Malicious npm packages harvest crypto keys and secrets

English

Nineteen malicious packages on the npm registry are spreading a worm known as SANDWORM_MODE. These packages steal crypto keys, CI secrets, API tokens, and AI API keys. The theft occurs through MCP injection.

Security researchers have identified 19 malicious npm packages that are actively harvesting sensitive information from developers' systems. According to reports, these packages propagate a worm called SANDWORM_MODE, which targets crypto keys, continuous integration (CI) secrets, API tokens, and AI API keys.

The malicious software employs MCP injection as its primary method to extract and exfiltrate this data. npm, the popular package manager for JavaScript and Node.js, serves as the distribution platform for these threats, potentially compromising developers who install the affected packages unknowingly.

This incident highlights ongoing risks in open-source software ecosystems, where supply chain attacks can lead to widespread data breaches. No specific details on the exact names of the 19 packages or the total number of affected users were provided in the available information.

Developers are advised to review their dependencies and use tools to scan for vulnerabilities in npm packages to mitigate such risks.

Related Articles

Illustration of a developer's desk with a computer screen showing malicious npm packages stealing credentials across platforms, highlighting cybersecurity risks.
Image generated by AI

Malicious npm packages steal developer credentials on multiple platforms

Reported by AI Image generated by AI

Ten typosquatted npm packages, uploaded on July 4, 2025, have been found downloading an infostealer that targets sensitive data across Windows, Linux, and macOS systems. These packages, mimicking popular libraries, evaded detection through multiple obfuscation layers and amassed nearly 10,000 downloads. Cybersecurity firm Socket reported the threat, noting the packages remain available in the registry.

React2Shell exploits continue with large-scale Linux backdoor deployments and cloud credential theft

Ongoing exploitation of the React2Shell vulnerability (CVE-2025-55182)—previously detailed in coverage of China-nexus and cybercriminal campaigns—now includes widespread Linux backdoor installations, arbitrary command execution, and large-scale theft of cloud credentials.

Attackers hijack Linux Snap Store apps to steal crypto phrases

Reported by AI

Cybercriminals have compromised trusted Linux applications on the Snap Store by seizing expired domains, allowing them to push malware that steals cryptocurrency recovery phrases. Security experts from SlowMist and Ubuntu contributor Alan Pope highlighted the attack, which targets established publisher accounts to distribute malicious updates impersonating popular wallets. Canonical has removed the affected snaps, but calls for stronger safeguards persist.

Linux

React2Shell flaw exploited for PeerBlight malware on Linux

Linux

Researchers discover SSHStalker botnet infecting Linux servers

Technology

Russian hackers exploit Microsoft Office vulnerability days after patch

New SysUpdate malware variant targets Linux systems

A new variant of the SysUpdate malware has been discovered targeting Linux systems, featuring advanced encryption for command-and-control communications. Security researchers at LevelBlue identified the threat during a digital forensics engagement and developed a tool to decrypt its traffic. The malware disguises itself as a legitimate system service to evade detection.

North Korean hackers exploit maximum severity React2Shell flaw

Reported by AI

North Korean hackers have begun exploiting a critical vulnerability known as React2Shell in malware attacks. This follows similar actions by Chinese hackers, indicating a growing interest in this security flaw. The issue poses significant risks to affected systems.

Rust-based Luca stealer targets Linux and Windows systems

Threat actors are shifting from traditional languages like C and C++ to modern ones such as Rust, enabling cross-platform malware development. A new Rust-based information stealer called Luca has emerged, released openly to the public. This development highlights growing use of Rust in malware, posing new challenges for cybersecurity defenders.

Fake Chrome AI extensions targeted over 300,000 users

Reported by AI

Criminals have distributed fake AI extensions in the Google Chrome Web Store to target more than 300,000 users. These tools aim to steal emails, personal data, and other information. The issue highlights ongoing efforts to push surveillance software through legitimate channels.

February 19, 2026 13:36

Researchers uncover new SysUpdate malware variant targeting Linux

February 10, 2026 19:39

New Linux botnet SSHStalker uses IRC for command-and-control

February 05, 2026 15:05

Critical flaws discovered in n8n workflow tool

January 27, 2026 06:48

Zombie domains expose Snap Store to supply chain attacks

January 24, 2026 21:25

Wiper malware targets Poland's energy grid but causes no blackout

January 22, 2026 03:56

Malicious PyPI package impersonates SymPy to deploy XMRig miner

January 21, 2026 09:23

Anthropic's Git MCP server revealed security flaws

December 13, 2025 23:54

China-nexus groups and cybercriminals ramp up React2Shell exploits

November 05, 2025 22:25

Russian hackers use Linux VMs to hide malware on Windows

October 27, 2025 10:24

Qilin ransomware deploys Linux binaries against Windows systems

 

 

 

This website uses cookies

We use cookies for analytics to improve our site. Read our privacy policy for more information.
Decline