Malicious npm Packages Are Stealing Your API Keys Right Now
A live supply chain campaign called SANDWORM_MODE is spreading across the npm ecosystem right now. Security researchers at Socket have identified at least 19 malicious packages designed to steal API keys, CI/CD secrets, cryptocurrency private keys, and credentials from developer machines - and then use those stolen credentials to spread further.
If you or your team have installed any of these packages, treat it as an active compromise and act immediately.
What Is Being Targeted
The malware operates in two stages. The first stage runs on installation and begins harvesting credentials straight away. After a 48-hour delay (designed to evade sandbox detection), the second stage activates and goes deeper - targeting password managers, SSH keys, AWS credentials, .env files, and .npmrc tokens.
What makes this campaign particularly relevant to developers building APIs and working with AI tooling is the MCP injection module. The malware deploys a malicious Model Context Protocol server that targets AI coding assistants including Claude Code, Cursor, VS Code Continue, and Windsurf. Once injected, it harvests API keys for nine LLM providers including Anthropic, OpenAI, Google, and Mistral.
The campaign also includes a weaponised GitHub Action that exfiltrates CI/CD secrets via HTTPS with DNS fallback - meaning your pipeline credentials are at risk if the package reaches your build environment.
The Packages to Check For
The following npm packages have been confirmed as malicious. Remove them immediately if present:
- claud-code
- cloude-code
- cloude
- crypto-locale
- crypto-reader-info
- detect-cache
- format-defaults
- locale-loader-pro
- node-native-bridge
- opencraw
- parse-compat
- rimarf
- scan-store
- secp256
- suport-color
- veimyarsg
Four additional sleeper packages (ethres, iru-caches, iruchache, uudi) have also been identified. These contain no malicious code yet but are believed to be pre-positioned for future activation.
What to Do If You Have Installed Any of These
Remove the packages immediately using npm uninstall or pnpm remove. Then:
- Rotate all npm and GitHub tokens
- Rotate any CI/CD secrets (GitHub Actions, any pipeline secrets)
- Audit your package.json, lockfiles, and .github/workflows/ for unexpected changes
- Check your .env files and rotate any API keys stored there
- Review your AI coding assistant tool configurations for any unexpected MCP server entries
Why This Keeps Happening
Supply chain attacks via npm are not new - we covered the broader pattern in our post on keeping your npm dependencies secure. What is new here is the deliberate targeting of AI coding toolchains. As more developers use tools like Claude Code and Cursor in their daily workflows, those tools become high-value targets. An attacker who can inject a malicious MCP server can silently exfiltrate credentials every time your AI assistant runs.
The lesson is consistent: treat every dependency as a potential risk. Audit what you install, use lockfiles, pin versions, and have a process for rotating credentials when something looks wrong. The 48-hour delay in this campaign is specifically designed to get past your immediate post-install checks - which means your standard "I'd notice if something bad happened" instinct is not sufficient protection here.
If you need help auditing your project dependencies or reviewing your CI/CD pipeline security, get in touch with us.
