Threat Intelligence Report

SANDWORM_MODE: Shai-Hulud-Style npm Worm Hijacks CI Workflows and Poisons AI Toolchains

📅 February 21, 2026 📰 socket.dev 🔍 0 CVE(s) referenced

A sophisticated npm supply chain worm, SANDWORM_MODE, is actively hijacking CI workflows, stealing secrets, and poisoning AI developer toolchains via typosquatted packages and weaponized GitHub Actions, enabling automated propagation, credential exfiltration, and persistent compromise across both developer and CI environments.

vendor

🔐 Sign In to Read Full Report

You'll need to accept our Terms of Service to access the platform.

📊 Visual Mindmap

🎯 IOC Extraction

⚔️ MITRE ATT&CK TTPs

📦 STIX 2.1 Bundle