Malicious npm Packages Harvest Crypto Keys, CI Secrets, and API Tokens
Malicious npm Packages Harvest Crypto Keys, CI Secrets, and API Tokens
23 February 2026
Cybersecurity researchers have disclosed what they say is an active "Shai-Hulud-like" supply chain worm campaign that has leveraged a cluster of at least 19 malicious npm packages to enable credential harvesting and cryptocurrency key theft.
The campaign has been codenamed SANDWORM_MODE by supply chain security company Socket. As with prior Shai-Hulud attack waves, the malicious code embedded