Malicious npm Packages Harvest Crypto Keys, CI Secrets, and API Tokens

A supply chain worm campaign named SANDWORM_MODE has used at least 19 malicious npm packages to steal crypto keys, CI secrets, and API tokens, and it can propagate using stolen identities. The malware also targets AI coding assistants by injecting malicious configurations, harvests API keys from multiple LLM providers, and includes a destructive routine that acts as a kill switch if access is lost.

Edward Kiledjian @ekiledjian