
19 Malicious npm Packages Stole Credentials Through CI/CD Pipelines

Socket disclosed the SANDWORM_MODE campaign this week: at least 19 malicious npm packages designed to harvest credentials, cryptocurrency keys, and API tokens from developer environments. The campaign goes beyond typosquatting: alongside the packages it ships a GitHub Action that extracts CI/CD secrets and exfiltrates them over HTTPS, falling back to DNS when HTTPS is blocked. JFrog separately identified additional malicious packages in the same ecosystem that deliver remote access trojans.

Your dependency tree just became an attack vector with persistent access to your secrets infrastructure.

The New Threat: SANDWORM_MODE Campaign

The SANDWORM_MODE campaign marks a shift in supply chain attack sophistication. Earlier npm campaigns generally aimed at whatever a developer's workstation held. This one is built around CI/CD pipelines, where installs run unattended with production-grade secrets in the environment, and it also targets AI coding assistants through MCP (Model Context Protocol) server injection.

When a CI job installs one of these packages, the package's code runs inside that job (at install time if it declares lifecycle scripts, or when the build imports it) with the same process environment as the job, so it can read whatever the job can: AWS keys, database credentials, API tokens. The campaign's GitHub Action performs the same harvesting in any workflow that references it; an Action does not run merely because a package was installed, so check your workflow files as well as your lockfiles. In both cases the data leaves during the build, before most security tooling registers anything. If HTTPS exfiltration is blocked, the payload falls back to DNS, which most egress controls allow unconditionally, so ordinary network monitoring will not see a blocked connection.

The MCP server injection is newer. AI coding assistants like GitHub Copilot and Cursor use MCP servers to extend their capabilities, and they load those servers from a configuration file. Malicious packages register attacker-controlled MCP servers in your development environment, giving the attacker access to your codebase, to credentials stored in environment variables, and to the context your AI assistant sees.

Key Findings

Automated Exfiltration Bypasses Manual Review
The GitHub Action component runs during your build process, not during development. Review of your own repository won't catch it, because the malicious code lives in the dependency and executes in CI rather than in any file you diff. The action scans environment variables, configuration files, and common secret locations, then exfiltrates everything it finds.

AI Coding Assistants Create New Attack Surfaces
MCP server injection exploits the trust relationship between your assistant and the servers it is configured to call. When you install a package that registers a malicious MCP server, the assistant treats it as legitimate infrastructure and can hand it credentials from environment variables, proprietary code, and architectural details from its working context.

DNS Fallback Defeats Network Monitoring
Egress filtering can block HTTPS connections to unknown domains, but almost every network lets DNS resolution through. These packages fall back to DNS tunneling when HTTPS fails, encoding stolen data in the subdomain labels of queries to an attacker-controlled zone; your resolver forwards them like any other lookup. Your DNS logs will record the queries, but you need detection tuned for tunneling (long, high-entropy labels and many distinct subdomains under one zone) to recognize the exfiltration.

Cryptocurrency Keys Are Primary Targets
The packages specifically search for cryptocurrency wallet keys, seed phrases, and exchange API credentials. If your team manages any crypto infrastructure, even test keys used for blockchain integrations, these packages will find and exfiltrate those keys during the first build that installs them.

Packages Appear Legitimate
Several packages in the campaign had names similar to popular utilities and included functional code alongside the malicious payload. They passed initial inspection because they actually performed their advertised function while stealing credentials in the background.

Implications for Your Team

Your current dependency review process probably checks for known vulnerabilities through tools like npm audit or Snyk. Those tools match advisories against versions in your tree, so they won't flag these packages until a malware advisory is published for them, and that lags disclosure. The packages aren't exploiting a vulnerability in anything; they function exactly as their authors designed them to.

Treat your CI/CD secrets as exposed if any build in the last six months pulled one of these packages. The exfiltration happens during the build itself, so removing the package afterwards does nothing for secrets that were already sent; assume those production secrets are compromised and rotate them.

Your AI coding assistant may be compromised if you've installed packages that inject MCP servers. The compromise persists in your IDE configuration until you manually remove the malicious server.

If you manage cryptocurrency infrastructure, assume those keys are compromised if any of these packages appeared in your dependency tree. The packages specifically target crypto credentials because they're immediately monetizable.

Action Items by Priority

Audit Your Current Dependencies
Run npm ls --all in every repository and compare the output against Socket's published list of malicious packages. Don't just check package.json; check the entire resolved dependency tree in package-lock.json, including transitive dependencies, and do the same for any cached node_modules or container images your CI reuses. Remove any matches immediately and rotate all secrets that were available in those environments.
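One way to automate the lockfile half of that audit, as an added example rather than Socket's or npm's own tooling: walk a package-lock.json (lockfileVersion 2 or 3) and report every installed package, transitive ones included, that matches a denylist of names and versions. The denylist entries and the sample lockfile below are constructed placeholders, not the packages Socket reported; substitute the published names.

```javascript
// Denylist of package name -> set of bad versions ("*" means every version).
// These names are made up for the example.
const DENYLIST = {
  "example-color-utils": new Set(["*"]),
  "example-left-pad-fast": new Set(["1.4.2"]),
};

// Lockfile v2/v3 keys entries by install path, e.g.
// "node_modules/a/node_modules/@scope/b". The package name is everything
// after the last "node_modules/"; the root project is keyed by "".
function packageNameFromPath(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

function findDenylisted(lockfile, denylist = DENYLIST) {
  const hits = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromPath(key);
    if (!name || !Object.prototype.hasOwnProperty.call(denylist, name)) continue;
    const badVersions = denylist[name];
    if (badVersions.has("*") || badVersions.has(entry.version)) {
      hits.push({ name, version: entry.version, path: key, dev: Boolean(entry.dev) });
    }
  }
  return hits;
}

// Constructed lockfile: one denylisted package arrives transitively (nested
// under another dependency), one is a direct dev dependency.
const SAMPLE_LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "example-http-client": "^2.0.0" } },
    "node_modules/example-http-client": {
      version: "2.1.0",
      dependencies: { "example-color-utils": "^1.0.0" },
    },
    "node_modules/example-http-client/node_modules/example-color-utils": { version: "1.0.3" },
    "node_modules/example-left-pad-fast": { version: "1.4.2", dev: true },
    "node_modules/example-left-pad-fast/node_modules/example-safe-helper": { version: "0.1.0" },
  },
};

// CLI use: node check-lock.js path/to/package-lock.json
// Exits 1 when anything matches so a CI step can fail the build.
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const fs = require("fs");
  const lock = JSON.parse(fs.readFileSync(process.argv[2], "utf8"));
  const hits = findDenylisted(lock);
  for (const h of hits) {
    console.log(`DENYLISTED ${h.name}@${h.version} at ${h.path}${h.dev ? " (dev)" : ""}`);
  }
  process.exitCode = hits.length ? 1 : 0;
}
```

The nested path matters: a package that never appears in package.json still shows up under some `node_modules/.../node_modules/<name>` key, which is exactly the transitive case a grep of package.json misses. Lockfile version 1 uses a nested `dependencies` tree instead of the flat `packages` map and is not handled here.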

Review CI/CD Secret Exposure
Examine which secrets your build process can access. Remove any that aren't strictly necessary for the build. Scope the rest to the jobs that need them (GitHub Actions environments, explicit secrets on reusable workflows rather than secrets: inherit), and prefer short-lived credentials obtained through OIDC federation over long-lived keys stored as secrets. Tools like TruffleHog or GitHub's secret scanning find long-lived credentials committed to repositories, and their alerts are worth enabling, but neither detects a secret being read from the job environment and exfiltrated; for that you need egress controls and DNS monitoring.
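To see what an install-time payload would actually find, it helps to enumerate the secret-looking variables a job exposes. The following is an added example, not part of the article or of any vendor tool: it classifies environment variables by name and by well-known token prefixes and reports only names and a masked preview. The name patterns, the prefix list (AKIA/ASIA for AWS access key IDs, ghp_/github_pat_ for GitHub tokens, xox?- for Slack, npm_ for npm), and the sample environment are this example's own assumptions and are not exhaustive.

```javascript
// Variable names that usually hold credentials.
const NAME_PATTERNS = [
  /SECRET/i, /TOKEN/i, /PASSW(OR)?D/i, /API_?KEY/i, /PRIVATE_?KEY/i,
  /MNEMONIC/i, /SEED_?PHRASE/i, /WALLET/i, /CREDENTIAL/i,
];

// Value shapes that identify a credential regardless of its variable name.
const VALUE_PATTERNS = [
  { reason: "AWS access key ID", re: /^(AKIA|ASIA)[A-Z0-9]{16}$/ },
  { reason: "GitHub token", re: /^(ghp_|gho_|ghs_|github_pat_)[A-Za-z0-9_]+$/ },
  { reason: "Slack token", re: /^xox[abpr]-/ },
  { reason: "npm token", re: /^npm_[A-Za-z0-9]+$/ },
  { reason: "PEM private key", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
];

// Show the first four characters only; enough to recognise a key, not to use it.
function mask(value) {
  if (value.length <= 8) return "*".repeat(value.length);
  return value.slice(0, 4) + "*".repeat(value.length - 4);
}

// Returns [{ name, reasons, preview }] sorted by name. Never returns full values.
function findSecretLikeEnv(env) {
  const findings = [];
  for (const [name, value] of Object.entries(env)) {
    if (typeof value !== "string" || value === "") continue;
    const reasons = [];
    if (NAME_PATTERNS.some((re) => re.test(name))) reasons.push("name suggests a secret");
    for (const { reason, re } of VALUE_PATTERNS) {
      if (re.test(value)) reasons.push(reason);
    }
    if (reasons.length) findings.push({ name, reasons, preview: mask(value) });
  }
  return findings.sort((a, b) => a.name.localeCompare(b.name));
}

// Constructed sample environment; every value is fake (the AWS key is the
// documented AWS example key ID).
const SAMPLE_ENV = {
  CI: "true",
  HOME: "/home/runner",
  NODE_VERSION: "20.11.0",
  AWS_ACCESS_KEY_ID: "AKIAIOSFODNN7EXAMPLE",
  DB_PASSWORD: "correct-horse-battery-staple",
  NPM_TOKEN: "npm_aB3dE4fG5hI6jK7lM8nO9pQ0rS1tU2vW3xY4",
  WALLET_MNEMONIC: "abandon abandon abandon abandon about",
  DEPLOY_KEY: "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n-----END OPENSSH PRIVATE KEY-----",
};

// CLI use inside a CI step: node audit-env.js --scan
// Prints what the job can see so you can cut the list down to what it needs.
if (typeof process !== "undefined" && process.argv.includes("--scan")) {
  for (const f of findSecretLikeEnv(process.env)) {
    console.log(`${f.name}\t${f.preview}\t${f.reasons.join("; ")}`);
  }
}
```

Run it as its own step early in a workflow, before any dependency install, and compare the list against what the build genuinely needs; every extra entry is something a malicious package would have exfiltrated.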

Implement Package Verification
Add a package verification step before installation. Tools like Socket, Snyk, or Phylum analyze package behavior before it enters your environment; use one of them to require approval for new dependencies and to flag packages with suspicious characteristics: network access at install time, filesystem writes outside the package's own directory, or obfuscated code. Independently of any tool, set ignore-scripts=true in the project's .npmrc (or run npm ci --ignore-scripts) so lifecycle scripts cannot run during CI installs, and re-enable them only for the specific packages that need a build step.

Inspect AI Assistant Configurations
If your team uses AI coding assistants, audit the MCP servers registered in each assistant's configuration file and the extensions installed in your IDE. Remove any that you didn't explicitly install from a trusted source. Marketplace reviews and installation counts are a useful first filter, since legitimate extensions have established user bases, but both can be inflated, so treat them as a signal rather than proof.

Monitor DNS for Exfiltration Patterns
Deploy DNS monitoring that detects tunneling attempts. Look for queries with unusually long or high-entropy subdomain labels, many distinct subdomains under a single zone, or sustained query volumes to a domain nobody in your environment has a reason to use. Zeek's dns.log supplies the fields for this kind of analysis, and Suricata rule sets include signatures for common tunneling tools.
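The fallback channel described under Key Findings and the monitoring recommended here fit in one worked example. This is an added example, not code from Socket's report or from the campaign: the attacker side is simulated by hex-encoding a fake secrets file into query labels under a reserved .example zone, and the detector profiles constructed log lines by approximate registered domain. The log format, the domain names, the thresholds, and the "last two labels" approximation of a registered domain are all assumptions of this example.

```javascript
// Attacker side: hex-encode the payload and split it into labels of at most
// 60 characters (DNS allows 63) under an attacker-controlled zone. A sequence
// number makes every query name unique so no cache short-circuits it.
function encodeForDns(payload, zone, chunk = 60) {
  const hex = Buffer.from(payload, "utf8").toString("hex");
  const names = [];
  for (let i = 0, seq = 0; i < hex.length; i += chunk, seq++) {
    names.push(`${hex.slice(i, i + chunk)}.${seq}.${zone}`);
  }
  return names;
}

// Shannon entropy in bits per character; hex data approaches 4, words sit near 2-3.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Simplified, constructed log line: "<timestamp> <client> <qname> <qtype>".
// Real Zeek dns.log or resolver logs carry more fields; only the name is used.
function parseQueryNames(lines) {
  return lines
    .map((l) => l.trim())
    .filter((l) => l && !l.startsWith("#"))
    .map((l) => l.split(/\s+/)[2]);
}

// Group queries by approximate registered domain (last two labels; use the
// Public Suffix List in production so names like example.co.uk group correctly)
// and compute the features that separate tunnels from ordinary lookups.
function profileQueries(qnames) {
  const byDomain = new Map();
  for (const qname of qnames) {
    const labels = qname.toLowerCase().replace(/\.$/, "").split(".");
    const domain = labels.slice(-2).join(".");
    const sub = labels.slice(0, -2);
    let p = byDomain.get(domain);
    if (!p) {
      p = { domain, queries: 0, subdomains: new Set(), lengthSum: 0, entropySum: 0 };
      byDomain.set(domain, p);
    }
    p.queries += 1;
    if (sub.length) {
      p.subdomains.add(sub.join("."));
      p.lengthSum += sub[0].length; // the leftmost label carries the data
      p.entropySum += shannonEntropy(sub[0]);
    }
  }
  return [...byDomain.values()].map((p) => ({
    domain: p.domain,
    queries: p.queries,
    uniqueSubdomains: p.subdomains.size,
    meanFirstLabelLength: p.lengthSum / p.queries,
    meanFirstLabelEntropy: p.entropySum / p.queries,
  }));
}

// Flag a zone when nearly every query has a distinct subdomain AND the leading
// labels are long or high-entropy. Thresholds are starting points to tune.
function flagTunnels(profiles, opts = {}) {
  const { minQueries = 5, minUniqueRatio = 0.8, minLabelLength = 24, minEntropy = 3.2 } = opts;
  return profiles
    .filter((p) => p.queries >= minQueries
      && p.uniqueSubdomains / p.queries >= minUniqueRatio
      && (p.meanFirstLabelLength >= minLabelLength || p.meanFirstLabelEntropy >= minEntropy))
    .map((p) => p.domain);
}

// Constructed sample: ordinary build traffic plus a fake secrets file being
// tunneled out. All credential values below are fake.
const FAKE_PAYLOAD = [
  "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
  "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "DB_PASSWORD=correct-horse-battery-staple",
  "NPM_TOKEN=npm_fake00000000000000000000000000000000",
].join("\n");
const BENIGN_QUERIES = [
  "registry.npmjs.org", "registry.npmjs.org", "registry.npmjs.org", "registry.npmjs.org",
  "api.github.com", "api.github.com", "github.com",
  "pipelines.actions.githubusercontent.com", "objects.githubusercontent.com",
];
const SAMPLE_LOG = [...BENIGN_QUERIES, ...encodeForDns(FAKE_PAYLOAD, "cdn-metrics.example")]
  .map((q, i) => `2024-05-01T10:00:${String(i % 60).padStart(2, "0")}Z 10.0.0.5 ${q} A`);

function detectFromLog(lines) {
  return flagTunnels(profileQueries(parseQueryNames(lines)));
}
```

The uniqueness ratio is what separates a tunnel from a busy but legitimate zone: a registry queried hundreds of times produces one subdomain, while an exfiltration run produces a new subdomain for every chunk. Running detectFromLog over the constructed log flags only the attacker's zone.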

Rotate Exposed Credentials
Rotate all API tokens, database credentials, and service account keys that were accessible to any build that pulled suspicious packages. This includes credentials stored in environment variables, configuration files, and secret management systems that your CI/CD can access.

Establish Dependency Approval Workflows
Require security team approval for new npm packages before developers can add them to projects. Create an approved package list for common utilities. For new packages, require a minimum age (30+ days since publication), an established maintainer history, and behavioral analysis showing no install-time scripts, no unexpected network access, and no suspicious file operations.
