Find notable cyber news and cases, enriched with sources, timelines, and signals.

SANDWORM_MODE supply-chain worm targeting AI assistant configs

Malware Activity
First reported
Last updated
Happening score
H score 30
1 unique sources, 1 articles

Summary

Hide ▲

The SANDWORM_MODE worm is spreading through malicious npm packages, stealing developer and CI credentials and injecting rogue MCP servers into AI assistant configurations. It also harvests API keys for multiple large language model providers, widening the blast radius beyond software dependencies. The operation uses typosquatting, compromised npm/GitHub accounts, and staged payloads to reach developers and CI environments. Anyone who installed affected packages faces secret theft, repository tampering, and downstream account compromise risk.

Related Happenings

GitHub API enumeration campaign targeting corporate organizations

Campaign
H score17 First: 09.07.2026 21:38 Last: 09.07.2026 21:38 Sources 1

About this happening: A **GitHub API reconnaissance campaign** is systematically mapping **corporate organizations**, repositories, and user accounts across multiple companies, expanding the risk of fo...

Malicious npm and PyPI payment SDK typosquat packages

Malware Activity
H score40 First: 09.07.2026 18:09 Last: 09.07.2026 18:09 Sources 1

About this happening: The **17 malicious npm and PyPI packages** targeted **Paysafe, Skrill, and Neteller SDKs** to steal **system information** and **developer secrets**, then send the data to an **Ng...

Malicious npm and PyPI Paysafe, Skrill, and Neteller SDK packages delivering stealer malware

Malware Activity
H score37 First: 08.07.2026 22:54 Last: 08.07.2026 22:54 Sources 1

About this happening: Malicious **npm** and **PyPI** packages impersonating **Paysafe**, **Skrill**, and **Neteller** SDKs delivered **stealer malware** that siphoned secrets from developer environment...

Rollup polyfill npm package malware activity for remote access and data theft

Malware Activity
H score16 First: 03.07.2026 19:07 Last: 03.07.2026 19:07 Sources 1

About this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...

Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks

Malware Activity
H score30 First: 29.06.2026 08:36 Last: 29.06.2026 08:36 Sources 1

About this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...

Timeline

  1. 23.02.2026 18:00 2 articles · 4mo ago

    SANDWORM_MODE supply-chain worm disclosed

    Initial Disclosure

    Socket's Threat Research Team disclosed SANDWORM_MODE as a Shai-Hulud-like supply-chain worm spreading through at least 19 malicious npm packages published under the aliases official334 and javaorg. The malware used typosquatting and a concealed multi-stage payload to steal developer and CI credentials, inject rogue MCP servers into AI assistant configurations such as Claude Desktop, Cursor, VS Code Continue and Windsurf, and harvest API keys for nine large language model providers. Socket also said it notified npm, GitHub and Cloudflare, and that Cloudflare disabled associated infrastructure, npm removed the malicious packages, and GitHub dismantled related repositories.

    Show sources