Feed
CriticalPublished 20 Feb 202619 packages · 19 versions

SANDWORM_MODE: 19 npm typosquats with self-spreading worm + AI toolchain poisoning

Summary

Socket disclosed a Shai-Hulud-style self-propagating worm spread across at least 19 typosquatted npm packages from accounts official334 and javaorg. It harvests CI secrets and crypto keys, propagates via stolen npm/GitHub tokens, and injects prompt-injection logic into MCP servers used by AI coding assistants.

wormtyposquatcredential-theftprompt-injectionci-cd-compromise
Detected by
Socket
Also known as
SANDWORM_MODE · Shai-Hulud variant
Ecosystems
npm
Packages tracked
19

What happened

Socket called this campaign SANDWORM_MODE after a marker string embedded in the worm payload. It is a Shai-Hulud-style self-propagating attack — same shape as the September 2025 original — refined to target the AI-developer-tools surface specifically.

Nineteen typosquatted packages were published from two npm accounts: official334 and javaorg. The package names cluster around AI coding tools and their adjacent typo space (claud-code, cloude-code, cloude, opencraw). On install, the payload harvests CI secrets, npm and GitHub tokens, and any crypto keys it can find; then it uses the stolen tokens to publish further malicious versions of any package the maintainer can reach.

The novel piece is the MCP-server injection: the worm modifies mcp.json and equivalent config files on disk to attach prompt-injection logic that targets downstream AI coding assistants. The intent is to weaponise the assistant's own context — when a developer asks Claude Code, Cursor, or similar to "look at the issue and fix it," the poisoned MCP server returns content engineered to make the assistant produce malicious follow-on actions.

Defenders should audit dev environments for any reference to ci-quality/code-quality-check@v1 (a planted GitHub Actions workflow used for propagation) and block egress to the *.workers.dev exfil endpoints listed in the Socket post.

Affected packages (19)

  • npmclaud-code
    0.2.1
  • npmcloude
    0.3.0
  • npmcloude-code
    0.2.1
  • npmcrypto-locale
    1.0.0
  • npmcrypto-reader-info
    1.0.0
  • npmdetect-cache
    1.0.0
  • npmformat-defaults
    1.0.0
  • npmhardhta
    1.0.0
  • npmlocale-loader-pro
    1.0.0
  • npmnaniod
    1.0.0
  • npmnode-native-bridge
    1.0.0
  • npmopencraw
    2026.2.17
  • npmparse-compat
    1.0.0
  • npmrimarf
    1.0.0
  • npmscan-store
    1.0.0
  • npmsecp256
    1.0.0
  • npmsuport-color
    1.0.1
  • npmveim
    2.46.2
  • npmyarsg
    18.0.1

Impact

  • CI/CD secrets, npm tokens, GitHub tokens and crypto keys exfiltrated
  • AI coding tools (Claude Code and OpenClaw impersonations) targeted for downstream developer compromise
  • Worm propagation through stolen publish credentials

What to do

  1. 1Remove any of the 19 listed packages; rotate npm/GitHub/cloud tokens
  2. 2Audit dev environments for ci-quality/code-quality-check@v1 references
  3. 3Block egress to *.workers.dev exfil endpoints listed in the Socket post

References

npm-2026-02-20-sandworm-mode