A new chapter in the long history of attacks on the developer supply chain has come to light, and it makes clear that compromise vectors continue to evolve rapidly. Security researchers have identified an active campaign that uses malicious packages published on npm as vehicles to steal credentials and cryptocurrency keys and, above all, to spread as a worm through development environments. The firm that reported it has named the operation SANDWORM_MODE and has documented a complex mix of techniques aimed at maximizing reach and damage.
Technical research published by Socket describes how the attackers grouped at least 19 npm packages, published from two publisher aliases, into a typosquatting and deliberate distribution campaign. Among the names detected are packages with suspicious names such as claud-code, cloude, crypto-locale, crypto-reader-info, detect-cache, node-native-bridge, opencraw, secp256 and others that mimic legitimate utilities to deceive developers and automation. In addition, four "dormant" packages have been identified that, for now, carry no malicious payload, which suggests the operator is holding them in reserve.

What distinguishes SANDWORM_MODE is the combination of components: a first stage that acts as an initial "collector" and a second stage that, after a period of latency, activates advanced capabilities. The modules found can capture GitHub and npm access tokens, CI/CD environment secrets, environment variables, npm configuration files and, in some cases, private keys and credentials associated with cryptocurrency wallets. The design is deliberate: the first stage opens the door and the second stage exploits that access for mass collection and propagation.
The campaign is not limited to the typical execution on local machines. The packages include a crafted GitHub Action that extracts secrets from pipelines and sends them out of the affected environment over HTTPS, with a fallback mechanism using DNS to ensure exfiltration even if conventional channels fail. There is also code that acts as a destructive kill switch: if the malware loses access to its control repositories, it can try to delete the contents of the user's home directory; that wiping mechanism ships disabled in the analyzed samples, but its mere existence is alarming.
Another critical point is the explicit targeting of programming assistants and tools based on language models. The researchers describe a module called "McpInject" that sets up a fake server compatible with the Model Context Protocol (MCP) and registers it as a legitimate tool provider. This server offers "tools" that hide prompt injections designed to read sensitive files, such as SSH keys, .aws credentials or .npmrc and .env files, and stage them for exfiltration. According to the report, the targeted implementations include popular assistants and editors such as Claude Code, Claude Desktop, Cursor, Microsoft Visual Studio Code and other modern integrations, making AI toolchains a new attack front. More information on the concept of tools in MCP can be found in the official documentation: Model Context Protocol - tools.
In addition, the malware has been found to use techniques to evade static and dynamic analysis: the operators have built in a polymorphic engine capable of invoking a model locally (the analysis references the DeepSeek Coder project) in order to rename variables, rewrite control flow, insert junk code and encode strings. Although this functionality is disabled in current samples, its presence indicates that the authors plan to make future versions more sophisticated and harder to detect.
The campaign architecture also includes a scheduled delay: the second stage is not activated immediately, but after at least 48 hours, plus a per-machine randomization that can add up to a further 48 hours. This behaviour reduces the likelihood of the operation being detected by analyses run at install time and allows sustained infiltration before the most aggressive phase is carried out.
In parallel with this discovery, other security firms have reported malicious npm packages with similar aims. Veracode described another deception with a payload hidden inside a PNG image that ends up running a RAT, while JFrog detailed a package that impersonates a legitimate ESLint utility and triggers a multi-platform infection chain, deploying agents for Windows, macOS and Linux and taking advantage of known C2 frameworks. These findings show a pattern: fake libraries and extensions seek persistence and data-extraction mechanisms that go far beyond a simple malicious installation. Veracode's analysis can be read here: Veracode - Malicious npm package.
There are also editor-focused vectors: Checkmarx has identified a Visual Studio Code extension that impersonates an official Solidity extension and quietly installs payloads such as ScreenConnect and backdoors on different platforms. This type of deception against niche communities (in this case, smart contract developers) underlines how attackers choose targets where the impact and the implicit trust in specific tools can facilitate infection. Its report is available at: Checkmarx - report on malicious extension.

What can teams and developers do right now? First, it is essential to assume that any suspicious package detected in projects should be removed and that any credentials that could have been exposed (npm tokens, GitHub Actions secrets, CI/CD keys) should be rotated immediately. It is also recommended to audit repositories for unexpected changes in files such as package.json, lock files and workflows under .github/workflows, and to revoke tokens with broad permissions. Beyond the immediate response, it is appropriate to tighten trust controls in the supply chain: require code reviews, prefer packages with recognized maintainers and a track record, use package signatures or reproducible-build verification where possible, and apply the principle of least privilege to tokens and secrets.
Security teams should also monitor for abnormal activity in GitHub accounts and CI logs, introduce automated dependency analysis and use sandboxing for unknown installations. Enabling multifactor authentication on publishing accounts and hosting platforms reduces the ease with which an actor can hijack identities to publish new malicious releases. Finally, for platform and repository managers, cooperation with security services and the rapid removal of packages confirmed as malicious are critical measures to limit spread.
The study of campaigns such as SANDWORM_MODE reaffirms a lesson that is already known but under-applied: modern toolchains, including those that incorporate AI assistants and models, expand the attack surface and require a combination of hygiene, technical monitoring and a security culture among developers. The research from Socket, JFrog, Veracode and Checkmarx provides further technical details and indicators for those who want to go deeper; it helps them contextualize and make informed decisions in the short term.