Overview
- Socket traced the campaign to at least 19 npm packages published under the aliases official334 and javaorg that impersonated popular utilities, including AI development tools.
- The malware operates in two stages, with an immediate grab of credentials and cryptocurrency keys and a second stage delayed 48–96 hours on developer machines but triggered instantly in CI environments.
- The operation injects a rogue MCP server and embedded prompts into AI coding assistants such as Claude Desktop, Cursor, VS Code Continue and Windsurf to collect SSH keys, tokens, environment secrets and LLM API keys.
- Exfiltration proceeds in a cascade using a Cloudflare Worker endpoint, authenticated uploads to attacker-controlled GitHub repositories and DNS tunneling with a domain-generation fallback.
- Vendors removed the packages and disabled supporting infrastructure, and researchers warn of additional components including a weaponized GitHub Action, Git hook persistence, a disabled polymorphic engine and an off-by-default wiper.