SANDWORM_MODE: 19 npm typosquats with self-spreading worm + AI toolchain poisoning
Socket disclosed a Shai-Hulud-style self-propagating worm spread across at least 19 typosquatted npm packages from accounts official334 and javaorg. It harvests CI secrets and crypto keys, propagates via stolen npm/GitHub tokens, and injects prompt-injection logic into MCP servers used by AI coding assistants.
- Detected by
- Socket
- Also known as
- SANDWORM_MODE · Shai-Hulud variant
- Ecosystems
- npm
- Packages tracked
- 19
What happened
Socket called this campaign SANDWORM_MODE after a marker string embedded in the worm payload. It is a Shai-Hulud-style self-propagating attack — same shape as the September 2025 original — refined to target the AI-developer-tools surface specifically.
Nineteen typosquatted packages were published from two npm accounts: official334 and javaorg. The package names cluster around AI coding tools and their adjacent typo space (claud-code, cloude-code, cloude, opencraw). On install, the payload harvests CI secrets, npm and GitHub tokens, and any crypto keys it can find; then it uses the stolen tokens to publish further malicious versions of any package the maintainer can reach.
The novel piece is the MCP-server injection: the worm modifies mcp.json and equivalent config files on disk to attach prompt-injection logic that targets downstream AI coding assistants. The intent is to weaponise the assistant's own context — when a developer asks Claude Code, Cursor, or similar to "look at the issue and fix it," the poisoned MCP server returns content engineered to make the assistant produce malicious follow-on actions.
Defenders should audit dev environments for any reference to ci-quality/code-quality-check@v1 (a planted GitHub Actions workflow used for propagation) and block egress to the *.workers.dev exfil endpoints listed in the Socket post.
Affected packages (19)
- npm
claud-code0.2.1 - npm
cloude0.3.0 - npm
cloude-code0.2.1 - npm
crypto-locale1.0.0 - npm
crypto-reader-info1.0.0 - npm
detect-cache1.0.0 - npm
format-defaults1.0.0 - npm
hardhta1.0.0 - npm
locale-loader-pro1.0.0 - npm
naniod1.0.0 - npm
node-native-bridge1.0.0 - npm
opencraw2026.2.17 - npm
parse-compat1.0.0 - npm
rimarf1.0.0 - npm
scan-store1.0.0 - npm
secp2561.0.0 - npm
suport-color1.0.1 - npm
veim2.46.2 - npm
yarsg18.0.1
Impact
- CI/CD secrets, npm tokens, GitHub tokens and crypto keys exfiltrated
- AI coding tools (Claude Code and OpenClaw impersonations) targeted for downstream developer compromise
- Worm propagation through stolen publish credentials
What to do
- 1Remove any of the 19 listed packages; rotate npm/GitHub/cloud tokens
- 2Audit dev environments for
ci-quality/code-quality-check@v1references - 3Block egress to *.workers.dev exfil endpoints listed in the Socket post