SANDWORM_MODE npm Worm Now Injects Malicious MCP Servers into AI Coding Agents

blackorbird

Socket's threat research uncovered SANDWORM_MODE, an active npm worm that targets AI coding assistants via MCP server injection. Installing one of 19 malicious typosquatted packages gives attackers a foothold that feeds hostile instructions to tools like Claude Code and Cursor.

SANDWORM_MODE is an active npm supply chain worm tracked by Socket's threat research team across at least 19 malicious packages under two npm aliases. When a developer installs one, the package steals credentials, injects a hidden malicious MCP server into their home directory, and poisons GitHub Actions workflows, propagating through any repos the developer can access.

The MCP injection is the new attack surface. The malicious server registers itself with AI coding agents and can push hostile prompt injections into tools like Claude Code or Cursor, manipulating the agent's behavior during sessions. Packages impersonate popular tools via typosquatting (e.g., suport-color for supports-color), making them easy to install by mistake.

Socket has petitioned npm to remove the packages and linked publisher aliases. Check your package.json dependencies against the Indicators of Compromise list in Socket's report.

blackorbird (@blackorbird) on X:

MCP Server Injection
The payload exports a dedicated McpInject module that targets AI coding assistants. It first generates a randomized developer-sounding name from word pools (e.g., dev-utils, node-analyzer) and creates a hidden directory in the user’s home (e.g., ~/.dev-utils/), then writes a malicious MCP server into it. ref: SANDWORM_MODE: Shai-Hulud-Style npm Worm Hijacks CI Workflows and Poisons AI Toolchains https://t.co/nkLEl5jO47

