Malicious npm Packages Harvest Crypto Keys, CI Secrets, and API Tokens

Hold up, devs — your npm dependencies just got weaponized. Security researchers just exposed 19 malicious npm packages that are straight-up harvesting crypto keys, CI/CD secrets, and AI API tokens. This isn't just another supply chain attack — it's a full-blown credential heist.

The packages are spreading something called SANDWORM_MODE worm via MCP (Model Context Protocol) injection. Translation: they're hijacking your VS Code extensions and stealing everything from GitHub tokens to OpenAI API keys. If you're running any CI/CD pipelines, your secrets are on the menu too.

Here's what these packages are grabbing: crypto wallet private keys, CI/CD secrets from GitHub Actions and Jenkins, API tokens for OpenAI and other AI services, SSH keys, and basically any credential they can find in your environment variables. This is next-level supply chain warfare.

The attack works by injecting malicious code through the Model Context Protocol, which is used by VS Code extensions. Once installed, these packages scan your system for credentials and exfiltrate them to attacker-controlled servers. This isn't just theoretical — these packages have already been downloaded by unsuspecting developers.

If you're working with any sensitive credentials (and let's be real, who isn't?), you need to audit your dependencies NOW. Check your package.json, review your node_modules, and verify you haven't installed any of these malicious packages. This is why dependency scanning isn't just nice-to-have — it's essential security hygiene.