Multiple attacks have hit the npm ecosystem, with malicious actors using both malicious and poisoned versions of more than 50 legitimate packages to spread information based on Rust and the self-propagating worm, respectively.
According to JFrog, the hacker “spoils every secret he can find on the developer’s machine, hides behind the eBPF kernel rootkit, and replies to his operator through Tor.”
The hacker also uses the stolen data as a means of propagation, drawing similarities to the infamous Shai-Hulud worm. The malware is codenamed The IronWorm is a software supply chain security company. By publishing itself in the npm registry in the form of trojanized packages, this approach leads to self-replicating attacks.
The malicious activity is traced back to a compromised npm account named “asteroiddao,” which was found to be publishing versions of a package containing a Rust ELF binary used with a preinstallation hook.
The malware targets 86 environment variables, various files may contain credentials associated with OpenAI Codex, Anthropic, Claude, Google Gemini, Cursor, Amazon Web Services (AWS), Docker, Kubernetes, and npm, vault configuration, and Exodus cryptocurrency wallet files.
A rare issue to mention here is that the thief incorporates the concept of stealing wallet data to bypass the threat actor’s wallet. As of writing, the crypto wallet is empty, and no transactions have been recorded.
JFrog described IronWorm as “a supply chain weapon designed to discover secrets, modify projects, and inject malicious code to spread itself across GitHub.” The exploits, involving nine GitHub organizations, were launched under the author name “claude” (“claude@users.noreply.github.com”) in an attempt to mimic Anthropic’s Artificial Intelligence (AI) chatbot.
“The malicious npm package was published by asteroiddao; asteroiddao is affiliated with the asteroid-dao GitHub organization; and ocrybit is a member of that organization, as well as related Arweave organizations,” the company explained.
“The malware stole ocrybit’s credentials and used them to run operations across the endpoint it had access to. Those apps planted the malware in other packages, which could then be published and infect the next developer. Then it disappeared.”
In addition, a malicious uploader is equipped to replace the existing GitHub Actions workflow with one that can harvest secrets, write them to a seemingly innocuous file, and upload them as a build artifact, thereby removing the need for an external command and control server (C2).
The power of malware doesn’t stop there. In CI environments, it abuses npm’s Trusted Publishing flow to obtain temporary tokens to push toxic versions containing malware to the registry.
It also includes an eBPF payload that acts as a kernel-level rootkit to hide processes and prevent analysis. However, on systems where kernel locking is enabled, process hiding tricks fail, and virtual processes and cores become visible as well.
The Miasma Worm Has Appeared Again
The disclosure comes as Endor Labs and StepSecurity shed light on a separate supply chain attack campaign that compromised 57 npm packages in more than 286 malicious versions to exploit a new strain of the Miasma worm, which infected 32 packages in more than 90 versions under the name @redhat-cloud-services earlier this week at 72pm.
Some affected packages are listed below –
- ai-sdk-ollama
- autotel
- by waiting
- result-analyzer
- eslint-plugin-awaitly
- realizable-news-cypress
- http-uploader-dev
- mountain
- node-env-resolver
- node-env-resolver-aws
The data stolen by the malware is leaked to the now-inaccessible GitHub account “liuende501,” which served as a breakout point. About 236 repositories are included in the account. It is not yet known if GitHub deleted the account or if the threat actor deleted it himself.
“This wave uses a trick we call ‘Phantom Gyp’: instead of the pre-installation or pre-installation or post-installation lifecycle scripts that security tools typically monitor, the attacker misuses the 157-byte binding.gyp file to execute code during npm installation, completely bypassing most security checks,” said StepSecurity researcher Sai Likhith.
As in the case of Miasma, the attack chain was designed to download and install the Bun JavaScript runtime, used to load a complete authentication harvester designed to extract secrets from AWS, Google Cloud, Microsoft Azure, HashiCorp Vault, Docker, Kubernetes, GitHub Actions, npm, RubyPIants.
“The most novel and concerning feature of this variant is its focus on the configuration of the AI coding assistant,” the company said. “The malware injects persistent background files into project repositories that run whenever a developer opens a project in their AI-assisted IDE.”
Developers who have installed the affected version are advised to rotate credentials, disable installation scripts and native builds by default, and ensure that packages are pinned with integrity hashes.
In an update shared this week, Red Hat revealed that the source of the Miasma supply chain incident may have been a compromised GitHub account that was used to push unauthorized commits to repositories in the RedHatInsights GitHub organization.
“The payload works across Linux, macOS, and Windows by dynamically downloading the Bun runtime from each environment, although Linux CI/CD runners appear to be the primary target,” Microsoft said of the campaign.
“On developer systems, the malware stole Secure Shell (SSH) keys, command line credentials (CLI), browser and wallet data, while on the CI/CD site it leaked the memory of the GitHub Actions runner to get secrets, escalated privileges using passwordless sudo, and reprinted poison packages with Provens Forged Supply Software (SLIF) distribution.”
The Miasma payload is tested as a derivative of the Shai-Hulud worm used by TeamPCP in recent campaigns, introducing major “cosmetic” changes while keeping the basic functionality the same. Despite the commercial buildup, the explanation for the latest set of attacks remains unclear, as TeamPCP has publicly released the Shai-Hulud code.
OX Security has since uncovered additional stages in the Miasma attack chain, including searching GitHub commits containing the string “firedalazer” (replacing a dead drop flagged as “FIRESCALE”) to find another payload, a JavaScript file (“index.js”) containing another version of the Shai-Hulud worm, which successfully modifies each loop.
In this case, the stolen data is released to public GitHub repositories, each with the description “Miasma: The Spreading Blight” or “Miasma – The Spreading Blight.” It’s important to note here that the previous version read “Miasma: The Spreading Blight,” with no space between Miasma and the “:” sign. There are currently 82 such clans created on the user accounts “0tabek16” and “windy629.”
“A threat actor can dynamically modify ‘firedalazer’ builds on GitHub, creating new, more flexible and sophisticated versions of the malware,” said security researchers Moshe Siman Tov Bustan and Nir Zadok.
“This turns GitHub into something much more dangerous than a dead drop. A flexible C2 – one that links back to a trusted, widely authorized source, making network-level detection almost useless. Most security tools are not configured to treat GitHub traffic as suspicious. A threat actor knows this.”
