Multiple supply chain attacks have compromised dozens of npm packages to spread IronWorm and a new Miasma worm variant, both designed to steal secrets and self-propagate through developer and CI/CD environments. The campaigns abuse npm lifecycle hooks, GitHub commits, and trusted publishing to infect repositories, exfiltrate credentials, and keep republishing poisoned packages across the ecosystem. #IronWorm #Miasma #ShaiHulud #asteroiddao #RedHatInsights #TeamPCP
Key points
- IronWorm is a Rust-based stealer that hides with an eBPF rootkit and communicates over Tor.
- Compromised npm account asteroiddao was used to publish trojanized packages that spread the malware.
- The payload targets secrets from AI tools, cloud services, Docker, Kubernetes, npm, and wallet files.
- Miasma infected 57 npm packages using a 157-byte binding.gyp file to bypass normal install-script checks.
- The attack chain abuses GitHub Actions, Bun runtime, and public GitHub repos to exfiltrate data and republish poisoned packages.
Read More: https://thehackernews.com/2026/06/ironworm-and-new-miasma-worm-variant.html