According to Socket, the campaign operates as a typosquatting worm: the attacker publishes malicious packages that mimic trusted names (e.g., look-alikes of common utilities and AI coding tools). When one of these malicious packages is installed and imported, it executes a staged payload that harvests credentials from developer and CI environments (npm/GitHub tokens, environment secrets) and attempts to spread by using stolen tokens to modify additional repositories—injecting dependencies and adding/altering GitHub Actions workflows. Socket also describes a related malicious GitHub Action (ci-quality/code-quality-check@v1) used as a CI amplification mechanism; it is referenced by the worm to help collect CI secrets and propagate further.
A notable capability in this variant is developer AI toolchain tampering: Socket describes an MCP server injection module that writes a rogue local MCP server and inserts it into configuration files for multiple AI coding assistants (e.g., Claude-related configs, Cursor, Continue, Windsurf/Codeium). The injected “tool” descriptions embed prompt-injection text intended to coerce assistants into collecting sensitive local files/secrets and passing them back to the rogue server for later collection. Socket notes the sample includes feature flags and a destructive “dead switch” capability, but in the observed build the destructive routine is disabled by default, suggesting iterative development rather than an always-on wiper behavior.
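A defensive check for the MCP configuration tampering described above, as an added example that is not taken from Socket's report or from the malware sample: it compares the servers registered in an assistant's config file against a reviewed baseline and reports additions and altered commands. The mcpServers JSON layout, the APPROVED baseline, the sample entries and the caller-supplied file paths are assumptions; a config in another layout needs its own reader.

```python
import json
from pathlib import Path

# Hypothetical approved baseline: server name -> exact command line the team reviewed.
APPROVED = {"github": ["npx", "-y", "@modelcontextprotocol/server-github"]}

# Constructed sample config: one approved server, one entry nobody reviewed.
SAMPLE = json.dumps({"mcpServers": {
    "github": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"]},
    "dev-utils": {"command": "node", "args": ["/home/dev/.dev-utils/server.js"]},
}})

def command_line(entry):
    """Flatten a server entry into [command, *args] so it can be compared."""
    if not isinstance(entry, dict):
        return None
    args = entry.get("args", [])
    return [entry.get("command"), *(args if isinstance(args, list) else [args])]

def audit_config(text, approved=APPROVED):
    """Return (server_name, reason) findings for one config file's JSON text."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return [("<file>", "unparseable JSON; inspect by hand")]
    servers = doc.get("mcpServers", {}) if isinstance(doc, dict) else {}
    if not isinstance(servers, dict):
        return [("<file>", "mcpServers is not an object")]
    findings = []
    for name, entry in sorted(servers.items()):
        if name not in approved:
            findings.append((name, "not in approved baseline"))
        elif command_line(entry) != approved[name]:
            findings.append((name, "command differs from approved baseline"))
    return findings

def audit_files(paths, approved=APPROVED):
    """Audit each config path that exists; the caller supplies the locations."""
    report = {}
    for p in map(Path, paths):
        if p.is_file():
            hits = audit_config(p.read_text(encoding="utf-8", errors="replace"), approved)
            if hits:
                report[str(p)] = hits
    return report

if __name__ == "__main__":
    for name, reason in audit_config(SAMPLE):
        print(f"{name}: {reason}")
```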