Multiple software supply chain attacks have hit the npm ecosystem, with threat actors using both malicious and poisoned versions of over 50 legitimate packages to distribute a Rust-based information stealer and a self-spreading worm, respectively.

According to JFrog, the information stealer "scrapes every secret it can find on a developer's machine, hides behind an eBPF kernel rootkit, and answers to its operator over Tor."

The stealer also uses the stolen credentials as a propagation mechanism, drawing similarities to the infamous Shai-Hulud worm. The new malware has been codenamed IronWorm by the software supply chain security company. By publishing itself to the npm registry in the form of trojanized packages, the malware makes the attack self-replicating.

The malicious activity has been traced back to a compromised npm account named "asteroiddao," which has been found to publish package versions containing the Rust ELF binary that's executed via a preinstall hook.

The malware targets 86 environment variables, various files that may contain credentials associated with OpenAI Codex, Anthropic, Claude, Google Gemini, Cursor, Amazon Web Services (AWS), Docker, Kubernetes, and npm, vault configurations, and Exodus cryptocurrency wallet files.

An unusual quirk worth mentioning here is that the stealer includes logic for the wallet data-stealing component to skip the threat actor's own wallet. As of writing, the cryptocurrency wallet is empty, and no transactions have been recorded.

JFrog described IronWorm as "a supply chain weapon built to find secrets, modify projects, and inject malicious code to self-propagate across GitHub." The malicious commits, which span nine GitHub organizations, have been introduced under the author name "claude" ("claude@users.noreply.github.com") in an attempt to mimic Anthropic's artificial intelligence (AI) chatbot.

"The malicious npm package was published by asteroiddao; asteroiddao corresponds to the asteroid-dao GitHub organization; and ocrybit is a member of that organization, as well as related Arweave organizations," the company explained.

"The malware stole ocrybit's credentials and used them to push commits across repositories it could access. Those commits planted malware into other packages, which could then be published and infect the next developer. And then it vanished."

What's more, the malicious payload is equipped to swap existing GitHub Actions workflows for one that's capable of harvesting the secrets, writing it to a harmless-looking file, and uploading it as a build artifact, thereby eliminating the need for an external command-and-control (C2) server.

The malware's capabilities don't end there. In CI environments, it abuses npm's Trusted Publishing flow to obtain short-lived tokens to push poisoned versions containing the malware to the registry.

It also incorporates an eBPF payload that functions as a kernel-level rootkit to hide processes and thwart analysis. However, on systems where kernel lockdown is enabled, the process-hiding tricks fail, and the supposed processes and sockets become visible again.

Miasma Worm Surfaces Again

The disclosure comes as Endor Labs and StepSecurity shed light on a distinct supply chain attack campaign that has compromised 57 npm packages across more than 286 malicious versions to serve a new variant of the Miasma worm, which previously infected 32 packages across more than 90 versions under the @redhat-cloud-services npm namespace within 72 seconds earlier this week.

Some of the affected packages are listed below:

  • ai-sdk-ollama
  • autotel
  • awaitly
  • effect-analyzer
  • eslint-plugin-awaitly
  • executable-stories-cypress
  • http-uploader-dev
  • mountly
  • node-env-resolver
  • node-env-resolver-aws

The data stolen via the malware is exfiltrated to a now-inaccessible GitHub account "liuende501," which acted as an exfiltration point. As many as 236 repositories were staged in the account. It's presently not known if GitHub removed the account or if the threat actor themselves deleted it.

"This wave uses a technique we are calling 'Phantom Gyp': instead of the preinstall or postinstall lifecycle scripts that security tools typically monitor, the attacker abuses a 157-byte binding.gyp file to trigger code execution during npm install, bypassing most install-script security checks entirely," StepSecurity researcher Sai Likhith said.
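npm documents that a package with a binding.gyp in its root and no install or preinstall script gets `node-gyp rebuild` as its default install step, so a review that reads only the `scripts` field misses it. The sketch below is an added example, not code from the article or from StepSecurity; the function name, finding labels, the "no native sources" heuristic and both sample packages are assumptions made for illustration.

```javascript
// Added example, not from the article: list every way an unpacked npm
// package can run code during `npm install`.
const HOOKS = ["preinstall", "install", "postinstall"];
const NATIVE_SRC = /\.(c|cc|cpp|cxx|h|hpp|m|mm)$/i;

// manifest: parsed package.json; files: { "path/in/package": "text content" }
function auditInstallVectors(manifest, files) {
  const findings = [];
  const scripts = (manifest && manifest.scripts) || {};
  for (const hook of HOOKS) {
    if (typeof scripts[hook] === "string" && scripts[hook].trim()) {
      findings.push({ vector: "lifecycle:" + hook, detail: scripts[hook].trim() });
    }
  }
  if (!Object.prototype.hasOwnProperty.call(files, "binding.gyp")) return findings;

  // Documented npm default: root binding.gyp + no install/preinstall script
  // means the install step becomes `node-gyp rebuild`.
  if (!scripts.install && !scripts.preinstall) {
    findings.push({ vector: "implicit-node-gyp", detail: "root binding.gyp, no install/preinstall script" });
  }
  // Heuristic (assumption of this example): a real addon ships sources to compile.
  if (!Object.keys(files).some((p) => NATIVE_SRC.test(p))) {
    findings.push({ vector: "gyp-without-sources", detail: "no C/C++/Objective-C files in package" });
  }
  // gyp command expansions, <!(...) and <!@(...), run a command when the build is configured.
  for (const line of String(files["binding.gyp"]).split("\n")) {
    if (/<!@?\(/.test(line)) findings.push({ vector: "gyp-command-expansion", detail: line.trim() });
  }
  return findings;
}

// Constructed samples (placeholders, not real packages).
const SUSPECT = {
  manifest: { name: "constructed-suspect", scripts: { test: "node test.js" } },
  files: {
    "index.js": "",
    "binding.gyp": '{"targets":[{"target_name":"x","type":"none","sources":["<!(echo constructed)"]}]}',
  },
};
const ADDON = {
  manifest: { name: "constructed-addon", scripts: { install: "node-gyp rebuild" } },
  files: { "src/addon.cc": "", "binding.gyp": '{"targets":[{"target_name":"addon","sources":["src/addon.cc"]}]}' },
};

console.log(auditInstallVectors(SUSPECT.manifest, SUSPECT.files));
console.log(auditInstallVectors(ADDON.manifest, ADDON.files));
```

Command expansions also appear in legitimate native addons, so that finding is a prompt to read the command, not a verdict.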

Like in the case of Miasma, the attack chain is engineered to download and install the Bun JavaScript runtime, using it to load a comprehensive credential harvester that's tailored to extract secrets from AWS, Google Cloud, Microsoft Azure, HashiCorp Vault, Docker, Kubernetes, GitHub Actions, npm, RubyGems, PyPI, SSH, password managers, and AI assistants.

"The most novel and concerning capability of this variant is its targeting of AI coding assistant configurations," the company said. "The malware injects persistent backdoor files into project repositories that execute whenever a developer opens the project in their AI-assisted IDE."

Developers who have installed an affected version are advised to rotate credentials, turn off install scripts and native rebuilds by default, and ensure packages are pinned with integrity hashes.
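One way to check a project against the pinning advice, as an added example that is not from the article or the vendors it cites: it reads a parsed package-lock.json (lockfileVersion 2 or 3) and reports entries with no integrity hash, entries resolved from outside the registry, entries flagged `hasInstallScript`, and names from the list above. The function name, issue labels and sample lockfile are assumptions, and because the article gives no affected version numbers a name match only means the locked version needs checking against the vendor advisories.

```javascript
// Added example, not from the article: audit a parsed package-lock.json
// (lockfileVersion 2 or 3) against the pinning advice above.
// Names come from the article's list; it gives no versions, so a match is
// only a prompt to compare the locked version with the vendor advisories.
const ARTICLE_NAMES = new Set([
  "ai-sdk-ollama", "autotel", "awaitly", "effect-analyzer", "eslint-plugin-awaitly",
  "executable-stories-cypress", "http-uploader-dev", "mountly",
  "node-env-resolver", "node-env-resolver-aws",
]);
const MARK = "node_modules/";

function auditLockfile(lock, registry = "https://registry.npmjs.org/") {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace folders and links, and bundled dependencies.
    if (!path.includes(MARK) || entry.link || entry.inBundle) continue;
    const name = entry.name || path.slice(path.lastIndexOf(MARK) + MARK.length);
    const add = (issue, detail) => findings.push({ name, issue, detail });
    if (!entry.integrity) add("no-integrity", entry.version);
    if (entry.resolved && !entry.resolved.startsWith(registry)) add("non-registry-source", entry.resolved);
    if (entry.hasInstallScript) add("has-install-script", entry.version);
    if (ARTICLE_NAMES.has(name)) add("name-listed-in-article", entry.version);
  }
  return findings;
}

// Constructed lockfile: versions, URLs, hashes and the "-sample" names are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-app", version: "1.0.0" },
    "node_modules/pinned-sample": {
      version: "1.0.0", integrity: "sha512-CONSTRUCTED",
      resolved: "https://registry.npmjs.org/pinned-sample/-/pinned-sample-1.0.0.tgz",
    },
    "node_modules/autotel": {
      version: "0.0.0", integrity: "sha512-CONSTRUCTED", hasInstallScript: true,
      resolved: "https://registry.npmjs.org/autotel/-/autotel-0.0.0.tgz",
    },
    "node_modules/git-dep-sample": { version: "1.0.0", resolved: "git+ssh://git@example.invalid/x/y.git#0000" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```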

In an update shared this week, Red Hat revealed that the root cause behind the Miasma supply chain incident was likely a compromised GitHub account that was used to push unauthorized commits to repositories in the RedHatInsights GitHub organization.

"The payload operated across Linux, macOS, and Windows by dynamically downloading the correct Bun runtime for each platform, although Linux CI/CD runners appeared to be the primary target," Microsoft said of the campaign.

"On developer systems, the malware stole Secure Shell (SSH) keys, command-line interface (CLI) credentials, browser and wallet data, while in CI/CD environments it scraped GitHub Actions runner memory for secrets, escalated privileges using passwordless sudo, and republished poisoned packages with forged Supply-chain Levels for Software Artifacts (SLSA) provenance to continue downstream propagation."

The Miasma payload is assessed to be a derivative of the Shai-Hulud worm put to use by TeamPCP in recent campaigns, introducing largely "cosmetic" changes while keeping the underlying functionality similar. Despite the overlap in tradecraft, the attribution for the latest set of attacks remains unclear, given that TeamPCP has publicly released the Shai-Hulud code.

OX Security has since uncovered additional stages in the Miasma attack chain, including searches for GitHub commits containing the string "firedalazer" (replacing the previously flagged "FIRESCALE" dead drop) to retrieve another payload, a JavaScript file ("index.js") that contains an alternative version of the Shai-Hulud worm, effectively transforming the infection into a perpetual loop.

In this case, the stolen data is exfiltrated to public GitHub repositories, each carrying the description "Miasma: The Spreading Blight" or "Miasma - The Spreading Blight." It's important to note here that the previous version reads "Miasma: The Spreading Blight," which does not have a space between Miasma and the ":" symbol. There are currently 82 such repositories created on user accounts "0tabek16" and "windy629."

"The threat actor can dynamically change the 'firedalazer' commits in GitHub, making new versions of the malware, more adaptive and more sophisticated," security researchers Moshe Siman Tov Bustan and Nir Zadok said.

"This turns GitHub into something more dangerous than a dead drop. It's an adaptive C2 - one that piggybacks on a trusted, widely whitelisted platform, making network-level detection nearly useless. Most security tools aren't configured to treat GitHub traffic as suspicious. The threat actor knows this."
