Poisoning the AI developer interface: The campaign was specifically flagged for its direct targeting of AI coding assistants. The malware deploys a malicious Model Context Protocol (MCP) server and injects it into the configurations of popular AI tools, embedding itself as a trusted component in the assistant's environment. Once this is achieved, prompt-injection techniques can trick the AI into retrieving sensitive local data, which can include SSH keys or cloud credentials, and passing it to the attacker without the user's knowledge.

The researchers also found a dormant polymorphic engine capable of rewriting the malware through code-level transformations such as variable renaming, control-flow rewriting, decoy code insertion, and string encoding, though no active mutation was observed during analysis. The engine is compatible with locally hosted models through Ollama, but presently only checks whether Ollama is running locally, they wrote.

The disclosure noted that npm has already hardened the registry against Shai-Hulud-class worms, tightening controls around the credential abuse this campaign exploits. Short-lived, scoped tokens, mandatory two-factor authentication for publishing, and identity-bound "trusted publishing" from CI are designed to contain the blast radius from stolen secrets, though their effectiveness ultimately depends on the scale and speed of maintainer adoption.
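A defender's check for the MCP-configuration injection described above, written here as an added example (not code from the article or the researchers). It assumes the common MCP client config layout of a top-level `mcpServers` object mapping a server name to `command`/`args`/`env`, a hypothetical allowlist of reviewed servers, and a constructed sample config; it flags entries that are not on the allowlist or that launch from temp/cache paths.

```python
import json
import sys

# Hypothetical allowlist: the MCP servers your team has reviewed and approved.
ALLOWLIST = {"filesystem", "github"}

# Path fragments a reviewed, properly installed server would rarely run from.
SUSPICIOUS_PATH_HINTS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/.cache/", "\\temp\\")


def load_mcp_servers(config_text: str) -> dict:
    """Return the mcpServers mapping from an MCP client config. Assumed shape:
    {"mcpServers": {name: {"command": str, "args": [...], "env": {...}}}}."""
    doc = json.loads(config_text)
    servers = doc.get("mcpServers", {})
    return servers if isinstance(servers, dict) else {}


def audit_mcp_servers(config_text: str) -> list:
    """Flag server entries that are not allowlisted or that launch from a
    temp/cache location. Returns a list of findings (empty when clean)."""
    findings = []
    for name, spec in load_mcp_servers(config_text).items():
        reasons = []
        if name not in ALLOWLIST:
            reasons.append("not on allowlist")
        argv = [str(spec.get("command", ""))] + [str(a) for a in spec.get("args", [])]
        if any(hint in " ".join(argv).lower() for hint in SUSPICIOUS_PATH_HINTS):
            reasons.append("launches from a temp/cache path")
        if reasons:
            findings.append({"server": name, "argv": argv, "reasons": reasons})
    return findings


# Constructed sample: one reviewed server plus one injected entry that runs a
# script from /tmp, the kind of foothold the article describes.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {"command": "npx", "args": ["-y", "server-filesystem", "/home/dev/src"]},
        "helper": {"command": "node", "args": ["/tmp/.x/mcp.js"], "env": {"DEBUG": "0"}},
    }
})

if __name__ == "__main__":
    # Audit a config file given on the command line, or the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit_mcp_servers(text):
        print(f"[!] {finding['server']}: {', '.join(finding['reasons'])} -> {finding['argv']}")
```

Run it against each AI tool's MCP config file on a workstation; a clean config produces no output.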
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4136476/shai-hulud-style-npm-worm-hits-ci-pipelines-and-ai-coding-tools.html

