SANDWORM_MODE Shai-Hulud-Style npm Worm Targeting Developer and CI/CD Secrets
A Shai-Hulud-like supply chain worm tracked as SANDWORM_MODE is actively targeting the npm ecosystem, using typosquatted packages and poisoned GitHub Actions to compromise developer workstations and CI/CD pipelines. Reporting attributes the campaign to at least 19 malicious npm packages published under two npm publisher aliases; the packages are designed to look legitimate and keep their expected functionality while running a multi-stage JavaScript payload when installed or imported. The malware focuses on stealing npm and GitHub tokens, environment variables, .npmrc credentials, crypto keys, and other developer and CI secrets. In CI environments it executes immediately, skipping the delays it otherwise uses, so that theft and propagation happen during routine dependency installation.
Technical analysis indicates SANDWORM_MODE extends prior Shai-Hulud tradecraft with additional propagation and exfiltration mechanisms: GitHub API-driven repository and workflow injection using GITHUB_TOKEN, HTTPS exfiltration with a DNS fallback, persistence via hooks, and fallbacks such as SSH-based propagation. The campaign is also described as poisoning AI toolchains, including MCP server injection with embedded prompt-injection content aimed at AI coding assistants, and harvesting LLM API keys. A configurable “dead switch” destructive routine is reported to be present but disabled by default; its logic can trigger wiping of the home directory if the malware loses access to both GitHub (used for exfiltration) and npm (used for propagation). Together these point to iterative development, with feature flags and guardrails still visible in some builds.
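The two install-time properties every wave in this story relies on are lifecycle scripts that run code during `npm install` and package names that impersonate something a team already trusts, plus long-lived tokens sitting in `.npmrc`. The check below is an added example written for this page, not code from Socket or any of the vendors cited; it audits manifests of the shape found in each `node_modules/*/package.json` against an allowlist you maintain. The function names (`auditManifests`, `inlineNpmTokens`), the allowlist and the sample manifests are all constructed for illustration; the versions attached to the sample names are placeholders, not the versions that were published.

```javascript
// Added example: audit an installed dependency tree for install-time hooks,
// typosquatted names and inline npm tokens. Inputs are plain objects of the
// shape found in package.json; the sample data at the bottom is constructed.

// Scripts that npm runs automatically during install, in execution order.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Optimal-string-alignment distance: Levenshtein plus adjacent transposition,
// so a swapped pair of letters ("tempalte" vs "template") costs 1.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Nearest approved name within `maxDist` edits of `name`, or null.
function nearestApproved(name, approved, maxDist = 2) {
  let best = null;
  for (const candidate of approved) {
    if (candidate === name) continue;
    const dist = osaDistance(name, candidate);
    if (dist <= maxDist && (best === null || dist < best.dist)) best = { candidate, dist };
  }
  return best;
}

// One finding per problem; an empty array means the tree is clean.
// A name off the allowlist is reported either as a likely typosquat (close to
// an approved name) or simply as unapproved (e.g. a prefix-style lookalike
// that edit distance does not catch).
function auditManifests(manifests, approved) {
  const approvedSet = new Set(approved);
  const findings = [];
  for (const m of manifests) {
    const hooks = INSTALL_HOOKS.filter((h) => m.scripts && typeof m.scripts[h] === 'string');
    if (hooks.length) {
      findings.push({ name: m.name, version: m.version, kind: 'install-hook', detail: hooks.join(',') });
    }
    if (!approvedSet.has(m.name)) {
      const near = nearestApproved(m.name, approved);
      findings.push({
        name: m.name,
        version: m.version,
        kind: near ? 'typosquat' : 'unapproved',
        detail: near ? `${near.dist} edit(s) from ${near.candidate}` : 'not on the allowlist',
      });
    }
  }
  return findings;
}

// .npmrc lines of the form //registry.npmjs.org/:_authToken=<literal> hold the
// long-lived publish tokens the worm harvests. Lines that reference an
// environment variable (${NPM_TOKEN}) are npm's supported indirection and
// are not reported. Returns the keys of the offending lines.
function inlineNpmTokens(npmrcText) {
  return npmrcText
    .split('\n')
    .map((l) => l.trim())
    .filter((l) => /_authToken=/.test(l) && !/\$\{[A-Z0-9_]+\}/.test(l))
    .map((l) => l.split('=')[0]);
}

// Constructed sample: what a walk of node_modules/*/package.json might yield.
// Versions are placeholders, not the published versions of these names.
const SAMPLE_MANIFESTS = [
  { name: 'chalk-template', version: '1.0.0', scripts: { test: 'ava' } },
  { name: 'chalk-tempalte', version: '1.0.0', scripts: { preinstall: 'node setup.js' } },
  { name: 'crypto-javascri', version: '1.0.0', scripts: {} },
  { name: 'left-pad', version: '1.0.0' },
];
const APPROVED = ['chalk-template', 'crypto-js', 'left-pad'];

function runSampleAudit() {
  return auditManifests(SAMPLE_MANIFESTS, APPROVED);
}

for (const f of runSampleAudit()) console.log(`${f.kind}\t${f.name}@${f.version}\t${f.detail}`);
```

On the constructed sample the audit reports chalk-tempalte twice (a preinstall hook and one edit from chalk-template) and crypto-javascri once as unapproved; the allowlist, not the edit distance, is what catches the second case. Running `npm ci --ignore-scripts` and then auditing before allowing hooks to run keeps the first class of finding from executing at all.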

How this story unfolded
17 events from the most recent confirmed update back to the earliest known activity.
Wiz reports TeamPCP campaign hitting @antv, GitHub Actions, and VSCode
On 2026-05-19, Wiz Research reported a new Shai-Hulud-style supply-chain wave affecting @antv npm packages, the GitHub Actions actions-cool/maintain-one-comment and actions-cool/issues-helper, and the VSCode extension nrwl.angular-console 18.95.0. Wiz attributed the activity with moderate confidence to TeamPCP and said the malware stole developer and cloud credentials, exfiltrated data through attacker-created public GitHub repositories, and installed a Python backdoor that polled GitHub for signed commands.
Researchers find copycat npm packages using leaked Shai-Hulud code
OX Security identified four malicious npm packages published by the user deadcode09284814 that delivered multiple payloads, including infostealers and the Phantom Bot DDoS malware. One package, chalk-tempalte, reportedly cloned the recently leaked Shai-Hulud worm code, stole credentials and secrets, and used stolen GitHub tokens to create public repositories labeled "A Mini Sha1-Hulud has Appeared."
TeamPCP publicly releases Shai-Hulud source code on GitHub
On 2026-05-12, SlowMist reported that the TeamPCP threat group publicly released the full Shai-Hulud malware source code on GitHub. Researchers said the release enabled rapid forking and copycat activity, broadening attacker access to the npm supply-chain worm’s capabilities.
Attackers compromise 20 @tanstack npm packages with Shai-Hulud worm
On 2026-05-11, attackers published malicious versions of 20 @tanstack/* npm packages, including react-router, react-start, vue-router, solid-router, router-core, and history, embedding an obfuscated stealer/worm payload. The malware stole credentials from developer, CI/CD, cloud, Kubernetes, npm, GitHub, and AI-tooling environments, exfiltrated data to attacker infrastructure, and propagated via stolen npm tokens, GitHub Actions OIDC tokens, and malicious workflow injection; npm later deprecated the affected versions as compromised.
Typosquatted crypto-javascri package launches Tor-backed npm worm
On 2026-05-11, attackers published the typosquatted npm package crypto-javascri to impersonate crypto-js and deploy a worm that stole npm and GitHub credentials, validated them, and republished trojanized versions of victims’ own packages from compromised maintainer accounts. CloudSEK said the malware used npm preinstall, Claude Code SessionStart hooks, and a VS Code folderOpen task for execution, then installed a Tor-backed Rust implant with persistence and cryptomining on Linux developer and CI/CD systems.
Researchers identify malicious intercom-client npm release
On 2026-04-30, researchers identified intercom-client@7.0.4, the official Node.js SDK for the Intercom API, as a malicious npm package after confirming version 7.0.3 was clean. The trojanized release used a preinstall dropper and Bun-based payload to steal secrets from developer, CI/CD, cloud, Kubernetes, GitHub, npm, and AI tooling environments, propagate through npm and GitHub workflows, and was later yanked from npm.
Gurucul publishes Shai-Hulud IOCs and threat-hunting guidance
Gurucul released a threat research article on the Shai-Hulud npm worm that included indicators of compromise such as domains, IP addresses, file hashes, and an email address, along with detection queries for threat hunting and incident response. The publication framed Shai-Hulud as a major escalation in npm supply-chain attacks while adding actionable technical detection details.
Researchers disclose new self-propagating npm worm with PyPI crossover
On 2026-04-22, Socket and StepSecurity disclosed a new npm supply-chain worm affecting packages tied to Namastex Labs that steals developer, cloud, CI/CD, AI-platform, and other secrets, then republishes trojanized packages from compromised accounts using stolen npm publish tokens. Researchers also found the malware can spread into Python packages via PyPI credentials and a .pth-based payload, making it a multi-ecosystem threat.
Vendors disrupt campaign infrastructure and remove malicious assets
After Socket's notification, Cloudflare, GitHub, and npm took coordinated action to dismantle the campaign infrastructure, including removing malicious workers, repositories, accounts, GitHub Actions assets, and npm packages. References describe this as a coordinated disruption following researcher notification.
Socket identifies and discloses the SANDWORM_MODE worm campaign
Socket's Threat Research Team reported an active Shai-Hulud-like npm supply-chain worm campaign, naming it SANDWORM_MODE and detailing its credential theft, CI poisoning, repository propagation, git-hook persistence, and AI assistant MCP injection capabilities. The disclosure also highlighted a disabled destructive "dead switch" and staged execution designed to evade analysis.
Attackers publish malicious npm packages and GitHub Action
The SANDWORM_MODE campaign deployed at least 19 malicious npm packages under the aliases "official334" and "javaorg," along with a public GitHub Action repository masquerading as a code-quality scanner. These components were used to steal developer and CI secrets, infect repositories, and propagate through npm and GitHub workflows.
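A workflow that pulls a third-party action by a mutable tag inherits whatever gets pushed to that tag, which is how a poisoned action or a lookalike "quality scanner" ends up running with the job's GITHUB_TOKEN. The check below is an added example for this page, not tooling from Socket, GitHub or the campaign itself: it scans a workflow's `uses:` lines for unpinned references and unvetted publishers and reports whether the top-level `permissions:` block leaves the token writable. It uses regexes over the raw text so it needs no YAML library, and it only inspects the top-level block (a scoped mapping that still grants `contents: write` is not examined further). The function names, the approved-owner set and the sample workflow, including the owner `example-unvetted-org` and the placeholder commit SHA, are constructed for illustration.

```javascript
// Added example: line-oriented audit of a GitHub Actions workflow for the
// properties abused in this story: third-party actions pulled by mutable tag,
// publishers outside an allowlist, and a GITHUB_TOKEN that is not restricted
// to read access. The sample workflow at the bottom is constructed.

const SHA_REF = /^[0-9a-f]{40}$/; // a full commit SHA is the only immutable ref

// Parse every `uses:` reference into {line, owner, repo, ref}.
// Local (./path) and docker:// references are skipped; they are not
// registry-fetched actions.
function parseUses(workflowText) {
  const out = [];
  workflowText.split('\n').forEach((raw, idx) => {
    const m = raw.match(/^\s*-?\s*uses:\s*["']?([^"'\s#]+)/);
    if (!m) return;
    const ref = m[1];
    if (ref.startsWith('./') || ref.startsWith('docker://')) return;
    const [path, version = ''] = ref.split('@');
    const [owner, repo] = path.split('/');
    out.push({ line: idx + 1, owner, repo, ref: version });
  });
  return out;
}

// Classify the top-level `permissions:` block: 'missing' (inherits the
// repository default), 'write-all', 'read-all', or 'scoped' (a mapping).
function tokenPermissions(workflowText) {
  const lines = workflowText.split('\n');
  const i = lines.findIndex((l) => /^permissions:/.test(l));
  if (i === -1) return 'missing';
  const value = lines[i].replace(/^permissions:\s*/, '').trim();
  if (value === 'write-all') return 'write-all';
  if (value === 'read-all') return 'read-all';
  return 'scoped';
}

// One finding per problem; `approvedOwners` is a Set of action publishers
// the team has vetted. Line 0 marks a workflow-level finding.
function auditWorkflow(workflowText, approvedOwners) {
  const findings = [];
  for (const u of parseUses(workflowText)) {
    if (!approvedOwners.has(u.owner)) {
      findings.push({ line: u.line, kind: 'unapproved-publisher', detail: `${u.owner}/${u.repo}` });
    }
    if (!SHA_REF.test(u.ref)) {
      findings.push({ line: u.line, kind: 'mutable-ref', detail: `${u.owner}/${u.repo}@${u.ref || '(none)'}` });
    }
  }
  const perms = tokenPermissions(workflowText);
  if (perms !== 'read-all' && perms !== 'scoped') {
    findings.push({ line: 0, kind: 'token-writable', detail: `permissions: ${perms}` });
  }
  return findings;
}

// Constructed sample workflow. The SHA on line 8 is a placeholder, not a
// real setup-node commit; example-unvetted-org is a hypothetical publisher.
const SAMPLE_WORKFLOW = [
  'name: ci',
  'on: [push, pull_request]',
  'jobs:',
  '  build:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@v4',
  '      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567',
  '      - uses: example-unvetted-org/quality-scan@main',
  '      - run: npm ci',
].join('\n');
const APPROVED_OWNERS = new Set(['actions']);

function runSampleWorkflowAudit() {
  return auditWorkflow(SAMPLE_WORKFLOW, APPROVED_OWNERS);
}

for (const f of runSampleWorkflowAudit()) console.log(`line ${f.line}\t${f.kind}\t${f.detail}`);
```

On the sample this reports checkout@v4 as a mutable ref, the unvetted publisher on line 9 twice (unknown owner and a branch ref), and the missing `permissions:` block. Pinning every action to a commit SHA and declaring `permissions: contents: read` at the top of the workflow clears all four; the read-only token is what keeps a payload that does run in the job from pushing new workflows through the GitHub API.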
Threat actor creates the ci-quality GitHub organization
A threat-actor-controlled GitHub organization named "ci-quality" was created and later used to host a malicious GitHub Action tied to the campaign. This is the earliest concrete campaign setup date mentioned in the references.
Wiz reports Shai-Hulud 2.0 resurgence despite containment efforts
Wiz Research and Wiz CIRT said the Shai-Hulud 2.0 supply-chain worm remained active for more than six days after its November disclosure and experienced a renewed spike on 2025-12-01 despite earlier containment actions by PostHog, Postman, AsyncAPI, and the npm security team. The report also assessed broad impact, including more than 30,000 leaked repositories and hundreds of still-valid exposed secrets, primarily affecting Linux-based CI/CD and containerized environments.
Shai-Hulud v2 spreads from npm into Maven Central
Researchers reported that the second-wave Shai-Hulud campaign had crossed from npm into the Maven ecosystem through a compromised Maven Central package, org.mvnpm:posthog-node:4.18.1, reusing the same malicious components seen in the npm attack. Maven Central said the affected mirrored package copies were purged and that additional protections were being implemented to prevent compromised npm packages from being rebundled into Maven artifacts.
Unit 42 details Shai-Hulud 2.0 escalation and destructive behavior
Unit 42 reported that the November 2025 Shai-Hulud 2.0 npm supply-chain campaign had escalated by moving from post-install to pre-install execution, broadening impact across developer and CI/CD environments and affecting tens of thousands of GitHub repositories. The report also revealed new destructive and persistence features, including secure file deletion if exfiltration fails, Bun-themed payloads, and a GitHub Actions workflow that registers infected machines as self-hosted runners.
Researchers identify second-wave Shai-Hulud npm supply-chain attack
Researchers reported a renewed Shai-Hulud-linked npm supply-chain attack on 2025-11-24 after attackers uploaded trojanized versions of popular npm packages between November 21 and 23. The malware stole developer and cloud secrets, exfiltrated them to attacker-controlled GitHub repositories, and used stolen npm maintainer tokens to propagate malicious package versions under compromised accounts.
Researchers discover initial Shai-Hulud npm worm campaign
On 2025-09-15, researchers discovered a novel self-propagating supply-chain attack affecting roughly 200 npm packages, including @ctrl/tinycolor and packages tied to CrowdStrike. The Shai-Hulud malware used malicious postinstall scripts to steal GitHub, npm, AWS, and GCP credentials, exfiltrate them to GitHub, and spread by modifying additional packages and abusing GitHub repositories and actions.
Sources
The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave | Wiz Blog (wiz.io)
Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware (thehackernews.com)
Shai-Hulud Worm Clones Spread After Code Release (darkreading.com)
Shai-Hulud copycat hits another npm package (theregister.com)
Shai-Hulud v2 Spreads From npm to Maven, as Campaign Exposes Thousands of Secrets (thehackernews.com)
Shai-Hulud Malware Targets Numerous NPM Packages in Second-Wave NPM Supply-Chain Attack - Arctic Wolf (arcticwolf.com)
"Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack (Updated November 26) (unit42.paloaltonetworks.com)
Shai-Hulud: The novel self-replicating worm infecting hundreds of NPM packages | Sysdig (webflow.sysdig.com)