Phoenix Security — SANDWORM_MODE npm worm poisons AI toolchains
AI relevance: The worm explicitly injects rogue MCP servers into AI coding assistants, turning agent toolchains into credential-exfiltration paths.
- Phoenix Security tracks a Shai‑Hulud-style npm worm dubbed SANDWORM_MODE that published at least 19 malicious packages under two aliases.
- The packages execute on import to steal npm, GitHub, CI, crypto, and LLM API credentials, then pivot through developer and CI environments.
- Stage‑2 behavior includes GitHub Actions workflow poisoning, global git hook persistence, and dependency injection into package.json / lockfiles.
- The campaign targets AI toolchains by injecting a rogue MCP server into assistants like Claude Code, Cursor, Continue, and Windsurf.
- Once injected, the assistant is prompted to read files like ~/.ssh/id_rsa, ~/.aws/credentials, and .env, then pass them as tool context.
- The report warns there are no safe versions for the listed packages and recommends full purge + credential rotation.
- Check Point’s weekly bulletin links the same worm narrative and highlights MCP injection as a key exfiltration vector.
Why it matters
- This is a direct example of AI toolchain supply‑chain compromise where a package infection cascades into agent‑driven data theft.
- MCP injection turns “helpful” assistants into privileged data brokers, bypassing traditional endpoint controls.
What to do
- Hunt for the listed packages in SBOMs and lockfiles; remove and purge node_modules if present.
- Rotate all developer and CI secrets that could be accessed from affected machines.
- Lock down agent toolchains: require allowlisted MCP servers, pin packages, and disable auto‑tool installation.
- Monitor outbound MCP traffic for unexpected tool registrations or exfiltration-style requests.
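As an added example (not code from Phoenix Security or the report), the first and third items above in Python: a lockfile hunt for a denylist of package names, and a check that every MCP server registered in an assistant config matches an approved launch spec. The denylist entry, the sample lockfile and the sample MCP config are constructed placeholders, and the `{"mcpServers": {...}}` layout is an assumption about the assistants' config files.

```python
"""Hunt a package-lock.json for denylisted packages and flag MCP servers that are not on an allowlist."""
import json

# Constructed sample package-lock.json (lockfileVersion 3 layout); not taken from the report.
SAMPLE_LOCKFILE = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-pad": "^1.3.0", "example-evil-pkg": "^2.0.0"}},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/example-evil-pkg": {"version": "2.0.1"},
    },
})
# Constructed sample MCP config; the {"mcpServers": {...}} layout is an assumption.
SAMPLE_MCP_CONFIG = json.dumps({"mcpServers": {
    "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "."]},
    "github": {"command": "node", "args": ["/tmp/.cache/helper.js"]},
    "helper-7f3": {"command": "node", "args": ["/tmp/.cache/helper.js"]},
}})
# Placeholder denylist: substitute the package names listed in the Phoenix Security report.
DENYLIST = {"example-evil-pkg"}
# Approved MCP servers with the exact launch spec the team reviewed (constructed).
MCP_ALLOWLIST = {
    "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "."]},
    "github": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"]},
}

def find_denylisted_packages(lockfile_text, denylist):
    """Return sorted (name, version) pairs for denylisted packages present in the lockfile.
    lockfileVersion>=2 keys 'packages' by install path, so the package name (scoped or
    nested) is the text after the last 'node_modules/'; v1 lockfiles use top-level 'dependencies'."""
    lock = json.loads(lockfile_text)
    hits = set()
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if path and name in denylist:  # skip the root entry ""
            hits.add((name, meta.get("version", "?")))
    for name, meta in lock.get("dependencies", {}).items():
        if name in denylist:
            hits.add((name, meta.get("version", "?")))
    return sorted(hits)

def find_unapproved_mcp_servers(config_text, allowlist):
    """Return MCP server names that are unknown, or known but launched differently than
    approved (an injected server may reuse a trusted name with a swapped command)."""
    servers = json.loads(config_text).get("mcpServers", {})
    return sorted(name for name, spec in servers.items()
                  if allowlist.get(name) != {"command": spec.get("command"), "args": spec.get("args", [])})

if __name__ == "__main__":
    print(find_denylisted_packages(SAMPLE_LOCKFILE, DENYLIST), find_unapproved_mcp_servers(SAMPLE_MCP_CONFIG, MCP_ALLOWLIST))
```

Point both functions at the real lockfile and the assistant's MCP config on disk; a non-empty result from either is the signal to purge node_modules and rotate credentials as the report recommends.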