
Malicious NPM Packages Target Crypto Keys, CI Secrets, and API Tokens

Malicious npm Packages Harvest Crypto Keys, CI Secrets, and API Tokens

Cybersecurity experts have uncovered an active supply chain worm campaign named SANDWORM_MODE, leveraging at least 19 malicious npm packages for credential harvesting and cryptocurrency key theft. These packages, attributed to npm aliases official334 and javaorg, siphon sensitive data such as API keys and system information by exploiting vulnerabilities in developer environments. Notably, the malware incorporates advanced features like GitHub API exfiltration, a kill switch for data destruction, and targeted attacks on AI coding assistants. The payload even includes a polymorphic engine for evading detection. Users are urged to uninstall these packages immediately, rotate their npm and GitHub tokens, and scrutinize their project files for unauthorized modifications. This campaign follows similar threats identified in other malicious npm packages like buildrunner-dev and eslint-verify-plugin, which also facilitate widespread system compromises. Staying vigilant against these evolving threats is essential for developers to protect their environments from potential attacks.
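To support the uninstall advice above, here is an added example (not code from the original report) that audits a parsed `package-lock.json` for flagged package names, including transitive dependencies. The blocklist holds only the two package names this page mentions; the 19 SANDWORM_MODE names are not listed here and must be added from the advisory you rely on. `findFlagged`, `nameFromPath` and the sample lockfile are constructed for illustration.

```javascript
// Added example. The blocklist contains only names that appear on this page;
// extend it with the package names from the advisory you are working from.
const FLAGGED = new Set(["buildrunner-dev", "eslint-verify-plugin"]);

// Extract the package name from a lockfile v2/v3 "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

// Return [{name, version, location}] for every flagged package, direct or transitive.
function findFlagged(lock, flagged = FLAGGED) {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || nameFromPath(path);
    if (name && flagged.has(name)) {
      hits.push({ name, version: meta.version || null, location: path });
    }
  }
  // lockfileVersion 1 has only the nested "dependencies" tree. Version 2
  // repeats it next to "packages", so skip it there to avoid duplicate hits.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const location = trail.concat(name).join(" > ");
      if (flagged.has(name)) {
        hits.push({ name, version: meta.version || null, location });
      }
      walk(meta.dependencies, trail.concat(name));
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/some-tool/node_modules/eslint-verify-plugin": { version: "0.0.1" },
  },
};

console.log(findFlagged(SAMPLE_LOCK));
```

For a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findFlagged`; the `location` field shows which dependency pulled the flagged package in.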
