The open-source ecosystem is the backbone of modern software development, but it remains a prime target for adversaries. Researchers have recently uncovered an active and highly concerning supply chain attack targeting the npm (Node Package Manager) registry. Codenamed SANDWORM_MODE by supply chain security firm Socket, this campaign leverages a cluster of at least 19 malicious packages to perform credential harvesting, cryptocurrency key theft, and the exfiltration of critical CI/CD secrets.
This attack is not an isolated incident; it represents the resurgence of a "Shai-Hulud-like" worm—a self-propagating threat capable of moving through the software supply chain with voracity. For organizations relying on JavaScript and Node.js environments, the risk is immediate and severe.
The Anatomy of the Threat
The SANDWORM_MODE campaign is characterized by its use of typosquatting and dependency confusion. Attackers publish packages that mimic popular libraries or obscure utilities, tricking developers or automated build pipelines into installing them. Once installed, the malicious code executes immediately.
Attack Vector and TTPs
The primary vector in this campaign is the compromise of the development environment rather than the production runtime. The malicious code embedded in these packages is designed to search the file system for specific high-value assets:
- Cryptocurrency Wallets: Targeting files associated with wallets like MetaMask or private key files.
- CI/CD Secrets: Scanning for environment variables (
.envfiles), AWS credentials, and GitHub tokens that grant access to infrastructure. - API Keys: Harvesting keys for payment processors and third-party services.
The "worm" aspect refers to the malware's ability to propagate its reach. In previous "Shai-Hulud" attack waves, malicious code could potentially alter project configurations or infect other packages within the workspace, spreading the infection laterally across development teams.
Detection and Threat Hunting
Defending against supply chain attacks requires a shift from vulnerability scanning to behavioral monitoring. Security teams must assume that some dependencies may be malicious and hunt for anomalies rather than just known bad hashes.
1. Hunting for Suspicious npm Activity
Use the following Bash script to scan your node_modules directories for packages that were modified very recently (within the last 7 days) and contain network-related code, which is a common indicator of data exfiltration logic.
#!/bin/bash
# Scan node_modules for JS files modified in the last 7 days containing network requests
find node_modules -name "*.js" -mtime -7 -type f | while read file; do
if grep -qE "(http\.request|https\.request|fetch|axios|XMLHttpRequest)" "$file"; then
echo "[!] Suspicious recent activity found in: $file"
# Optional: output the first few lines of context
head -n 5 "$file"
fi
done
2. Microsoft Sentinel / Defender KQL Queries
Detecting the execution of these packages requires monitoring process creation and network connections initiated by Node.js. The following KQL query looks for Node processes making outbound network connections to non-corporate IP addresses or suspicious TLDs, specifically targeting processes that run immediately after a package installation.
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("npm.cmd", "node.exe", "yarn.cmd")
| where ProcessCommandLine contains "install" or ProcessCommandLine contains "postinstall"
| join kind=inner (
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "node.exe"
| project DeviceId, Timestamp, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessCommandLine
) on DeviceId, Timestamp
| where RemoteUrl !contains "registry.npmjs.org"
and RemoteUrl !contains "your-corporate-domain.com"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, RemoteUrl, RemoteIP
| order by Timestamp desc
| take 50
3. Python Script for Dependency Auditing
Automate the review of your package-lock. against a known list of malicious package hashes or names. This Python script provides a basic framework for scanning your lock files.
import
import hashlib
import requests
def check_package_malicious(package_name, version):
# In a real scenario, query an internal threat intel feed or OSV
# Here is a placeholder for the logic
known_malicious = ["malicious-pkg-example", "suspicious-utils"]
return package_name in known_malicious
def audit_lockfile(filepath):
with open(filepath, 'r') as f:
data = .load(f)
dependencies = data.get('dependencies', {})
for pkg, info in dependencies.items():
if check_package_malicious(pkg, info.get('version')):
print(f"[ALERT] Malicious package found: {pkg}")
else:
print(f"[OK] Scanned {pkg}")
if __name__ == "__main__":
audit_lockfile("package-lock.")
Mitigation Strategies
Stopping the SANDWORM_MODE campaign requires a layered defense strategy that combines policy, technology, and developer education.
1. Implement Private Registries
Stop pulling packages directly from the public npm registry. Use a private registry (such as Artifactory, Nexus, or Verdaccio) that acts as a proxy. This allows you to quarantine packages, run automated security scans before they reach your developers, and block specific versions retroactively.
2. Enforce Lockfile Integrity
Never commit package-lock. files to a repository that have been manually altered without review. Use tools like npm audit with strict exit codes in your CI/CD pipeline to fail builds if high-severity vulnerabilities or malicious packages are detected.
3. Least Privilege for Build Agents
Ensure that CI/CD runners (Jenkins, GitHub Actions, GitLab CI) do not have unnecessary permissions. If a malicious package attempts to steal credentials, limiting the scope of the IAM role associated with the build agent reduces the blast radius. For example, build agents should not have write access to production databases.
4. Monitor for Environment Variable Access
Advanced EDR (Endpoint Detection and Response) tools can monitor for specific API calls that read process memory or environment variables. Configure alerts for processes that attempt to read .env files or access the OS credential manager immediately after execution.
Conclusion
The SANDWORM_MODE campaign is a stark reminder that the software supply chain is a battleground. The "Shai-Hulud" worm analogy is fitting—just as the creature moves beneath the surface unseen, these threats propagate through dependencies until they strike. By implementing strict registry controls and proactive threat hunting, Security Arsenal helps organizations stay ahead of these insidious attacks.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.