Earlier this year, we asked our team where they expect open source cyberattacks to go next. Sonatype Principal Security Researcher Garrett Calpouzos shared his thoughts about how he anticipated attackers won't simply use automation, but also abuse victims' AI tools:
"With AI tooling now ubiquitous, future threats may even leverage a host's local AI environment to intelligently adapt their structure to the specific package being republished, significantly complicating static detection."
Recent disclosures prove Garrett's prediction correct.
Security researchers at Socket recently disclosed new, worm-like malware on npm dubbed SANDWORM_MODE that demonstrates how quickly attacker tradecraft evolves once a technique proves successful. This technique reinforces a troubling trend: open source malware is no longer opportunistic, but iterative.
SANDWORM_MODE is not simply another malicious package upload. It reflects the continued evolution of shai-hulud-style supply chain worms, and signals where we can expect attackers to continue focusing.
The Return of the npm Worm, With Refinement
The industry previously saw how a worm-like supply chain attack could unfold during the shai-hulud campaign and fallout, which we covered in depth.
Shai-hulud demonstrated attackers could compromise legitimate packages, infect developer environments, and automatically republish using maintainer credentials. It was more than just malware. It was a propagation model.
SANDWORM_MODE appears to follow this same general pattern, functioning as a shai-hulud-like self-replicating malware that leverages trusted publishing workflows to spread.
How SANDWORM_MODE Propagates
SANDWORM_MODE was distributed through a cluster of typosquatted npm packages that, once installed, harvested sensitive data from developer machines and CI environments.
The malicious code collected npm and GitHub tokens, environment variables, cryptographic keys, and API credentials, then used stolen identities to propagate into additional repositories and republish compromised packages. It also targeted CI/CD secrets and integrated into build workflows, increasing its ability to spread laterally.
Compared to earlier shai-hulud-style worms, SANDWORM_MODE expands on the model with broader credential harvesting and deeper abuse of developer tooling, amplifying both its reach and impact.
But what makes this moment significant is not just repetition, but rather refinement.
Adaptation Is the Threat Multiplier
Garrett's prediction did not focus solely on worm-like attacks. It emphasized something deeper: the role of AI and intelligent automation inside developer environments.
Modern development workflows now include AI-powered coding tools, automated build and publishing pipelines, local scripts and environment-specific configurations, and high levels of package interdependency. If malware gains access to that environment, it gains context.
In the case of SANDWORM_MODE, researchers observed code designed to call a local Ollama instance — effectively attempting to use the infected machine's own AI runtime to rewrite or transform portions of the malware. While this polymorphic capability was not executed in the observed samples, its presence reveals clear experimentation with AI-assisted mutation.
This type of self-replicating malware that can adapt its modifications to the structure, dependencies, or publishing workflow of a specific package represents a meaningful escalation.
Evolution of the Supply Chain Worm
Early analysis of the SANDWORM_MODE campaign reveals it targets modern developer environments. The malware spreads through typosquatted packages and steals credentials. It also uses a weaponized GitHub Action to steal CI/CD secrets, inject workflows, and install a rogue server to disrupt AI coding assistants and harvest keys.
The multi-stage payload modifies build artifacts and uses hooks to persist, showing sophisticated automation. Notably, the inclusion of polymorphic logic — even if dormant — suggests attackers are actively exploring how AI access on a compromised host could be used to dynamically alter malware structure, potentially making each infection slightly different from the last.
This experimentation aligns with a broader trend we've observed: a sharp escalation in open source malware that leverages automation and AI tooling. While highly adaptive, AI-driven polymorphism represents the sophisticated end of the spectrum, we are also seeing signs of the opposite extreme — low-effort, mass-generated packages that appear to be AI-written.
For example, recent campaigns have included clusters of oddly named npm packages with repetitive structure and subtle implementation errors characteristic of AI-generated code. These packages may not be technically advanced, but they illustrate how AI reduces the barrier to producing large volumes of unique malicious variants.
