They Poisoned the AI Tools You Use Every Day. So We Built Something About It.
I wrote a few weeks ago about hackers already bein' on the water. About how the people buildin' exploits aren't waitin' for anyone's permission. They're movin'.
Well. They moved.
Socket's Threat Research Team just dropped one of the most comprehensive supply chain attack disclosures I've seen in 25 years of buildin' software. They're callin' it SANDWORM_MODE — a Shai-Hulud-style worm campaign spread across at least 19 malicious npm packages, published under two aliases, that doesn't just steal your credentials. It hijacks your CI pipelines. It poisons your AI coding tools. And it has a self-propagating worm loop that uses your identity to infect other developers.
SANDWORM_MODE: Shai-Hulud-Style npm Worm Hijacks CI Workflows and Poisons AI Toolchains — Socket.dev
Read it. All of it. Now let me break down the parts that matter most and what we built in response.
The Kill Chain
This ain't a smash-and-grab. This is a multi-stage, time-gated, environment-aware worm with fallback channels and an insurance policy for every phase.
Stage 0: The Loader
You install a typosquatted package — suport-color instead of supports-color, naniod instead of nanoid, hardhta instead of hardhat. Three packages impersonate Claude Code itself (claud-code, cloude, cloude-code). One targets OpenClaw, the AI agent that just passed 210k stars.
The package preserves the expected library behavior. Color detection still works. But buried in the source is a 167KB base64 blob that gets zlib-inflated, XOR-decrypted with a static 32-byte key, and executed via indirect eval(). Some variants split the payload across 45 base64 chunks disguised as config properties and execute entirely in memory via Node's Module._compile() — no file ever touches disk.
Stage 1: The Quiet Harvest
On import, the worm detects whether it's in CI (GITHUB_ACTIONS, GITLAB_CI, CIRCLECI, JENKINS_URL, BUILDKITE). In CI? Full payload fires immediately. On a developer machine? A jittered timeout of 5–30 seconds, then it starts collectin'. File reads only — quiet as a church mouse.
It grabs:
- .npmrc tokens from home, cwd, and platform-specific paths
- GitHub tokens (ghp_, gho_, github_pat_)
- Environment variables matchin' KEY, SECRET, TOKEN, PASSWORD, CREDENTIAL, AUTH, or API
- Crypto private keys, mnemonics, Solana keys, BTC WIF, xprv from config files
Stage 2: The 48-Hour Time Bomb
Stage 2 is AES-256-GCM encrypted inside Stage 1. It only decrypts after a 48-hour base delay plus up to 48 hours of per-machine jitter. Most automated security scanners run packages for minutes. By the time Stage 2 fires, the package has long since passed screening.
The Part That Should Terrify Every Developer
MCP Server Injection
The McpInject module generates a random developer-sounding name and creates a hidden directory in your home folder. It writes a malicious MCP server that registers innocuous-sounding tools with embedded prompt injections that silently read your SSH keys, AWS credentials, npm tokens, and environment secrets.
The module then injects this server into every AI coding assistant config it finds — Claude Code, Claude Desktop, Cursor, VS Code Continue, and Windsurf.
So We Built Something
When the Socket disclosure dropped, the team at Closed Circuit Inc. didn't write a think piece. We wrote code.
sandtrace is an open-source, lightweight developer-focused EDR built in Rust. It monitors credential access, supply chain attacks, and exfiltration on developer machines.
This week we shipped a direct response to SANDWORM_MODE — 865 new lines of detection logic and 80 tests passing, covering MCP config tampering, rogue MCP server detection, prompt injection patterns, git template poisoning, AI key exposure, and SANDWORM_MODE-specific typosquat detection.
Why Open Source
The developers gettin' hit by SANDWORM_MODE are indie devs, small teams, open source maintainers — people who don't have enterprise EDR budgets. They deserve tools that protect them. Free. Open. No strings.
What You Should Do Right Now
- Audit your MCP configs. Check your Claude, Cursor, Continue, and Windsurf settings for entries you didn't add.
- Check your git templates. Run git config --global init.templateDir and inspect any hooks.
- Check your npm dependencies. Audit for typosquatted packages.
- Run sandtrace. Clone it, build it, scan your machine.
- Rotate your tokens if you've installed any uncertain npm package recently.
- Review your CI workflows. Look for unauthorized workflow files.
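As an added example (my own, not sandtrace code and not from the Socket disclosure), here is a small Python audit covering the first and third items above: it flags package.json dependencies that exactly match the bad names this post lists or sit within two edits of a watched legitimate name, and MCP config entries that run out of an unexpected hidden directory right under your home folder. The mcpServers/command/args config layout and the allowlist of toolchain directories are assumptions; the sample inputs are constructed.

```python
import json
# Names the post says were impersonated, the bad names it lists, and an assumed allowlist of
# hidden home dirs where toolchains legitimately live (tune both lists for your own setup).
WATCHED_PACKAGES = {"supports-color", "nanoid", "hardhat"}
KNOWN_BAD = {"suport-color", "naniod", "hardhta", "claud-code", "cloude", "cloude-code"}
EXPECTED_HIDDEN_DIRS = {".nvm", ".npm", ".volta", ".cargo", ".local"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance to a popular name is the typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious_dependencies(package_json: str, max_distance: int = 2) -> dict:
    """Map suspect dependency names to a reason: an exact known-bad match, or near a watched name."""
    data = json.loads(package_json)
    findings = {}
    for name in {**data.get("dependencies", {}), **data.get("devDependencies", {})}:
        if name in KNOWN_BAD:
            findings[name] = "named in the SANDWORM_MODE disclosure"
            continue
        for legit in WATCHED_PACKAGES:
            if name != legit and edit_distance(name, legit) <= max_distance:
                findings[name] = f"within {max_distance} edits of {legit}"
                break
    return findings

def suspicious_mcp_servers(config_json: str, home: str) -> list:
    """Flag MCP servers run from an unexpected hidden dir right under home (where the post says the injected server lands)."""
    home = home.rstrip("/")
    flagged = []
    for name, entry in json.loads(config_json).get("mcpServers", {}).items():
        for p in [entry.get("command", "")] + list(entry.get("args", [])):
            p = home + p[1:] if p.startswith("~/") else p  # expand a leading ~ the way a shell would
            top = p[len(home) + 1:].split("/")[0] if p.startswith(home + "/") else ""
            if top.startswith(".") and top not in EXPECTED_HIDDEN_DIRS:
                flagged.append(name)
                break
    return flagged

# Constructed sample inputs so the checks run stand-alone; not taken from any real project or machine.
SAMPLE_PACKAGE_JSON = json.dumps({"dependencies": {"supports-color": "^9.0.0", "suport-color": "1.0.0"},
    "devDependencies": {"hardhta": "2.0.0", "nanoid": "^5.0.0", "nanoidd": "0.1.0", "express": "^4.0.0"}})
SAMPLE_MCP_CONFIG = json.dumps({"mcpServers": {
    "node-via-nvm": {"command": "/home/dev/.nvm/versions/node/v20/bin/node", "args": ["/home/dev/projects/srv.js"]},
    "dev-helper": {"command": "node", "args": ["/home/dev/.devtools-cache/server.js"]},
    "local-helper": {"command": "~/.local-helper/run.sh", "args": []}}})
```

Point the two functions at your real package.json and at each assistant's MCP config (Claude, Cursor, Continue, Windsurf) and treat every hit as something to explain, not something to ignore.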
Stay sharp out there.
— Jax