SANDWORM_MODE: How a Shai-Hulud-Style npm Worm Targets CI/CD Pipelines

  • Writer: Pranesh Shrestha
  • 3 days ago
  • 4 min read

Date of Discovery: February 20, 2026

Ecosystem: npm

Type of Attack: Credential theft + AI tool compromise + worm propagation

Scope: At least 19 typo-squatted npm packages

Impact: Credential theft, GitHub Actions abuse, MCP injection, multi-channel exfiltration, and destructive fallback capability


A coordinated supply chain attack targeted the npm ecosystem under the codename SANDWORM_MODE, disclosed by the Socket Research Team on February 20, 2026. The campaign combines credential theft, GitHub workflow abuse, MCP server injection into AI coding assistants, multi-channel exfiltration, and worm-like propagation across npm and GitHub repositories.


Unlike many package attacks that rely on postinstall scripts, SANDWORM_MODE executes when the module is imported and evaluated. That detail matters for DevOps and DevSecOps teams because it shifts the risk from package installation alone to build-time execution, where privileged secrets, tokens, and outbound network access are often available.


How the Attack Works — Stage by Stage


Figure: SANDWORM_MODE attack progression


Stage 0 — The Loader


Instead of relying on a postinstall hook, SANDWORM_MODE executes at import time when the malicious module is evaluated. Its loader hides the next stage in an encoded blob and delays deeper activity to avoid simple behavioral checks. That makes the attack more likely to slip past controls focused only on install-time package behavior.


Stage 1 — The Harvest


The malware begins with lightweight credential harvesting, targeting npm and GitHub tokens, environment variables, crypto wallets, and stored credentials. Outside CI/CD environments it also looks for cloud credentials and SSH-related material, while inside CI it focuses on high-value secrets exposed during the build.


Stage 2 — The Worm


After the initial collection phase and a short delay, the next stage activates deeper harvesting and propagation logic. The malware does not stop with local theft. It attempts to spread through package ecosystems, repositories, and developer tooling in ways that resemble earlier Shai-Hulud campaigns.


Propagation


Through npm, stolen maintainer credentials can be used to publish backdoored versions of legitimate packages. Through GitHub, the malware can abuse accessible workflows and repository settings to introduce malicious dependencies and harvest CI secrets. That combination turns a single infected developer or build environment into a broader software supply chain event.


Git Hook Persistence


The malware scans the user’s home directory and current project for Git repositories and installs pre-commit and pre-push hooks while backing up the originals. This gives the attacker another route to persistence and data theft even after the original malicious package is removed.


MCP Injection


One of the most important evolutions in this campaign is its attempt to weaponize AI-assisted development. By injecting a rogue MCP server into supported tooling, the malware can turn trusted coding assistants into an unintended exfiltration channel for source code, prompts, project context, and secrets.


Exfiltration


Stolen data can be sent out through multiple fallback channels, including HTTPS requests to attacker-controlled infrastructure, uploads to private GitHub repositories using stolen tokens, and DNS-based exfiltration. Multiple channels make the campaign more resilient if one path is blocked.


Dead Switch


The malware also includes a destructive fallback capability. Public analysis indicates that this functionality was disabled in the observed campaign, but the presence of a dead-switch routine raises the risk that future variants could wipe writable files or otherwise sabotage developer and build environments.


Why This Matters to Build Teams


This campaign did not rely on a single trick. It combined typo-squatting, credential theft, GitHub Actions abuse, Git hook persistence, AI toolchain poisoning, and multi-channel exfiltration to move across the development lifecycle. For DevOps and DevSecOps teams, the lesson is that software supply chain security now depends on controlling build-time behavior, not just scanning code and dependencies before or after the build.


What Build and Security Teams Should Review


This campaign is a reminder that modern supply chain attacks can move across multiple layers of the development lifecycle, from package installation to CI execution to AI-assisted tooling. Security teams should review how they validate newly published packages, control outbound build-time network access, protect secrets in CI/CD environments, and govern AI coding integrations such as MCP-connected tools.


How InvisiRisk Helps Reduce Exposure


Defense 1 — Blocking Unauthorized Actions


InvisiRisk Build Application Firewall (BAF) runs in line with the build process, between source retrieval and artifact publication. It monitors outbound network activity and can block suspicious destinations, newly created repositories, or policy-violating requests before sensitive data leaves the build environment.


Defense 2 — Secret Exfiltration Detection


Because it observes build-time traffic in real time, InvisiRisk can help identify suspicious outbound transfers associated with credential theft or exfiltration. That gives teams a chance to stop or investigate activity during the build rather than discovering it after compromised artifacts or leaked secrets have already moved downstream.


Defense 3 — Stability Buffer Period


InvisiRisk can enforce a delay window before newly published npm versions are allowed into the build pipeline. A policy that blocks packages published within a defined cooling-off period can reduce exposure to malicious versions that appear suddenly and are removed only after the first wave of victims.
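The cooling-off policy described above, written out as an added example that is not InvisiRisk's or Socket's code. It checks each resolved dependency version against the publish timestamps the public npm registry exposes in a packument's `time` object; the package names, dates and the 7-day window are constructed for the demo.

```javascript
// Added example (not from the post or InvisiRisk): a publish-age check over
// a lockfile's resolved versions. The packument shape mirrors the public npm
// registry response (GET https://registry.npmjs.org/<name>), whose "time"
// object maps each version to its publish timestamp. Names, dates and the
// 7-day window below are constructed.
const MIN_AGE_DAYS = 7; // assumed policy window
const NOW = Date.parse('2026-02-20T12:00:00.000Z'); // constructed "now"

// Constructed packuments, trimmed to the fields the check reads.
const REGISTRY = {
  'example-typo-pkg': {
    time: {
      created: '2020-01-01T00:00:00.000Z',
      '1.2.0': '2025-11-10T12:00:00.000Z',
      '1.3.0': '2026-02-19T22:15:00.000Z', // published hours before NOW
    },
  },
  'example-stable-pkg': {
    time: { created: '2018-03-05T00:00:00.000Z', '4.0.1': '2025-06-01T08:00:00.000Z' },
  },
};

// Resolved dependency versions as a lockfile would pin them (constructed).
const LOCK = { 'example-typo-pkg': '1.3.0', 'example-stable-pkg': '4.0.1' };

function ageInDays(publishedIso, nowMs) {
  return (nowMs - Date.parse(publishedIso)) / 86400000;
}

// One finding per resolved version younger than the window. A version with
// no publish time is also a finding: an unknown age must not pass silently.
function checkCoolingOff(lock, registry, nowMs = NOW, minAgeDays = MIN_AGE_DAYS) {
  const findings = [];
  for (const [name, version] of Object.entries(lock)) {
    const published = registry[name] && registry[name].time[version];
    if (!published) {
      findings.push({ name, version, reason: 'no publish time in packument' });
      continue;
    }
    const age = ageInDays(published, nowMs);
    if (age < minAgeDays) {
      findings.push({ name, version, reason: `published ${age.toFixed(1)} days ago` });
    }
  }
  return findings; // an empty array means the policy passes
}

console.log(checkCoolingOff(LOCK, REGISTRY));
```

In a real pipeline the `REGISTRY` map would be filled from live packument fetches for every name in the lockfile, and a non-empty result would fail the build step before `npm install` runs.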


Warning: Attacks Are Getting More Sophisticated


SANDWORM_MODE is best understood as part of a broader pattern, not a one-off anomaly. Recent campaigns such as Shai-Hulud and related npm compromises show that attackers are increasingly targeting build systems, package ecosystems, CI/CD workflows, and now AI-assisted development tooling. The result is a larger and more dynamic software supply chain attack surface than many organizations still assume.


Talk with an InvisiRisk account manager about your CI/CD pipeline security posture.

© 2025 by InvisiRisk, Inc.
