New "SANDWORM_MODE" NPM Supply Chain Worm Targets AI Coding Tools and CI Pipelines Globally

Researchers uncover a "Shai-Hulud" NPM worm targeting Claude Code and OpenClaw. The SANDWORM_MODE malware harvests secrets and features a home directory wiper.

By: AXL Media

Published: Feb 26, 2026, 3:59 AM EST

Source: The information in this article was sourced from CSO Online


The Transaction or Development

The software development community is facing a critical supply chain threat following the discovery of at least 19 typosquatted packages on the npm registry. This "Shai-Hulud-style" worm, identified by researchers as SANDWORM_MODE, is engineered to burrow deep into developer environments, continuous integration (CI) pipelines, and increasingly popular AI-driven coding assistants. By posing as legitimate utilities, the malware initiates a multi-stage payload that transitions from simple credential harvesting to active repository takeover, effectively turning infected machines into vectors for further propagation.

Regulatory and Competitive Landscape

The campaign specifically exploits the rapid adoption of AI coding tools, targeting users of Claude Code and OpenClaw, the latter of which recently gained significant traction on GitHub. Security analysts suggest that the attackers are banking on "AI hallucinations", where automated coding assistants suggest non-existent or misspelled dependencies, to trick developers into installing the malicious code. npm has recently implemented stricter controls, such as mandatory two-factor authentication and scoped tokens, but those measures harden maintainer accounts against takeover; they do not stop an attacker from publishing a look-alike package under an account they control, and their effectiveness still depends on how quickly individual maintainers adopt them. Catching a typosquat therefore remains an install-side job: the exact package name has to be checked before it is added, and a dependency suggested by an assistant has to be treated as unverified input.
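The two install-side checks above, reviewing a package name against a known-good list and catching a near-miss of a well-known name, can be automated against a project's package.json. The following is an added example written for this article; it is not code from the campaign, from npm, or from any tool the article names. The allowlist and the package.json it scans are constructed samples, and the edit-distance threshold of 2 is an assumption a team would tune to its own dependency set.

```javascript
// Added example (not from the article or the worm): flag dependency names in a
// package.json that are a small edit away from a well-known package, or that a
// reviewed allowlist has never seen. The allowlist and package.json below are
// constructed samples; a real deployment would use the organization's own list.

// Constructed sample of reviewed, known-good package names (assumption).
const KNOWN_GOOD = new Set([
  "express", "lodash", "react", "axios", "chalk", "commander", "dotenv",
]);

// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];      // dp[i-1][j-1] for the current column
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // dp[i-1][j] before it is overwritten
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// "@scope/name" -> "name". A known name published under an unfamiliar scope is
// its own signal, so the scope is handled separately in classify().
function bareName(dep) {
  return dep.startsWith("@") ? dep.slice(dep.indexOf("/") + 1) : dep;
}

// Classify one dependency name against the allowlist.
function classify(dep, known = KNOWN_GOOD, maxDistance = 2) {
  if (known.has(dep)) return { name: dep, verdict: "allowlisted", nearest: dep };
  const bare = bareName(dep);
  let nearest = null;
  let best = Infinity;
  for (const k of known) {
    const d = editDistance(bare, k);
    if (d < best) { best = d; nearest = k; }
  }
  if (best === 0) return { name: dep, verdict: "scope-mismatch", nearest };
  if (best <= maxDistance) return { name: dep, verdict: "possible-typosquat", nearest };
  return { name: dep, verdict: "unreviewed", nearest: null };
}

// Walk every dependency section of a parsed package.json and return only the
// entries that need a human look before install.
function auditPackageJson(pkg, known = KNOWN_GOOD) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const dep of Object.keys(pkg[section] || {})) {
      const r = classify(dep, known);
      if (r.verdict !== "allowlisted") findings.push({ section, ...r });
    }
  }
  return findings;
}

// Constructed sample package.json (not taken from the campaign).
const SAMPLE_PACKAGE_JSON = {
  dependencies: { express: "^4.19.2", lodahs: "^4.17.21", axios: "^1.7.0" },
  devDependencies: { "@evil-scope/chalk": "^5.0.0", "left-pad": "^1.3.0" },
};

for (const f of auditPackageJson(SAMPLE_PACKAGE_JSON)) {
  const near = f.nearest ? ` (nearest known: ${f.nearest})` : "";
  console.log(`${f.section}: ${f.name} -> ${f.verdict}${near}`);
}
```

Run as a pre-install or CI step, the script turns an assistant's hallucinated or misspelled suggestion into a blocking finding rather than a silent `npm install`. The "scope-mismatch" verdict covers the case where the bare name is exactly a known package but the scope is not one the team publishes or consumes; "unreviewed" is not a verdict of malice, only a signal that the name has never been vetted.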

Strategic Rationale and Market Impact

The SANDWORM_MODE campaign is notable for its Model Context Protocol (MCP) server injection. MCP servers are registered in the assistant's configuration and expose tools whose descriptions and outputs are placed directly into the model's context, so a malicious server entry is treated as a trusted part of the environment rather than as untrusted input. From that position the malware can use prompt-injection techniques to steer the assistant into reading and exfiltrating local data, such as SSH keys or cloud credentials, through the file and shell access the assistant already holds. This signals a strategic shift in cyberattacks, moving beyond traditional lateral movement to "poisoning" the very interfaces that developers rely on for automated code generation and system management.
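Because the injection works by adding a server entry that the assistant then trusts, the practical control is to audit that configuration the same way one audits a lockfile. The following is an added example written for this article, not code from the campaign and not an official Claude Code or MCP tool. It assumes the widely used config shape `{"mcpServers": {"<name>": {"command", "args", "env"}}}` found in project-level `.mcp.json` files; the reviewed-server allowlist and the sample config are constructed for demonstration.

```javascript
// Added example (not from the article or the malware): audit an MCP server
// configuration against a reviewed allowlist. Assumes the common config shape
// {"mcpServers": {"<name>": {"command": ..., "args": [...], "env": {...}}}}.
// The allowlist and sample config below are constructed for demonstration.

// Reviewed servers: name -> expected launcher and the exact package it runs.
// Constructed sample (assumption); the pinned version is illustrative.
const REVIEWED_SERVERS = {
  filesystem: {
    command: "npx",
    package: "@modelcontextprotocol/server-filesystem@0.6.2",
  },
};

// Return the package spec an "npx -y <spec>" entry would fetch, else null.
// Handles absolute launcher paths and the Windows npx.cmd shim.
function npxPackageSpec(server) {
  const cmd = (server.command || "").split(/[\\/]/).pop();
  if (cmd !== "npx" && cmd !== "npx.cmd") return null;
  const args = server.args || [];
  return args.find((a) => !a.startsWith("-")) || null;
}

// True only for an exact version pin (name@1.2.3); scope-aware, so the
// leading "@" of "@scope/pkg" is not mistaken for a version separator.
function isPinned(spec) {
  const at = spec.lastIndexOf("@");
  return at > 0 && /^\d+\.\d+\.\d+$/.test(spec.slice(at + 1));
}

// Walk every configured server and return findings for a human to review.
function auditMcpConfig(config, reviewed = REVIEWED_SERVERS) {
  const findings = [];
  for (const [name, server] of Object.entries(config.mcpServers || {})) {
    const expected = reviewed[name];
    const spec = npxPackageSpec(server);
    if (!expected) {
      // An entry nobody approved is exactly what a planted server looks like.
      findings.push({ server: name, issue: "unreviewed-server" });
    } else if (server.command !== expected.command || (spec && spec !== expected.package)) {
      // Approved name, but it now launches something else.
      findings.push({ server: name, issue: "launch-mismatch" });
    }
    if (spec && !isPinned(spec)) {
      // "npx -y pkg" installs whatever the registry serves at launch time.
      findings.push({ server: name, issue: "unpinned-npx-package" });
    }
    for (const key of Object.keys(server.env || {})) {
      // Credentials handed to a server are reachable by that server's process.
      if (/SECRET|TOKEN|PASSWORD|PRIVATE_KEY/i.test(key)) {
        findings.push({ server: name, issue: "secret-in-env", detail: key });
      }
    }
  }
  return findings;
}

// Constructed sample config (not from the campaign): one reviewed server and
// one unreviewed entry that pulls an unpinned package and receives a token.
const SAMPLE_MCP_CONFIG = {
  mcpServers: {
    filesystem: {
      command: "npx",
      args: ["-y", "@modelcontextprotocol/server-filesystem@0.6.2", "/srv/app"],
    },
    "dev-helper": {
      command: "npx",
      args: ["-y", "example-helper-mcp"],
      env: { GITHUB_TOKEN: "<redacted>" },
    },
  },
};

for (const f of auditMcpConfig(SAMPLE_MCP_CONFIG)) {
  console.log(`${f.server}: ${f.issue}${f.detail ? ` (${f.detail})` : ""}`);
}
```

Run against the config files an assistant actually loads, the audit surfaces a planted server as "unreviewed-server" before the model ever sees its tool descriptions. The "launch-mismatch" check matters for the variant where an approved name is kept but its command or package is swapped, and "unpinned-npx-package" flags the entries where a registry-side change (a typosquat or a hijacked version) would be pulled in silently on the next launch.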
