
Malicious npm Packages Harvest Crypto Keys and API Tokens in SANDWORM_MODE Campaign
Tags: Cybersecurity, Supply Chain, npm, Malware, Credentials, Cryptocurrency, API, SANDWORM_MODE, Shai-Hulud, Socket
Cybersecurity researchers identified an active supply chain worm campaign, codenamed SANDWORM_MODE, leveraging at least 19 malicious npm packages to harvest credentials, cryptocurrency keys, and API tokens. The campaign was disclosed by supply chain security company Socket and compared to prior "Shai-Hulud" attack waves due to its self-propagating nature. No specific dates, CVE IDs, or targeted organizations were mentioned in the available details. The attack focuses on stealing sensitive data from compromised systems, including continuous integration (CI) secrets. The malicious code is embedded within the npm packages, enabling automated credential theft.