Fetching from the wire…
Source-backed findings, relationship evidence, citations, and briefing history from the public MindPattern archive.
SANDWORM_MODE uses 19 typosquatted packages to inject rogue MCP servers.
Source findingSANDWORM_MODE deploys rogue MCP servers into Windsurf tool configurations.
Source findingSANDWORM_MODE injects malicious MCP servers into Cursor configs.
Source findingSANDWORM_MODE npm worm deploys rogue MCP servers into Claude Code harvesting tokens and credentials.
Source findingSANDWORM_MODE deploys rogue MCP servers via 19 malicious npm packages.
SANDWORM_MODE targets VS Code with rogue MCP server injection.
Source findingSANDWORM_MODE targets Continue editor with malicious MCP injection.
Source findingSANDWORM_MODE npm worm targets Windsurf with rogue MCP injection and credential theft.
Source findingSANDWORM_MODE malicious npm packages target Cursor with MCP injection and credential exfiltration.
Source findingSANDWORM_MODE malicious npm worm injects rogue MCP servers into Claude Code targeting SSH keys and credentials.
Source finding