Malicious npm packages harvest crypto keys and secrets

Norsk Bokmål

Nineteen malicious packages on the npm registry are spreading a worm known as SANDWORM_MODE. These packages steal crypto keys, CI secrets, API tokens, and AI API keys. The theft occurs through MCP injection.

Security researchers have identified 19 malicious npm packages that are actively harvesting sensitive information from developers' systems. According to reports, these packages propagate a worm called SANDWORM_MODE, which targets crypto keys, continuous integration (CI) secrets, API tokens, and AI API keys.

The malicious software employs MCP injection as its primary method to extract and exfiltrate this data. npm, the popular package manager for JavaScript and Node.js, serves as the distribution platform for these threats, potentially compromising developers who install the affected packages unknowingly.

This incident highlights ongoing risks in open-source software ecosystems, where supply chain attacks can lead to widespread data breaches. No specific details on the exact names of the 19 packages or the total number of affected users were provided in the available information.

Developers are advised to review their dependencies and use tools to scan for vulnerabilities in npm packages to mitigate such risks.

Relaterte artikler

Illustration depicting hackers hijacking Linux Snap Store apps to steal cryptocurrency recovery phrases, featuring a compromised Ubuntu laptop and digital seed phrase theft.
Bilde generert av AI

Attackers hijack Linux Snap Store apps to steal crypto phrases

Rapportert av AI Bilde generert av AI

Cybercriminals have compromised trusted Linux applications on the Snap Store by seizing expired domains, allowing them to push malware that steals cryptocurrency recovery phrases. Security experts from SlowMist and Ubuntu contributor Alan Pope highlighted the attack, which targets established publisher accounts to distribute malicious updates impersonating popular wallets. Canonical has removed the affected snaps, but calls for stronger safeguards persist.

Researchers uncover leaked API keys on nearly 10,000 websites

Researchers analyzing 10 million web pages have identified 1,748 active API credentials from 14 major providers exposed across nearly 10,000 websites, including those run by banks and healthcare providers. These leaks could enable attackers to access sensitive data or gain control over digital infrastructure. Nurullah Demir of Stanford University described the issue as very significant, affecting even major companies.

Critical flaws discovered in n8n workflow tool

Rapportert av AI

Security researchers have uncovered critical vulnerabilities in the n8n automation tool. A previously released patch failed to fully address the issues, leaving users exposed. Experts provide guidance on protecting systems amid these discoveries.

Linux

New SysUpdate malware variant targets Linux systems

Linux

New Linux botnet SSHStalker uses IRC for command-and-control

Teknologi

Wiper malware targets Poland's energy grid but causes no blackout

Researchers uncover new SysUpdate malware variant targeting Linux

Researchers at LevelBlue have identified a new variant of the SysUpdate malware aimed at Linux systems during a digital forensics and incident response engagement. The malware disguises itself as a legitimate system service and employs advanced encryption for command-and-control communications. By reverse-engineering it, the team created tools to decrypt its traffic more quickly.

Fake Chrome AI extensions targeted over 300,000 users

Rapportert av AI

Criminals have distributed fake AI extensions in the Google Chrome Web Store to target more than 300,000 users. These tools aim to steal emails, personal data, and other information. The issue highlights ongoing efforts to push surveillance software through legitimate channels.

Anthropic's Claude Code CLI source code leaks online

Anthropic's Claude Code command line interface source code has leaked online after a packaging error in a recent release. The incident exposed over 512,000 lines of code from nearly 2,000 TypeScript files. The company described it as human error with no sensitive data involved.

AI uncovers high-severity bug in Ethereum's Nethermind software

Rapportert av AI

A crypto security firm used artificial intelligence to detect a high-severity bug in Nethermind, an Ethereum client used by nearly 40% of validators. The flaw, which could have disrupted network operations, was fixed before exploitation. This development highlights AI's growing role in cybersecurity amid recent concerns over AI-generated code vulnerabilities.

torsdag, 19. mars 2026, 22:25

Duet Night Abyss launcher spreads malware on Steam

onsdag, 18. mars 2026, 03:20

Infostealers Disguised as Claude Code, OpenClaw, and Other AI Tools

torsdag, 26. februar 2026, 01:40

The hacker news publishes weekly threatsday bulletin

tirsdag, 17. februar 2026, 10:18

OpenClaw AI agents targeted by infostealer malware for first time

lørdag, 14. februar 2026, 06:39

SSHStalker botnet uses IRC to target Linux servers

onsdag, 11. februar 2026, 00:43

Researchers discover SSHStalker botnet infecting Linux servers

onsdag, 4. februar 2026, 19:25

Russian hackers exploit Microsoft Office vulnerability days after patch

onsdag, 4. februar 2026, 10:58

More than 40,000 WordPress sites affected by malware flaw

tirsdag, 27. januar 2026, 06:48

Zombie domains expose Snap Store to supply chain attacks

torsdag, 22. januar 2026, 03:56

Malicious PyPI package impersonates SymPy to deploy XMRig miner

 

 

 

Dette nettstedet bruker informasjonskapsler

Vi bruker informasjonskapsler for analyse for å forbedre nettstedet vårt. Les vår personvernerklæring for mer informasjon.
Avvis