Originally reported by The Hacker News, SANS ISC
TL;DR
An active npm supply chain worm is harvesting cryptocurrency keys and CI secrets, while the Iranian APT MuddyWater is deploying new malware families against MENA organizations in a separate campaign.
The worm campaign is a significant threat to development environments and CI/CD pipelines. Together with state-sponsored activity fielding new malware families, it raises the risk profile defenders should plan for this week.
Socket's security researchers have identified an ongoing supply chain attack campaign dubbed SANDWORM_MODE, leveraging at least 19 malicious npm packages in what they characterize as a "Shai-Hulud-like" worm operation. The campaign specifically targets cryptocurrency wallet keys, CI/CD pipeline secrets, and API tokens.
The attack follows established patterns from previous Shai-Hulud campaigns, embedding malicious code within legitimate-appearing npm packages to achieve widespread distribution across development environments. The targeting of cryptocurrency keys alongside CI/CD credentials suggests attackers are pursuing both immediate financial gain and persistent infrastructure access.
Socket's discovery highlights the continuing vulnerability of the npm ecosystem to sophisticated supply chain attacks, particularly those designed to propagate through dependency chains.
The Iranian threat actor MuddyWater (also tracked as Earth Vetala, Mango Sandstorm, and MUDDYCOAST) has initiated a new campaign designated Operation Olalampo, targeting organizations and individuals primarily across the Middle East and North Africa region.
First observed on January 26, 2026, the operation has introduced several new malware families including GhostFetch, CHAR, and HTTP_VIP. These tools represent an evolution in MuddyWater's tactical approach, suggesting continued development of their offensive capabilities.
The campaign's focus on MENA targets aligns with Iran's established geopolitical interests in the region, while the deployment of novel malware families indicates sustained investment in advanced persistent threat capabilities.
The SANS Internet Storm Center has released their Monday, February 23rd Stormcast podcast, providing additional threat intelligence analysis and security community updates.