This marks a significant escalation in how supply chain malware exploits developer tools to hide and amplify its impact.
Why This Class of Malware Is Hard to Catch
Modern open source malware often evades detection because it isn't assigned a CVE, making it invisible to tools that rely on vulnerability databases. It can mutate quickly to bypass signature-based detection, and malicious logic is frequently hidden within legitimate package updates, allowing it to blend into trusted components and evade superficial scans.
In a shai-hulud-like worm scenario, the problem compounds:
-
The compromised package already has reputation and trust.
-
The malicious update appears to come from a legitimate maintainer.
-
The publishing activity can resemble normal automation.
-
The payload may vary slightly from package to package.
If attackers successfully leverage AI tooling to introduce minor structural rewrites on each infection, we could see a spike in trivially unique malware — variants that are functionally similar but structurally distinct enough to complicate static signatures.
Detection in this environment requires more than scanning for known bad code. It requires identifying integrity violations, anomalous publishing behavior, credential misuse, and subtle deviations from expected package evolution.
Sonatype's Detection and Protection
Although Sonatype did not discover SANDWORM_MODE, our security research team analyzed the campaign shortly after disclosure.
We can confirm:
-
Our Release Integrity capability detected all known instances associated with this attack.
-
The internal vulnerability identifier assigned to this campaign is sonatype-2026-000542.
-
Release Integrity flagged affected components, including early detection of several packages and subsequent coverage of all known variants as they were disclosed and removed from npm.
Adaptive supply chain worms demand integrity-based, behavior-aware analysis, not just vulnerability lookups.
When malware spreads by abusing trust, trust itself must be continuously validated.
The Expanding Attack Surface: Developers and Their Toolchains
SANDWORM_MODE reinforces that developers' local environments are now primary targets.
When attackers compromise maintainer credentials, local publishing workflows, automation scripts, or AI-assisted development environments, they gain far more than isolated access points. They inherit the trust, scale, and automation built into modern software delivery.
By embedding themselves within these trusted systems, adversaries can silently manipulate packages, trigger automated releases, and propagate malicious updates through legitimate channels, all while appearing to operate as an authorized contributor.
Shai-hulud proved that wormable supply chain attacks are feasible. SANDWORM_MODE shows they are repeatable. AI-assisted experimentation hints that the next generation may be adaptive by design.
We are entering an era where open source ecosystems function as programmable attack surfaces, and attackers learn to operate inside them with growing sophistication.
From Reactive Defense to Continuous Governance
The lesson is not simply to "scan dependencies" but to continuously verify the integrity of the software supply chain.
Organizations need the ability to:
-
Detect malicious modifications within trusted packages.
-
Identify anomalous publishing behavior in real time.
-
Evaluate contextual risk before components enter development pipelines.
-
Enforce governance policies consistently across teams.
-
Deliver curated security intelligence directly to developers.
Without this shift, defenders remain reactive to disclosures rather than resilient against evolving worm behavior.
Moving Forward with Sonatype Guide
As supply chain worms become more adaptive and automated, security programs must evolve just as quickly.
Sonatype Guide provides curated, real-time intelligence on open source risk — including malware campaigns, supply chain threats, and emerging worm patterns like SANDWORM_MODE — directly to developers and security teams.
Instead of responding after public disclosure, organizations can:
-
Proactively block malicious open source components.
-
Apply policy controls aligned with risk tolerance.
-
Reduce exposure to compromised packages.
-
Empower developers with contextual intelligence, not just alerts.
Open source malware is no longer static. Shai-hulud demonstrated the worm model. SANDWORM_MODE represents its continued evolution.
The next phase — intelligent adaptation inside developer environments — is no longer hypothetical. The question now is whether defenders will evolve at the same pace.
Written by Sonatype Security Research Team
Sonatype's Security Research Team is focused on bringing real-time, in-depth intelligence and actionable information about open source and third party vulnerabilities to Sonatype customers.
Tags
