Breaking News: This NPM worm uses advanced techniques to bypass the latest detections and protections against malicious NPM packages.
A newly discovered NPM worm, first reported by socket.dev, is stealing tokens, environment variables, and API keys, and it tries to infect other NPM packages and developers along the way.
It also injects malicious MCP (Model Context Protocol) servers into tools like Claude Code, Cursor, and VS Code to maintain persistence on developers’ machines. It uses advanced techniques like a “time bomb” to stay dormant until unleashing its malicious behavior—running 48 hours after installation.
List of malicious NPM packages:
| Package Name | Version |
| --- | --- |
| claud-code | 0.2.1 |
| cloude-code | 0.2.1 |
| cloude | 0.3.0 |
| crypto-locale | 1.0.0 |
| crypto-reader-info | 1.0.0 |
| detect-cache | 1.0.0 |
| format-defaults | 1.0.0 |
| hardhta | 1.0.0 |
| locale-loader-pro | 1.0.0 |
| naniod | 1.0.0 |
| node-native-bridge | 1.0.0 |
| opencraw | 2026.2.17 |
| parse-compat | 1.0.0 |
| rimarf | 1.0.0 |
| scan-store | 1.0.0 |
| secp256 | 1.0.0 |
| suport-color | 1.0.1 |
| veim | 2.46.2 |
| yarsg | 18.0.1 |
Overview
A newly discovered malicious worm is spreading on NPM.
The OX Research team conducted an independent analysis confirming that, unlike previous NPM malware, this variant is highly aggressive: it steals API keys, secrets, and tokens, and deliberately hides its activity using “time-bomb” techniques that delay execution until 48 hours after infection.
Once active, the worm compromises developers’ local environments in multiple ways. It tampers with global Git configurations so that newly created projects are automatically compromised. If it cannot push malicious code to repositories using stolen API keys, it falls back to using the developer’s local SSH configuration to propagate further.
It also specifically targets AI coding agents and IDEs, attempting to add malicious MCP configurations that steal information—including LLM API keys and SSH keys—and exfiltrate it to a remote attacker-controlled server. In observed activity, stolen data is sent to the following C2 endpoint: https://pkg-metrics[.]official334[.]workers[.]dev.
The worm’s initial entry point relies on typosquatting, wherein a malicious package name is designed to look nearly identical to a legitimate one—so a small spelling mistake results in installing the attacker’s dependency instead of the intended package. After infecting a developer’s machine, it spreads by publishing new malicious versions of seemingly legitimate NPM packages, using stolen NPM tokens from compromised developers to update existing packages and propagate further across the ecosystem.
This threat becomes significantly more dangerous in AI-assisted and “vibe coding” workflows. Developers increasingly rely on LLMs (such as Claude or Codex-based tools) to suggest, add, and install dependencies automatically. In this context, a single incorrect package name—whether caused by typosquatting or poisoned model responses—can lead to the installation of a malicious package without manual review.
When developers grant AI agents permission to modify projects and install dependencies autonomously, a typo-squatted package can instantly compromise the local machine and, by extension, CI pipelines, repositories, and entire organizations. In other words, automation and trust in AI tooling dramatically reduce the friction an attacker needs to succeed.
Who is affected
Anyone who has installed dependencies from the malicious packages list is directly affected. Developers and organizations may also be exposed if the worm successfully propagates through additional packages that appear legitimate but have been compromised via stolen maintainer credentials.
Because the worm targets developer machines, the blast radius can quickly extend to CI systems, source code repositories, and downstream consumers of affected packages.
Impact
This NPM malware compromises developer accounts and the organizations they belong to. It enables attackers to steal secrets, API keys, SSH keys, and tokens, and to abuse trusted developer identities to spread further.
Any machine suspected of infection should be treated as fully compromised. All credentials present on the system must be considered exposed.
Recommended Actions
Immediate Actions:
- Remove all instances of the malicious packages from the machine and from package.json configuration files
- Rotate or revoke all keys on the machine
- Re-generate SSH private keys
- Re-configure your global git configuration
- Check your GitHub & NPM accounts for newly added repositories and packages, or any malicious changes inside them.
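To support the first action above, here is an added example (not code from OX Research or socket.dev) that checks a parsed `package.json` and `package-lock.json` against the package list on this page. The function names are hypothetical, the sample lockfile and manifest are constructed, and it assumes the lockfile v2/v3 `packages` layout.

```javascript
// Added example: match package.json / package-lock.json contents against the
// package list published on this page. Function names are hypothetical.
const LISTED = {
  "claud-code": "0.2.1", "cloude-code": "0.2.1", "cloude": "0.3.0",
  "crypto-locale": "1.0.0", "crypto-reader-info": "1.0.0", "detect-cache": "1.0.0",
  "format-defaults": "1.0.0", "hardhta": "1.0.0", "locale-loader-pro": "1.0.0",
  "naniod": "1.0.0", "node-native-bridge": "1.0.0", "opencraw": "2026.2.17",
  "parse-compat": "1.0.0", "rimarf": "1.0.0", "scan-store": "1.0.0",
  "secp256": "1.0.0", "suport-color": "1.0.1", "veim": "2.46.2", "yarsg": "18.0.1",
};

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/b"; the package
// name is whatever follows the last "node_modules/" (scoped names included).
function nameFromLockPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? null : path.slice(i + "node_modules/".length);
}

// Reports every resolved install (including nested ones) whose name is listed.
function scanLockfile(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromLockPath(path);
    if (!name || !Object.hasOwn(LISTED, name)) continue;
    hits.push({ name, version: meta.version, path, exactVersion: meta.version === LISTED[name] });
  }
  return hits;
}

// package.json holds ranges, not resolved versions, so report by name only.
function scanManifest(pkg) {
  const sections = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  return sections.flatMap((s) =>
    Object.keys(pkg[s] || {}).filter((n) => Object.hasOwn(LISTED, n)).map((name) => ({ name, section: s, range: pkg[s][name] })));
}

// Constructed sample input (not taken from a real project).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/rimraf": { version: "5.0.5" },
  "node_modules/rimarf": { version: "1.0.0" },
  "node_modules/yargs/node_modules/suport-color": { version: "1.0.0" },
} };
const sampleManifest = { dependencies: { rimarf: "^1.0.0", hardhat: "^2.22.0" } };

console.log(scanLockfile(sampleLock), scanManifest(sampleManifest));
```

A hit with `exactVersion: false` matches a listed name at a version other than the one in the table and still warrants review before the package is kept.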


