- What: Two concurrent npm supply-chain attacks, IronWorm (Rust/eBPF stealer, via compromised asteroiddao account) and a new Miasma worm variant (Phantom Gyp bypass + Bun runtime), poisoned 107+ packages and self-propagated through stolen credentials.
- Impact: 86 environment variables exfiltrated per host (AWS, AI API keys, crypto wallets); 9 GitHub orgs compromised; 236 repos staged for exfiltration; persistent backdoors injected into AI coding-assistant configs (Cursor, Claude, Gemini).
- Fix / mitigation: Rotate all credentials immediately; run npm config set ignore-scripts true; pin packages with package-lock.json integrity hashes; enable kernel lockdown on Linux to defeat the eBPF rootkit; audit GitHub Actions workflows for commits authored by claude@users.noreply.github.com.
- Who's at risk: Any developer or CI/CD pipeline that installed packages from the asteroiddao npm account or the RedHatInsights GitHub org (affected namespaces include @redhat-cloud-services), or uses AI coding assistants like Cursor, GitHub Copilot, or Claude.
The npm ecosystem has been hit by two concurrent supply chain attacks affecting over 100 packages combined. IronWorm, a Rust-based information stealer identified by JFrog, and a new variant of the Miasma worm analyzed by Endor Labs and StepSecurity represent sophisticated threats that self-propagate through stolen credentials and poisoned package versions. Both campaigns target developer credentials, cloud infrastructure secrets, and CI/CD pipelines with advanced evasion techniques including kernel-level rootkits and novel execution vectors.
IronWorm: Rust-Based Stealer with eBPF Rootkit
IronWorm originated from a compromised npm account named 'asteroiddao' that published trojanized package versions containing a Rust ELF binary executed via preinstall hooks. The malware scrapes 86 environment variables and targets credential files for OpenAI Codex, Anthropic Claude, Google Gemini, Cursor, AWS, Docker, Kubernetes, npm, vault configurations, and Exodus cryptocurrency wallet files. JFrog researchers noted an unusual detail: the stealer includes logic to skip the threat actor's own wallet, which remains empty with no recorded transactions.
The malware's propagation mechanism mirrors the infamous Shai-Hulud worm by using stolen credentials to push malicious commits across GitHub repositories. These commits appear under the author name 'claude' with the email 'claude@users.noreply.github.com', deliberately mimicking Anthropic's AI chatbot to avoid suspicion. The attack chain compromised nine GitHub organizations, with the malware accessing repositories through stolen credentials from ocrybit, a member of the asteroid-dao organization and related Arweave organizations.
IronWorm replaces GitHub Actions workflows with versions that harvest secrets, write them to innocuous-looking files, and upload them as build artifacts—eliminating the need for external C2 infrastructure. In CI environments, it abuses npm's Trusted Publishing flow to obtain short-lived tokens for pushing poisoned package versions.
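A way to triage a repository for the commit pattern described above, written for this page as an added example (it is not code from JFrog or from any affected project): it parses `git log` output and lists commits from the spoofed address, putting those that touch `.github/workflows/` first. The sample log is constructed and its hashes are placeholders.

```python
import subprocess

# Indicator from the page: commits authored as 'claude' with this address.
SUSPECT_EMAIL = "claude@users.noreply.github.com"
WORKFLOW_DIR = ".github/workflows/"
GIT_LOG = ["git", "log", "--all", "--name-only",
           "--format=commit%x09%H%x09%an%x09%ae"]

# Constructed sample of that command's output; the hashes are placeholders.
SAMPLE_LOG = (
    "commit\taaaaaaa1\tAlice Dev\talice@example.com\n\nsrc/index.js\n\n"
    "commit\tbbbbbbb2\tclaude\tclaude@users.noreply.github.com\n\n"
    ".github/workflows/release.yml\npackage.json\n\n"
    "commit\tccccccc3\tclaude\tClaude@users.noreply.github.com\n\nREADME.md\n"
)


def parse_log(text):
    """Turn GIT_LOG output into dicts of sha, author, email and changed files."""
    commits = []
    for line in text.splitlines():
        fields = line.split("\t")
        if fields[0] == "commit" and len(fields) >= 4:
            commits.append({"sha": fields[1], "author": "\t".join(fields[2:-1]),
                            "email": fields[-1], "files": []})
        elif line.strip() and commits:
            commits[-1]["files"].append(line.strip())
    return commits


def flag_commits(commits):
    """Commits from the suspect address, workflow-touching ones first."""
    hits = [dict(c, workflows=[f for f in c["files"] if f.startswith(WORKFLOW_DIR)])
            for c in commits if c["email"].lower() == SUSPECT_EMAIL]
    return sorted(hits, key=lambda c: not c["workflows"])


if __name__ == "__main__":
    try:  # audit the repository in the current directory, else show the sample
        log = subprocess.run(GIT_LOG, capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        log = SAMPLE_LOG
    for c in flag_commits(parse_log(log)):
        print(c["sha"], c["author"], ", ".join(c["workflows"]) or "(no workflow change)")
```

Author fields are set by whoever creates the commit, so an empty result does not clear a repository; compare the workflow files against a known-good revision as well.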
The malware deploys an eBPF payload functioning as a kernel-level rootkit to hide processes and prevent analysis. However, this evasion technique has a critical weakness: on systems with kernel lockdown enabled, the process-hiding mechanism fails and the malicious processes become visible. This represents a significant detection opportunity for organizations with hardened security configurations.
Miasma Worm Returns with 'Phantom Gyp' Technique
The new Miasma variant compromised 57 npm packages across 286 malicious versions, following an earlier wave that infected 32 packages under the @redhat-cloud-services namespace within 72 seconds. Affected packages include ai-sdk-ollama, autotel, awaitly, effect-analyzer, eslint-plugin-awaitly, executable-stories-cypress, http-uploader-dev, mountly, node-env-resolver, and node-env-resolver-aws. Red Hat confirmed the attack stemmed from a compromised GitHub account used to push unauthorized commits to repositories in the RedHatInsights GitHub organization.
StepSecurity researcher Sai Likhith identified a novel execution technique called 'Phantom Gyp' that bypasses typical security monitoring. Instead of using preinstall or postinstall lifecycle scripts that security tools routinely watch, the attacker exploits a 157-byte binding.gyp file to trigger code execution during npm install. This technique evades most install-script security checks, representing a significant evolution in package-based attack vectors.
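To extend install-time review beyond lifecycle scripts, the following added example (not StepSecurity's tooling, and not code from the page) walks a node_modules tree and reports every package whose root contains a binding.gyp. It relies on two documented behaviours: npm runs `node-gyp rebuild` on its own when binding.gyp is present and no install or preinstall script is declared, and gyp's `<!(...)` expansion runs a shell command while the file is processed. The page does not say which mechanism the 157-byte file used, and the "no native sources" check is an assumed heuristic.

```python
import json
import re
import sys
from pathlib import Path

# gyp expands <!(cmd) and <!@(cmd) by running cmd in a shell while it reads the file.
CMD_EXPANSION = re.compile(r"<!@?\(")
NATIVE_SUFFIXES = {".c", ".cc", ".cpp", ".cxx", ".h", ".hpp", ".m", ".mm"}


def audit_package(pkg_dir):
    """Describe the root binding.gyp of one package; None if it has none."""
    pkg_dir = Path(pkg_dir)
    gyp = pkg_dir / "binding.gyp"
    if not gyp.is_file():
        return None
    try:
        manifest = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        manifest = {}
    if not isinstance(manifest, dict):
        manifest = {}
    scripts = manifest.get("scripts") or {}
    reasons = []
    # npm falls back to `node-gyp rebuild` only when neither script is declared,
    # so the build never appears under "scripts" in package.json.
    if "install" not in scripts and "preinstall" not in scripts:
        reasons.append("implicit node-gyp rebuild")
    if CMD_EXPANSION.search(gyp.read_text(encoding="utf-8", errors="replace")):
        reasons.append("gyp command expansion")
    # Assumed heuristic (not from the page): a build file with nothing to compile.
    files = (p for p in pkg_dir.rglob("*")
             if "node_modules" not in p.relative_to(pkg_dir).parts)
    if not any(p.suffix in NATIVE_SUFFIXES for p in files):
        reasons.append("no native sources shipped")
    return {"package": manifest.get("name", pkg_dir.name),
            "version": manifest.get("version", "?"),
            "gyp_bytes": gyp.stat().st_size, "reasons": reasons}


def scan(node_modules):
    """Audit every package under node_modules that has binding.gyp in its root."""
    gyps = sorted(Path(node_modules).rglob("binding.gyp"))
    return [audit_package(g.parent) for g in gyps
            if (g.parent / "package.json").is_file()]


if __name__ == "__main__":
    for f in scan(sys.argv[1] if len(sys.argv) > 1 else "node_modules"):
        print(f["package"], f["version"], f["gyp_bytes"], "; ".join(f["reasons"]))
```

Legitimate native addons also use command expansion, so a hit is a prompt for manual review; a package that reports all three reasons deserves the closest look.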
The attack chain downloads and installs the Bun JavaScript runtime to execute a comprehensive credential harvester targeting AWS, Google Cloud, Microsoft Azure, HashiCorp Vault, Docker, Kubernetes, GitHub Actions, npm, RubyGems, PyPI, SSH, password managers, and AI assistants. Stolen data was exfiltrated to a GitHub account 'liuende501' that staged 236 repositories before either being removed by GitHub or deleted by the threat actor. The account is now inaccessible.
AI Coding Assistant Targeting
The most concerning capability in the Miasma variant is its targeting of AI coding assistant configurations. The malware injects persistent backdoor files into project repositories that execute automatically whenever a developer opens the project in their AI-assisted IDE, creating a self-perpetuating infection mechanism.
Microsoft's analysis confirmed the payload operates across Linux, macOS, and Windows by dynamically downloading the appropriate Bun runtime for each platform, though Linux CI/CD runners appear to be the primary target. On developer systems, the malware steals SSH keys, CLI credentials, browser data, and wallet information. In CI/CD environments, it scrapes GitHub Actions runner memory for secrets, escalates privileges using passwordless sudo, and republishes poisoned packages with forged SLSA provenance to enable downstream propagation.
Immediate Mitigation Actions
- Rotate all credentials immediately if any affected packages were installed, including SSH keys, cloud provider tokens, npm tokens, and API keys for AI services
- Disable install scripts and native rebuilds by default using npm config set ignore-scripts true
- Pin all packages with integrity hashes (package-lock.json) and verify checksums before installation
- Enable kernel lockdown on Linux systems to prevent eBPF rootkit deployment and expose hidden processes
- Audit GitHub Actions workflows for unauthorized modifications and review commit history for suspicious authors like 'claude@users.noreply.github.com'
- Scan AI coding assistant configuration directories for injected backdoor files
- Review build artifacts in CI/CD pipelines for suspicious files containing credential dumps
- Implement runtime monitoring to detect unexpected Bun runtime installations and binding.gyp executions
Detection and Response Priorities
Organizations should immediately audit dependencies for any packages associated with the asteroiddao npm account and the compromised RedHatInsights GitHub organization. Security teams must expand monitoring beyond traditional preinstall and postinstall hooks to include binding.gyp file analysis. The targeting of AI coding assistants represents a paradigm shift in supply chain attacks, requiring new detection strategies focused on IDE configuration files and AI service credential stores. Given the self-propagating nature of both campaigns and their ability to forge SLSA provenance, teams cannot rely solely on package metadata for trust decisions.
The simultaneous deployment of IronWorm and the new Miasma variant demonstrates increasing sophistication in npm supply chain attacks. The combination of kernel-level rootkits, novel execution vectors, CI/CD exploitation, and AI assistant targeting indicates threat actors are adapting to modern development workflows. Organizations must implement defense-in-depth strategies that assume compromise and focus on limiting blast radius through credential rotation, least-privilege access, and runtime behavioral monitoring rather than relying exclusively on static package scanning.