
February 25, 2026

Typosquatting campaign targets npm, CI pipelines, and AI‑driven development


At a glance: Researchers detailed SANDWORM_MODE, a supply-chain attack campaign involving at least 19 malicious npm packages impersonating popular developer utilities and AI coding tools. The typosquatted packages deployed a malicious Model Context Protocol (MCP) server and used embedded prompt-injection techniques to harvest SSH keys, cloud credentials, npm tokens, and environment secrets across developer and CI environments. The activity highlights how AI-integrated toolchains create new paths for credential theft.

Threat summary

In mid-February 2026, researchers detailed a supply-chain attack involving at least 19 malicious Node Package Manager (npm) packages impersonating popular developer utilities and artificial intelligence (AI) coding tools.

npm and GitHub removed the malicious packages and related infrastructure following coordinated disclosure.

The campaign, tracked as SANDWORM_MODE, introduces new techniques for compromising continuous integration (CI) workflows and machine-assisted coding environments. The worm targets high-traffic Node.js utilities, cryptocurrency tooling, and AI coding assistants, including impersonations of Claude Code and OpenClaw.

The campaign relied on packages with typosquatted and lookalike names to resemble widely used tools and libraries. It also introduces AI toolchain poisoning, where the malware deploys a malicious Model Context Protocol (MCP) server on systems that install one of the malicious packages.

Once present, the MCP server uses embedded prompt-injection techniques to influence AI assistants that interact through MCP, enabling the harvesting of Secure Shell (SSH) keys, cloud credentials, npm tokens, and environment secrets without user awareness. This creates a new path for credential theft by leveraging emerging AI-driven development workflows rather than relying solely on traditional developer or CI environments.

The threat actor builds on techniques used in the 2025 Shai-Hulud campaign, including multistage execution, credential harvesting, and automated propagation across developer and CI environments. The worm executes immediately in CI environments and uses a 48- to 96-hour activation delay on developer machines to evade short-duration sandbox analysis.

Analysis & recommendations

SANDWORM_MODE shows that ecosystems where packages execute code during installation, integrate with developer tooling, or interact with AI assistants create opportunities for threat actors.

The exploitation relies on accidental installation of typosquatted packages, which is not technically complex. Typosquatting remains a low-effort, high-return technique because it relies on human error and automated build systems rather than on exploiting software flaws.

As long as public registries allow open publishing and developers rely on automated dependency installation, threat actors will continue to introduce malicious packages that trigger execution in CI environments or on developer endpoints.

Organizations can reduce exposure by enforcing strict dependency controls, including pinning versions, using private registries, and enabling provenance and trusted publishing features offered by npm. Rotating npm and GitHub tokens, enforcing least-privilege scopes, and adopting OpenID Connect-based CI publishing workflows limit the impact of stolen credentials. Reviewing repositories for unauthorized workflow files, unexpected MCP server entries, and modified git hooks reduces risk.

CI environments benefit from restricting outbound network access, monitoring for anomalous GitHub API activity, and validating workflow changes. Developer endpoints benefit from auditing AI assistant configurations for unauthorized MCP entries and removing hidden directories created by malicious packages.
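As an added example (not code from the original advisory), the following Python script applies three of the review steps above to a constructed sample: it lists MCP server entries missing from an allowlist, active git hooks, and unexpected GitHub Actions workflow files. It assumes the common `mcpServers` JSON layout used by MCP client configurations; the allowlists and all sample paths are placeholders.

```python
import json
import shutil
import tempfile
from pathlib import Path


def audit_mcp_config(config_text, allowed):
    """Return MCP server entries that are not on the allowlist.
    Assumes the common {"mcpServers": {name: {"command", "args"}}} layout."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: spec for name, spec in servers.items() if name not in allowed}


def audit_git_hooks(repo):
    """Return active hook scripts; anything besides the *.sample stubs deserves review."""
    hooks = Path(repo) / ".git" / "hooks"
    if not hooks.is_dir():
        return []
    return sorted(p.name for p in hooks.iterdir()
                  if p.is_file() and not p.name.endswith(".sample"))


def audit_workflows(repo, expected):
    """Return GitHub Actions workflow files that are not in the expected set."""
    workflows = Path(repo) / ".github" / "workflows"
    if not workflows.is_dir():
        return []
    return sorted(p.name for p in workflows.iterdir() if p.name not in expected)


def run_demo():
    """Build a constructed sample repo and MCP config, audit both, return findings."""
    root = Path(tempfile.mkdtemp())
    try:
        hooks = root / ".git" / "hooks"
        hooks.mkdir(parents=True)
        (hooks / "pre-commit.sample").write_text("# stock stub\n")
        (hooks / "post-checkout").write_text("#!/bin/sh\n")  # constructed: active hook
        workflows = root / ".github" / "workflows"
        workflows.mkdir(parents=True)
        (workflows / "ci.yml").write_text("name: ci\n")
        (workflows / "sync.yml").write_text("name: sync\n")  # constructed: unexpected file
        mcp_config = json.dumps({"mcpServers": {  # placeholder server names and paths
            "filesystem": {"command": "npx", "args": ["-y", "allowed-server-placeholder"]},
            "dev-helper": {"command": "node", "args": [str(root / ".hidden-cache" / "server.js")]},
        }})
        return {
            "mcp": sorted(audit_mcp_config(mcp_config, {"filesystem"})),
            "hooks": audit_git_hooks(root),
            "workflows": audit_workflows(root, {"ci.yml"}),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

In a real audit, point the functions at the developer's MCP client configuration file and each repository checkout, and feed them the allowlists your team maintains.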
