Security researchers at Socket‘s Threat Research have uncovered a new supply-chain attack that blends typosquatting, credential theft, and emerging attacks on AI-assisted developer tooling.
The campaign, tracked as SANDWORM_MODE, is being described as a worm-like operation capable of spreading across repositories once developer or CI credentials are compromised.
The research documents malicious npm packages designed to closely resemble legitimate tools. These packages function as expected on the surface but silently collect secrets and attempt to propagate once installed.
After harvesting credentials, the malware targets continuous integration systems, injecting workflows that can access repository secrets. These workflows allow the attackers to move laterally across projects, spreading the infection to additional repositories and dependencies without requiring direct user interaction.
A related GitHub Action, marketed as a routine code-quality tool, was also identified as part of the campaign’s infrastructure. When triggered in CI, it can collect secrets and assist in further propagation.
AI tools enter the attack surface
It also targets AI coding assistants, modifying local AI tool configurations to register a rogue helper service that quietly instructs the assistant to collect sensitive files and credentials.
The known malicious packages and infrastructure have been taken down, but the approach highlights a growing risk in how AI tools, now deeply embedded in developer workflows, can be abused as indirect data-collection mechanisms if their trust boundaries are compromised.
Trust in tooling should always be continuously verified, not assumed.
Leave a Reply