In a shocking revelation that surprised absolutely no one, cybersecurity researchers have uncovered 19 malicious npm packages doing their best impression of a digital Sarlacc pit. Aptly codenamed SANDWORM_MODE, these packages were reportedly busy harvesting crypto keys, CI secrets, and API tokens, because why settle for just identity theft when you can have the entire buffet?
These nefarious bits of code emerged from the depths of the internet, where disgruntled developers and sleep-deprived DevOps engineers routinely navigate npm’s treacherous supply chain, hoping to avoid the latest wormhole. It’s a place where the line between package manager and villainous mastermind is thinner than an out-of-date SSL certificate.
While npm enthusiasts were still debating which package causes more existential dread, the software supply chain security company Socket bravely stepped up to the plate, probably after realizing there’s only so much caffeine can do to keep its developers from screaming into the abyss. Its researchers uncovered this campaign’s terrifying potential, like some twisted treasure map leading to a mountain of stolen credentials and lost hopes.