SANDWORM_MODE malicious npm supply-chain worm campaign
Campaign
Summary
An active SANDWORM_MODE supply-chain campaign is using at least 19 malicious npm packages to steal credentials and cryptocurrency keys from developer environments. The packages spread by abusing stolen npm and GitHub identities, turning package installs into a propagation channel. The payload adds GitHub API exfiltration, MCP server injection, and SSH propagation fallback, increasing the chance of follow-on compromise. The activity matters because it combines supply-chain infection, secret theft, and self-propagation in one developer-facing operation.
Related Happenings
Malware-Slop malicious npm file-theft campaign
Campaign
First: 27.05.2026 18:44
Last: 27.05.2026 18:44
Sources 1
About this happening:
The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...
Mouse5212-super-formatter postinstall GitHub exfiltration package
Malware Activity
First: 27.05.2026 18:44
Last: 27.05.2026 18:44
Sources 1
About this happening:
The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...
TrapDoor cross-ecosystem supply-chain campaign
Campaign
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources 1
About this happening:
The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...
Laravel Lang credential-stealer dropper delivered through malicious Composer packages
Malware Activity
First: 23.05.2026 23:48
Last: 23.05.2026 23:48
Sources 1
About this happening:
A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...
Megalodon GitHub CI/CD supply-chain campaign
Campaign
First: 22.05.2026 14:55
Last: 22.05.2026 14:55
Sources 1
About this happening:
The **Megalodon** campaign pushed **5,718 malicious commits** into **5,561 GitHub repositories** in about **six hours**, creating a broad **CI/CD secret-theft** risk across develo...
Timeline
- 23.02.2026 12:20 (2 articles)
SANDWORM_MODE supply-chain worm disclosure
Initial Disclosure: Security researchers disclosed an active Shai-Hulud-like supply-chain worm campaign codenamed SANDWORM_MODE that used at least 19 malicious npm packages, published by the aliases official334 and javaorg, to harvest credentials, API tokens, and cryptocurrency keys from developer environments. The worm propagated through stolen npm and GitHub identities and added GitHub API exfiltration, hook-based persistence, SSH propagation fallback, and MCP server injection against AI coding assistants.
Sources:
- Malicious npm Packages Harvest Crypto Keys, CI Secrets, and API Tokens — thehackernews.com — 23.02.2026 12:20