SANDWORM_MODE: Malicious npm Cluster Automates Secret Harvesting and Crypto Theft

Campaign Overview

Security researchers at Socket have documented an active supply chain campaign codenamed SANDWORM_MODE. This operation utilizes a cluster of at least 19 malicious npm packages designed to function as a supply chain worm. The primary objective is the automated exfiltration of sensitive credentials, including environment variables, Continuous Integration (CI) secrets, and private keys for various cryptocurrency wallets.

Technical Analysis and TTPs

The SANDWORM_MODE campaign demonstrates technical lineage with previous ‘Shai-Hulud’ attack waves, utilizing similar obfuscation and distribution techniques. The malicious payloads are typically embedded within the package installation scripts (e.g., preinstall or postinstall hooks) or hidden within deeply nested dependency trees to evade static analysis.

Data Exfiltration Targets

The malware targets a broad range of sensitive data points across the development lifecycle:

• CI/CD Environment Variables: Automated extraction of secrets from GitHub Actions, GitLab CI/CD, and Jenkins environments.
• Cloud Provider Credentials: Targeted harvesting of AWS, Azure, and GCP access keys stored in local configuration files.
• API Tokens: Scanning for .env files containing Slack, SendGrid, and Stripe tokens.
• Cryptocurrency Keys: Identification and theft of mnemonic phrases and private keys for browser-based and desktop wallet extensions.

Worm-like Propagation

A notable characteristic of this campaign is its attempt to propagate through the developer’s local environment. The malicious code attempts to identify other package.json files on the host system to inject its malicious dependencies, effectively turning infected developer workstations into vectors for wider supply chain compromise. Implementing rigorous infrastructure scanning with Pocket Pentest can assist security teams in identifying exposed CI/CD configurations and unsecured development environments prone to these harvesting techniques.

Mitigation and Recommendations

To mitigate the risks associated with the SANDWORM_MODE campaign, organizations should implement the following technical controls:

• Dependency Pinning: Use package-lock.json or yarn.lock to ensure consistent dependency resolution and prevent the automatic pull of malicious updates.
• Script Execution Restrictions: Configure package managers to disable script execution by default using --ignore-scripts where possible.
• Secret Masking: Ensure that all CI/CD pipelines use secret masking and rotation policies to limit the lifespan of any potentially compromised tokens.
• SCA Implementation: Utilize Software Composition Analysis (SCA) tools capable of behavioral analysis rather than simple signature-based lookups to detect anomalous network calls during package installation.