A series of software supply chain attacks has rocked the npm ecosystem. Threat actors have leveraged both tampered and malicious versions of over 50 legitimate packages to deploy a Rust-based data-stealing tool and a self-propagating worm, respectively.
JFrog reports that the data thief “collects every accessible secret on a developer’s workstation, conceals itself using an eBPF kernel rootkit, and communicates with its operator via Tor.”
This stealer also uses stolen credentials to spread itself, drawing parallels to the notorious Shai-Hulud worm. The software supply chain security firm has named the new malware IronWorm. By uploading itself to the npm registry through compromised packages, the strategy creates a self-replicating attack chain.
The malicious campaign has been linked to a hijacked npm account called “asteroiddao,” which has been found publishing package versions containing a Rust ELF binary that gets executed through a preinstall hook.
The malware targets 86 environment variables and various files that may contain credentials related to OpenAI Codex, Anthropic, Claude, Google Gemini, Cursor, Amazon Web Services (AWS), Docker, Kubernetes, and npm, vault configurations, and Exodus cryptocurrency wallet files.
One curious detail worth noting is that the stealer includes logic to skip the threat actor’s own cryptocurrency wallet when harvesting wallet data. At the time of writing, the crypto wallet is empty, with no recorded transactions.
JFrog characterized IronWorm as “a supply chain attack tool designed to discover secrets, alter projects, and inject malicious code to spread itself across GitHub.” The malicious code commits, spanning nine GitHub organizations, were made under the author name “claude” (“claude@users.noreply.github.com”) in an effort to impersonate Anthropic’s AI chatbot.
“The malicious npm package was uploaded by asteroiddao; asteroiddao corresponds to the asteroid-dao GitHub organization; and ocrybit is a member of that organization as well as related Arweave organizations,” the company explained.
“The malware exfiltrated ocrybit’s credentials and leveraged them to push code commits across accessible repositories. Those commits embedded malware into additional packages, which could then be published and compromise the next developer. Afterward, it disappeared.”
Furthermore, the malicious payload is designed to replace existing GitHub Actions workflows with one that can extract secrets, save them to an inconspicuous file, and upload it as a build artifact, removing the reliance on an external command-and-control (C2) server.
The malware’s capabilities extend further. In CI environments, it exploits npm’s Trusted Publishing mechanism to generate short-lived tokens for uploading poisoned versions containing the malware to the registry.
It also deploys an eBPF-based payload that serves as a kernel-level rootkit to conceal processes and block analysis. However, on systems with kernel lockdown enabled, the process-hiding techniques fail, and the hidden processes and network sockets become detectable once again.
Miasma Worm Reappears
This revelation follows disclosures by Endor Labs and StepSecurity, which have exposed a separate supply chain attack campaign compromising 57 npm packages across over 286 malicious versions to deliver a new variant of the Miasma worm. Earlier in the week, Miasma had previously infected 32 packages across more than 90 versions in the @redhat-cloud-services npm namespace within just 72 seconds.
Some of the impacted packages are listed below –
- ai-sdk-ollama
- autotel
- awaitly
- effect-analyzer
- eslint-plugin-awaitly
- executable-stories-cypress
- http-uploader-dev
- mountly
- node-env-resolver
- node-env-resolver-aws
The data exfiltrated by the malware was sent to a now-defunct GitHub account “liuende501,” which served as the data collection point. A total of 236 repositories were hosted under this account. It remains unclear whether GitHub took down the account or whether the threat actor deleted it themselves.
“This wave employs a technique we’ve nicknamed ‘Phantom Gyp’: rather than using the preinstall or postinstall lifecycle scripts that security tools commonly monitor, the attacker exploits a 157-byte binding.gyp file to trigger code execution during npm install, sidestepping most install-script security checks entirely,” said StepSecurity researcher Sai Likhith.
Similar to the Miasma attacks, the attack workflow is designed to download and install the Bun JavaScript runtime, then use it to load a comprehensive credential harvesting tool configured to extract secrets from AWS, Google Cloud, Microsoft Azure, HashiCorp Vault, Docker, Kubernetes, GitHub Actions, npm, RubyGems, PyPI, SSH, password managers, and AI assistants.
“The most distinctive and alarming capability of this variant is its focus on AI coding assistant configurations,” the company noted. “The malware plants persistent backdoor files within project repositories that execute whenever a developer opens their project in an AI-enhanced IDE.”
Developers who have installed a compromised version should rotate all credentials, disable install scripts and native rebuilds by default, and verify that packages are pinned with integrity hashes.
In an update released this week, Red Hat confirmed that the root cause behind the Miasma supply chain incident was likely a compromised GitHub account used to push unauthorized commits to repositories within the RedHatInsights GitHub organization.
“The payload functioned across Linux, macOS, and Windows by dynamically downloading the appropriate Bun runtime for each platform, although Linux CI/CD runners were the primary focus,” Microsoft stated regarding the campaign.
“On developer machines, the malware harvested Secure Shell (SSH) keys, command-line interface (CLI) credentials, browser data, and wallet data, while in CI/CD environments it extracted secrets from GitHub Actions runner memory, escalated privileges through passwordless sudo, and republished tainted packages with forged Supply-chain Levels for Software Artifacts (SLSA) provenance to sustain downstream propagation.”
The Miasma payload is believed to be a derivative of the Shai-Hulud worm used by TeamPCP in recent campaigns, featuring mostly surface-level changes while maintaining similar core functionality. Despite the similarities in methods, attribution for the latest wave of attacks remains uncertain, given that TeamPCP has publicly released the Shai-Hulud source code.
OX Security has since uncovered additional stages in the Miasma attack chain, including searches for GitHub commits containing the string “firedalazer” (replacing the previously identified “FIRESCALE” dead drop) to fetch another payload, a JavaScript file (“index.js”) containing an alternative version of the Shai-Hulud worm, effectively turning the infection into an endless loop.
In this scenario, the stolen data is uploaded to public GitHub repositories, each bearing the description “Miasma: The Spreading Blight” or “Miasma – The Spreading Blight.” It’s worth noting that the earlier version reads “Miasma: The Spreading Blight” without a space between “Miasma” and the “:” symbol. There are currently 82 repositories created under user accounts “0tabek16” and “windy629.”
“The threat actor can dynamically modify the ‘firedalazer’ commits in GitHub, creating new versions of the malware that are more adaptive and more sophisticated,” said security researchers Moshe Siman Tov Bustan and Nir Zadok.
“This transforms GitHub into something far more dangerous than a static dead drop. It becomes a dynamic command-and-control infrastructure—one that rides on a trusted, broadly whitelisted platform, making network-level detection practically ineffective. Most security tools aren’t configured to flag GitHub traffic as suspicious. The threat actor is well aware of this.”
