{"id":43875,"date":"2026-02-24T01:55:59","date_gmt":"2026-02-23T17:55:59","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/02\/24\/shai-hulud-like-worm-targets-developers-via-npm-and-ai-tools-infosecurity-magazine\/"},"modified":"2026-02-24T01:55:59","modified_gmt":"2026-02-23T17:55:59","slug":"shai-hulud-like-worm-targets-developers-via-npm-and-ai-tools-infosecurity-magazine","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/02\/24\/shai-hulud-like-worm-targets-developers-via-npm-and-ai-tools-infosecurity-magazine\/","title":{"rendered":"Shai-Hulud-Like Worm Targets Developers via npm and AI Tools &#8211; Infosecurity Magazine"},"content":{"rendered":"<p>A supply chain worm resembling earlier<a href=\"https:\/\/www.infosecurity-magazine.com\/news\/supply-chain-worm-hundreds-npm\/\" style=\"text-decoration:none;\" target=\"_blank\"> Shai-Hulud malware<\/a> has been discovered spreading through malicious npm packages.<\/p>\n<p>According to Socket&#39;s Threat Research Team, the campaign, tracked as SANDWORM_MODE, has been identified across at least 19 npm packages published under two aliases, official334 and javaorg.<\/p>\n<p>The operation builds on known supply chain tradecraft but adds a notable twist: direct interference with AI coding tools.<\/p>\n<p>Researchers said the malware not only stole developer and CI credentials and propagated&nbsp;through compromised npm and GitHub accounts, but also injected&nbsp;rogue MCP servers into local AI assistant configurations and harvested&nbsp;API keys for nine large language model providers.<\/p>\n<h2><strong>AI Tooling And Typosquatting Strategy<\/strong><\/h2>\n<p>The worm primarily spread&nbsp;through <a href=\"https:\/\/www.infosecurity-magazine.com\/news\/typosquatting-repojacking-tactics\/\" target=\"_self\">typosquatting <\/a>packages that impersonated widely used Node.js libraries and emerging AI development tools.<\/p>\n<p>One example, suport-color@1.0.1, mimicked&nbsp;the legitimate supports-color package while preserving its expected behavior. Behind the scenes, it executed&nbsp;a concealed, multi-stage payload when imported.<\/p>\n<p>Among the targets were tools linked to Claude Code and <a href=\"https:\/\/www.infosecurity-magazine.com\/news\/malicious-crypto-trading-skills\/\" target=\"_self\">OpenClaw<\/a>, the latter having recently surpassed 210,000 stars on GitHub.<\/p>\n<p>The malware deployed&nbsp;a hidden MCP server into configurations for AI assistants such as Claude Desktop, Cursor, VS Code Continue and Windsurf. Embedded prompt injections instructed the assistant to quietly collect&nbsp;SSH keys, AWS credentials, npm tokens and environment variables containing secrets.<\/p>\n<h2><strong>Multi-Stage Worm With CI Focus<\/strong><\/h2>\n<p>The payload used&nbsp;layered obfuscation techniques including base64 encoding, zlib compression and AES-256-GCM encryption.<\/p>\n<p>Stage 1 immediately harvested&nbsp;credentials and exfiltrates discovered crypto keys within seconds of installation.<\/p>\n<p>Stage 2, delayed by 48 to 96 hours on developer machines but triggered instantly in CI environments, performed&nbsp;deeper harvesting and initiated&nbsp;propagation.<\/p>\n<p>Exfiltration attempts followed a three-channel cascade:<\/p>\n<ul>\n<li>\n<p>HTTPS POST requests to a Cloudflare Worker endpoint<\/p>\n<\/li>\n<li>\n<p>Uploads to attacker-controlled private GitHub repositories<\/p>\n<\/li>\n<li>\n<p>DNS tunneling using a domain generation algorithm fallback<\/p>\n<\/li>\n<\/ul>\n<p>The worm could propagate by publishing infected npm packages, modifying repositories via the GitHub API and, if necessary, pushing changes through SSH.<\/p>\n<p>Socket said it notified npm, GitHub and Cloudflare before publishing its findings. Cloudflare reportedly disabled associated infrastructure, npm removed the malicious packages and GitHub dismantled related repositories.<\/p>\n<p>Developers who installed the affected packages are urged to rotate credentials and review repositories and CI workflows for unauthorized modifications.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A supply chain worm resembling earlier Shai-Hulud malwa [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-43875","post","type-post","status-publish","format-standard","hentry","category--infosecurity-magazine"],"_links":{"self":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/43875","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/comments?post=43875"}],"version-history":[{"count":0,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/43875\/revisions"}],"wp:attachment":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/media?parent=43875"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/categories?post=43875"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/tags?post=43875"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}