Shai-Hulud and The Future of Self-Propagating Supply Chain Worms


How a Dune-inspired malware family is redefining the future of supply chain attacks

Overview

  • What Is a Self-Propagating Supply Chain Worm?
  • Overview
  • Timeline
  • s1ngularity (August 2025)
  • Shai-Hulud 1.0 (September 2025)
  • Shai-Hulud 2.0 (November 2025)
  • Shai-Hulud 3.0 (December 2025)
  • SANDWORM_MODE - AI Assistants Become Targets
  • Why This Marks a New Beginning

2025 was a particularly bad year for the JavaScript world. Setting aside the other attacks that also targeted the popular programming language, 3 campaigns inspired by the sci-fi series Dune targeted the npm package registry in the span of 6 months. The registry is essentially a digital library of pre-made "building blocks" that almost every website and app uses. Together, these campaigns sparked and defined a new and dangerous class of malware: self-propagating supply chain worms.

What Is a Self-Propagating Supply Chain Worm?

A software supply chain attack compromises a package or tool that developers already trust, so malicious code reaches victims through software they installed themselves. Most supply chain attacks stop there. A package gets poisoned, developers who install it get hit, and the infection ends.

A supply chain worm expands on this by automatically replicating itself, dramatically increasing the blast radius. When it runs on a developer's machine, it typically harvests credentials and developer secrets like npm tokens, OpenAI tokens, GitHub tokens, SSH keys, AWS credentials, crypto keys, and other sensitive environmental secrets. It then uses those credentials to automatically publish malicious packages from the developer's account, meaning that it self-propagates through packages the victim maintains. Each newly infected maintainer becomes a "point of spread." One compromised account can turn into hundreds of poisoned packages within hours, since many packages depend on one another.

npm's scale makes this especially dangerous. The JavaScript package registry serves billions of downloads each week. Developers install packages from other trusted developers. When a worm republishes its malicious payload under a legitimate maintainer's name, there are no obvious red flags, which makes the worm even more destructive.


Executive Summary

The shift began with the August 2025 s1ngularity supply chain attack on Nx, an AI-driven platform that optimizes developer workflows. This was the trigger that led to the development of self-propagating supply chain worms and the subsequent Dune-inspired malware family, which references the giant "Shai-Hulud" sandworm and most recently culminated in SANDWORM_MODE in February 2026. Each subsequent iteration has shown escalating complexity by improving persistence, refining propagation methods, and, most recently, targeting AI coding tools as an attack vector.

The most severe escalation to date was the introduction of Model Context Protocol (MCP) server and prompt injection, alongside a technique called slopsquatting, in SANDWORM_MODE. While researchers neutralized this campaign before it reached hundreds of packages like its predecessor, Shai-Hulud 2.0, the implications are still significant. It shows that attackers are no longer focused on poisoning small supply chains and stealing credentials; they are now expanding their blast radius by targeting the new AI tools that developers increasingly rely on.


Timeline

Campaign Timeline

August 26, 2025: s1ngularity discovered (Nx build system, 3.5M weekly downloads)

September 15 - 17, 2025: Shai-Hulud 1.0 (180–526 packages compromised)

November 24 - December 2025: Shai-Hulud 2.0 (~700 packages: pre-install hook, dead switch)

December 29, 2025: Shai-Hulud 3.0 spotted

February 20, 2026: SANDWORM_MODE neutralized & disclosed by Socket Research Team


s1ngularity (August 2025)

On August 26, 2025, a malicious version of the Nx build system appeared on npm. Hidden inside was a script designed to sweep developer machines for secrets: GitHub tokens, npm tokens, SSH keys, cryptocurrency wallets, .env files, etc.

The malware encoded stolen data in double and triple-base64, and exfiltrated it by creating public GitHub repositories under the victim's own account, named s1ngularity-repository-n, which masks any traces of the originating threat actor. Thousands of users had credentials publicly exposed in an eight-hour window before GitHub intervened. By the end of the campaign, more than 5,500 private repositories across 400 organizations had been made public.

Unlike the campaigns covered below, s1ngularity was not a worm. It did not republish packages or spread itself. What it did was load the gun: the GitHub and npm tokens it harvested were exactly the credentials needed to launch a propagating worm 3 weeks later.

Impact

s1ngularity directly exposed the GitHub and npm credentials used to launch the Shai-Hulud worms that followed. By the end of this attack, more than 5,500 private repositories across 400 organizations were made public. While no direct dollar figure has been attributed to s1ngularity alone, the stolen credentials it harvested were the seed capital for over $58 million in downstream crypto theft — making it the exploit that made everything else possible.


Shai-Hulud 1.0 (September 2025)

On September 15, 2025, Shai-Hulud 1.0 introduced something the npm ecosystem had never seen: a true self-propagating worm. Wiz Research later assessed Shai-Hulud 1.0 as "directly downstream" of s1ngularity, with the initial compromised packages including known victims of the earlier attack. The malware ran on infected machines, harvested credentials, then used stolen npm tokens to enumerate every package a victim maintained and republish malicious versions of each. ReversingLabs called it a "first of its kind self-replicating worm." The attack ultimately compromised between 180 and 526 packages, including packages belonging to organizations like CrowdStrike and hundreds of other popular packages.

1.0 Impact

Security researchers linked approximately $50 million in cryptocurrency theft to credentials stolen during Shai-Hulud 1.0.


Shai-Hulud 2.0 (November 2025)

Launched on November 24, 2025, Shai-Hulud 2.0 was the longest-running and most devastating campaign of the series. It compromised 492 packages across Zapier, ENS Domains, AsyncAPI, PostHog, and Postman, which collectively had 132 million monthly downloads, and generated over 30,000 compromised repositories across 6+ days. Initial access was confirmed via abuse of pull_request_target in high-profile targets like PostHog, as well as a targeted phishing campaign that compromised the account of an npm package maintainer. The worm moved its payload to the pre-install hook (a set of automatic instructions that run the moment a package is downloaded, before the developer has even finished installing it) through setup_bun.js and bun_environment.js, ensuring execution even in environments that blocked the post-install scripts seen in Shai-Hulud 1.0. It also spread beyond npm, spilling into the Java/Maven ecosystem via PostHog's automated mirroring and infecting the AsyncAPI OpenVSX IDE extension.
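A defender can surface install-time hooks before they run. The following is an added example, not code from the article or its sources: it audits already-parsed package.json manifests for lifecycle scripts and ranks the two loader file names mentioned above first. The sample manifests and their package names are constructed.

```javascript
// Added example: audit parsed package.json manifests for install-time hooks.
// npm runs these script keys automatically while installing a dependency.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
// Loader file names the article attributes to Shai-Hulud 2.0.
const KNOWN_LOADERS = ['setup_bun.js', 'bun_environment.js'];

function auditManifest(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== 'string' || command.trim() === '') continue;
    const indicator = KNOWN_LOADERS.find((file) => command.includes(file));
    findings.push({
      package: `${manifest.name}@${manifest.version}`,
      hook,
      command,
      severity: indicator ? 'known-indicator' : 'review',
    });
  }
  return findings;
}

// Audit a whole dependency tree; known indicators sort to the top.
function auditTree(manifests) {
  const rank = { 'known-indicator': 0, review: 1 };
  return manifests
    .flatMap(auditManifest)
    .sort((a, b) => rank[a.severity] - rank[b.severity]);
}

// Constructed manifests (package names and versions are hypothetical).
const SAMPLE_MANIFESTS = [
  { name: 'native-addon-demo', version: '2.1.0', scripts: { install: 'node-gyp rebuild' } },
  { name: 'tunnel-helper-demo', version: '1.4.2', scripts: { preinstall: 'node setup_bun.js', test: 'jest' } },
  { name: 'plain-lib-demo', version: '0.3.0', scripts: { test: 'mocha' } },
];

console.log(JSON.stringify(auditTree(SAMPLE_MANIFESTS), null, 2));
```

npm's ignore-scripts setting (or `npm install --ignore-scripts`) stops these hooks from running at all, at the cost of breaking packages that need a build step.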

Per Wiz Research, only 23% of infections hit developer machines; the majority struck Linux containers in CI/CD pipelines. The top two vectors, @postman/tunnel-agent and @asyncapi/specs, drove over 60% of infections. Up to 400,000 raw secrets were collected; however, since the malware did not use the --only-verified flag, only about 2.5% of those are verified. The confirmed credential leak count was hundreds of valid secrets across hundreds of companies, with over 60% of leaked npm tokens still active as of December 1st. The worm also carried a dead switch, meaning that if it failed to authenticate with GitHub or npm, it would wipe all files in the victim's home directory. It also installed backdoors on compromised machines, which can be used for future campaigns, though there is no evidence that they have been used in the wild.

2.0 Impact

On Christmas Eve, December 24, 2025, attackers used GitHub secrets stolen in this wave to push a malicious update to Trust Wallet's Chrome extension. Over two days, 2,520 wallets were drained of $8.5 million in cryptocurrency. Trust Wallet (200M+ users) confirmed it would voluntarily reimburse all affected customers.


Shai-Hulud 3.0 (December 2025)

A third variation of the Shai-Hulud campaign was spotted during the holiday season on December 29, 2025, but it has shown no signs of activity; rather, it seems to have been in its testing stages. Researchers are keeping an eye on it, meaning that the actor is likely to pivot their behavior.


SANDWORM_MODE - AI Assistants Become Targets

On February 20, 2026, Socket's Threat Research Team neutralized and disclosed SANDWORM_MODE. The campaign, which seemed to be a pre-release build, carried the hallmarks of the 2 previous, successful Shai-Hulud campaigns: 19 packages published under two aliases (official334 and javaorg), credential theft, and worm propagation. What was new were the attack surfaces it attempted to exploit.

Several packages used typosquatting to impersonate popular developer utilities: suport-color for supports-color, rimarf for rimraf, three packages impersonated Claude Code, and one targeted OpenClaw as OpenCraw. The choice of AI tool names was deliberate, and it connects to a new emerging threat called slopsquatting.

As AI coding assistants become standard in developer workflows, they sometimes hallucinate plausible but nonexistent package names when generating code, which is where slopsquatting comes in. Developers copy the suggestion and install it without checking. Attackers register those names in advance. The more developers rely on AI to write and suggest code, the larger the attack surface grows. SANDWORM_MODE targeted AI tool names specifically because that surface is expanding fast and developers are least likely to scrutinize a package their AI assistant just recommended.
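A name check before install catches both cases. The following is an added example, not code from the article or its sources: it compares requested dependency names against an allowlist using optimal string alignment distance (edits plus adjacent swaps), so look-alikes of trusted names are flagged and names near nothing are marked unknown for manual verification. The allowlist and the last requested name are constructed.

```javascript
// Added example: optimal-string-alignment distance (edits plus adjacent swaps).
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      const swapped = i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1];
      if (swapped) d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
    }
  }
  return d[a.length][b.length];
}

// Classify each requested name as trusted, lookalike (near a trusted name), or unknown.
function classifyDependencies(requested, trusted, maxDistance = 2) {
  const known = trusted.map((n) => n.toLowerCase());
  return requested.map((raw) => {
    const name = raw.toLowerCase();
    if (known.includes(name)) return { name: raw, status: 'trusted' };
    let best = null;
    for (const candidate of known) {
      const distance = osaDistance(name, candidate);
      if (distance <= maxDistance && (!best || distance < best.distance)) {
        best = { resembles: candidate, distance };
      }
    }
    return best ? { name: raw, status: 'lookalike', ...best } : { name: raw, status: 'unknown' };
  });
}

// Constructed allowlist; a real one would come from the team's reviewed lockfile.
const TRUSTED = ['supports-color', 'rimraf', 'chalk'];
// First two names are the look-alikes quoted in the article; the last is made up.
const REQUESTED = ['suport-color', 'rimarf', 'chalk', 'fast-json-helper-demo'];

console.log(classifyDependencies(REQUESTED, TRUSTED));
```

An unknown result is where an assistant-suggested name lands when it resembles nothing already vetted, so it should be verified by hand before it is installed.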

The deeper innovation was what happened after installation. The malicious payload installed a dedicated McpInject module that specifically targeted AI coding assistants.

Attack Mechanism:

Model Context Protocol (MCP): A system that lets AI coding assistants connect to and use external tools, like giving the AI a set of hands to interact with other software.

McpInject Attack Chain

  1. Concealment: It first created a randomized, legitimate sounding developer name (e.g., dev-utils, node-analyzer) and established a hidden directory in the user's home (e.g., ~/.dev-utils/).
  2. Rogue Server Installation: A malicious MCP server was then written into this hidden directory.
  3. Masquerade: This server registered itself as a legitimate tool provider over the standard MCP JSON-RPC protocol, offering three seemingly benign tools: index_project, lint_check, and scan_dependencies.
  4. Prompt Injection: The critical step was that the description for each of these tools contained an embedded prompt injection instruction.
  5. Exfiltration: When an AI assistant read the tool listing, the hidden prompt instructed it to silently read sensitive assets–specifically, SSH keys, AWS credentials, npm tokens, crypto keys, and environment secrets. It then passed these credentials to the rogue MCP server as a context parameter.
  6. Staging: The server wrote the stolen data to a local staging directory for subsequent exfiltration.
  7. Invisibility: The prompt injection explicitly told the AI model not to mention this action, meaning the developer saw their AI assistant operating normally while credentials were being stolen in the background.

This rogue MCP server was then registered inside AI coding assistant configuration files, such as ~/.claude/settings.json and ~/.cursor/mcp.json. Because AI assistants rely on MCP servers to act as tools, a malicious server–invisible to the developer–was able to steal credentials by embedding instructions directly into its tool descriptions.
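Because the rogue server has to be registered in those configuration files, they can be audited. The following is an added example, not code from the article or its sources: it triages a parsed assistant config, assuming servers are listed under an mcpServers object as { name: { command, args } } and that paths are POSIX style. The sample config, the home directory and the docs-search entry are constructed; dev-utils and node-analyzer reuse the example names given above.

```javascript
// Added example: triage MCP server entries in a parsed assistant config.
// Assumption: servers sit under `mcpServers` as { name: { command, args } }.
function expandHome(p, home) {
  return p === '~' || p.startsWith('~/') ? home + p.slice(1) : p;
}

// True when the path sits inside a dot-directory directly under the home dir.
function inHiddenHomeDir(p, home) {
  const base = home.replace(/\/+$/, '');
  const full = expandHome(p, base);
  return full.startsWith(base + '/.');
}

// Report every server that is not on the approved list, noting any
// command or argument that points into a hidden home directory.
function auditMcpServers(config, home, approved = []) {
  const servers = (config && config.mcpServers) || {};
  const findings = [];
  for (const [name, entry] of Object.entries(servers)) {
    if (approved.includes(name)) continue;
    const args = Array.isArray(entry.args) ? entry.args : [];
    const parts = [entry.command, ...args].filter((x) => typeof x === 'string');
    const paths = parts.filter((p) => inHiddenHomeDir(p, home));
    findings.push({
      name,
      reason: paths.length ? 'runs-from-hidden-home-dir' : 'not-approved',
      paths,
    });
  }
  return findings;
}

// Constructed sample config (home directory /home/dev is hypothetical).
const SAMPLE_CONFIG = {
  mcpServers: {
    'docs-search': { command: 'npx', args: ['-y', 'docs-search-mcp'] },
    'dev-utils': { command: 'node', args: ['/home/dev/.dev-utils/server.js'] },
    'node-analyzer': { command: 'node', args: ['~/.node-analyzer/index.js'] },
  },
};

console.log(auditMcpServers(SAMPLE_CONFIG, '/home/dev', ['docs-search']));
```

Feed it the JSON.parse output of each assistant config file; legitimate tools also live in dot-directories, so a hidden-path finding is a prompt to inspect that directory, not a verdict.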

Data left through multiple channels at once: HTTPS to a Cloudflare Worker endpoint, private GitHub repositories via the GitHub API, and DNS tunneling (a method of hiding data inside routine internet traffic) as a fallback using an algorithmically-generated domain. If all three channels failed, an SSH fallback was available via git push.


Two capabilities were present in the analyzed code but disabled. One was the destructive dead switch from 2.0, which is a hidden self-destruct or trigger mechanism built into malware that can be activated remotely by an attacker. The other was a polymorphic rewrite engine, a self-mutating system in which a locally running Ollama instance would rewrite the worm's own code to produce new variants with different hashes on every execution, defeating signature-based or "fingerprint"-based detection. It was not active, as the build seemed to be in its pre-release stage.


Why This Marks a New Beginning

Supply chain attacks have always relied on one core assumption: developers trust what they install. The Shai-Hulud lineage weaponized that trust through self-propagation. SANDWORM_MODE extends it one layer further. Not only are AI coding assistants becoming more widespread among developers, they have deep access to their machines. They read files, interact with local services, and run in the same environment where secrets live. An attacker who can poison that layer does not need to trick the developer–they only need to trick the AI.

The New Threat Model

Developers who treat AI assistant configuration files as low-risk, or those who don't even know they exist, will miss this entirely. ~/.claude/settings.json carries equivalent access implications to ~/.ssh/authorized_keys. The threat model for supply chain attacks now includes the AI reasoning layer sitting between the developer and their code.

Whether SANDWORM_MODE and the prior Shai-Hulud campaigns share the same operator(s) is still unresolved. The infrastructure patterns suggest at minimum that whoever built SANDWORM_MODE had deep familiarity with the prior campaigns: Dune-themed naming, the same dead switch logic, the same alias behavior. The campaign was caught early, with low download counts suggesting Socket's detection interrupted it before it could replicate the scale of Shai-Hulud 2.0. The next iteration will have learned from that too.

Ultimately, the 2025-2026 campaigns described above serve as proofs of concept for a much larger threat. As long as the technology ecosystem prioritizes pure speed and automation without the verification of third-party packages and tools, supply chain worms will continue to evolve, adapt, and be at least one more step ahead of us.


Sources

Nx: s1ngularity Supply Chain Attack Postmortem August 2025

Wiz Research: s1ngularity: Supply Chain Attack Leaks Secrets on GitHub August 2025

Aikido Security: Shai-Hulud 1.0: Nx Attackers Strike Again September 2025

Socket: Ongoing Supply Chain Attack Targets CrowdStrike npm Packages September 2025

ReversingLabs: Shai-Hulud: First-of-Its-Kind Self-Replicating npm Worm September 2025

Software Improvement Group: Shai-Hulud npm Supply Chain Attack

Wiz Research: Shai-Hulud npm Supply Chain Attack October 2025

Wiz Research: Shai-Hulud 2.0: Ongoing Supply Chain Attack November 2025

Wiz Research: Shai-Hulud 2.0 Aftermath December 2025

PostHog: Post-mortem of Shai-Hulud attack on November 24th, 2025 - PostHog November 2025

BleepingComputer: Trust Wallet Links $8.5 Million Crypto Theft to Shai-Hulud npm Attack December 2025

BleepingComputer: Shai-Hulud 2.0 npm Malware Attack Exposed Up to 400,000 Dev Secrets December 2025

Snyk: The Holiday Whisper: Shai-Hulud 3.0 December 2025

Socket: SANDWORM_MODE: Shai-Hulud-Style npm Worm Hijacks CI Workflows and Poisons AI Toolchains February 2026

Endor Labs: SANDWORM_MODE: Dissecting a Multi-Stage npm Supply Chain Attack February 2026

Kodem Security: SANDWORM_MODE: A New Shai-Hulud-Style npm Worm February 2026

The Register: AI Slop Squatting April 2025

