Find notable cyber news and cases, enriched with sources, timelines, and signals.

SANDWORM_MODE malicious npm supply-chain worm campaign

Campaign
First reported
Last updated
Happening score
H score 45
1 unique sources, 1 articles

Summary

Hide ▲

An active SANDWORM_MODE supply-chain campaign is using at least 19 malicious npm packages to steal credentials and cryptocurrency keys from developer environments. The packages spread by abusing stolen npm and GitHub identities, turning package installs into a propagation channel. The payload adds GitHub API exfiltration, MCP server injection, and SSH propagation fallback, increasing the chance of follow-on compromise. The activity matters because it combines supply-chain infection, secret theft, and self-propagation in one developer-facing operation.

Related Happenings

GitHub npm version 12 hardens installs and token management

Security Tool/Service
H score11 First: 09.07.2026 19:49 Last: 09.07.2026 19:49 Sources 1

About this happening: **GitHub** released **npm version 12**, making install-time scripts opt-in by default and tightening **package publishing** controls to reduce **supply-chain risk**. The update al...

GitHub npm GAT publish-token mitigation guidance

Advisory/Mitigation
H score25 First: 09.07.2026 19:49 Last: 09.07.2026 19:49 Sources 1

About this happening: GitHub is steering **npm users** away from **long-lived publish tokens** as **npm GATs** that bypass **2FA** lose direct publishing and sensitive-management abilities. The recomme...

GitHub Agentic Workflows indirect prompt injection security flaw

Vulnerability
H score27 First: 07.07.2026 17:04 Last: 07.07.2026 17:04 Sources 1

About this happening: **GitHub Agentic Workflows** has an **indirect prompt injection** flaw that can let a **public issue** leak content from **private repositories** into public comments. The risk is...

Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks

Malware Activity
H score30 First: 29.06.2026 08:36 Last: 29.06.2026 08:36 Sources 1

About this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...

Codfish/semantic-release-action hit by network compromise

Incident
H score21 First: 26.06.2026 14:05 Last: 26.06.2026 14:05 Sources 1

About this happening: The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...

Timeline

  1. 23.02.2026 12:20 2 articles · 4mo ago

    SANDWORM_MODE supply-chain worm disclosure

    Initial Disclosure

    Security researchers disclosed an active Shai-Hulud-like supply-chain worm campaign codenamed SANDWORM_MODE that used at least 19 malicious npm packages, published by the aliases official334 and javaorg, to harvest credentials, API tokens, and cryptocurrency keys from developer environments while propagating through stolen npm and GitHub identities and adding GitHub API exfiltration, hook-based persistence, SSH propagation fallback, and MCP server injection against AI coding assistants.

    Show sources