thehackernews.com)
- BleepingComputer, "Trust Wallet links $8.5 million crypto theft to Shai-Hulud NPM attack," January 2, 2026. (bleepingcomputer.com)
- Praetorian, "MCP Server Security: The Hidden AI Attack Surface," February 2026. (praetorian.com)
- Endor Labs, "Classic Vulnerabilities Meet AI Infrastructure: Why MCP Needs AppSec," January 23, 2026. (endorlabs.com)