Multiple software supply chain attacks have recently struck the **npm** ecosystem, with threat actors deploying both malicious and poisoned versions of over 50 legitimate packages. These campaigns aim to distribute a **Rust**-based information stealer and a self-spreading worm, posing significant risks to IT security professionals and privacy-conscious users.  ## The Rise of IronWorm Security firm **JFrog** has detailed the **Rust**-based information stealer, codenamed **IronWorm**. This sophisticated malware is designed to scrape every secret it can find on a developer's machine, employing an **eBPF** kernel rootkit for stealth and communicating with its operators over **Tor**. **IronWorm** leverages stolen credentials as a propagation mechanism, drawing parallels to the infamous **Shai-Hulud** worm. By publishing itself to the **npm** registry through trojanized packages, it achieves a self-replicating attack vector. Malicious activity has been traced back to a compromised **npm** account, "asteroiddao," which published package versions containing the **Rust** ELF binary executed via a `preinstall` hook. The malware targets 86 environment variables and various files that may contain credentials for services such as **OpenAI Codex**, **Anthropic**, **Claude**, **Google Gemini**, **Cursor**, **Amazon Web Services (AWS)**, **Docker**, **Kubernetes**, **npm**, vault configurations, and **Exodus** cryptocurrency wallet files. An unusual detail is the stealer's logic to skip the threat actor's own cryptocurrency wallet, which currently shows no recorded transactions. **JFrog** describes **IronWorm** as "a supply chain weapon built to find secrets, modify projects, and inject malicious code to self-propagate across **GitHub**." Malicious commits, spanning nine **GitHub** organizations, were introduced under the author name "claude" ([email protected]) in an apparent attempt to mimic **Anthropic**'s AI chatbot. Further analysis revealed that the compromised `asteroiddao` **npm** account corresponds to the `asteroid-dao` **GitHub** organization, with `ocrybit` as a member. The malware stole `ocrybit`'s credentials, using them to push commits across accessible repositories, planting malware into other packages for downstream infection. This payload is also equipped to swap existing **GitHub Actions** workflows for one capable of harvesting secrets, writing them to a harmless-looking file, and uploading them as a build artifact, eliminating the need for an external command-and-control (C2) server. In **CI environments**, it abuses **npm**'s **Trusted Publishing flow** to obtain short-lived tokens and push poisoned versions to the registry. The malware also incorporates an **eBPF** payload acting as a kernel-level rootkit to hide processes, though this fails on systems with kernel lockdown enabled. ## Miasma Worm Surfaces Again Concurrently, **Endor Labs** and **StepSecurity** have disclosed a distinct supply chain attack campaign. This campaign compromised 57 **npm** packages across more than 286 malicious versions to distribute a new variant of the **Miasma** worm. This worm previously infected 32 packages across over 90 versions under the `@redhat-cloud-services` **npm** namespace within 72 seconds. Some of the affected packages include: * `ai-sdk-ollama` * `autotel` * `awaitly` * `effect-analyzer` * `eslint-plugin-awaitly` * `executable-stories-cypress` * `http-uploader-dev` * `mountly` * `node-env-resolver` * `node-env-resolver-aws`  Stolen data from this campaign was exfiltrated to a now-inaccessible **GitHub** account, `liuende501`, which staged 236 repositories. The account's removal source (GitHub or the threat actor) remains unknown. **StepSecurity** researcher Sai Likhith highlighted a novel technique dubbed "**Phantom Gyp**." Instead of relying on commonly monitored `preinstall` or `postinstall` lifecycle scripts, the attacker abuses a 157-byte `binding.gyp` file to trigger code execution during `npm install`, bypassing many security checks. Similar to previous **Miasma** incidents, this attack chain downloads and installs the **Bun JavaScript runtime**, using it to load a comprehensive credential harvester. This harvester is tailored to extract secrets from **AWS**, **Google Cloud**, **Microsoft Azure**, **HashiCorp Vault**, **Docker**, **Kubernetes**, **GitHub Actions**, **npm**, **RubyGems**, **PyPI**, **SSH**, password managers, and AI assistants. "The most novel and concerning capability of this variant is its targeting of AI coding assistant configurations," **StepSecurity** noted. The malware injects persistent backdoor files into project repositories that execute whenever a developer opens the project in an AI-assisted IDE. Developers who have installed an affected version are strongly advised to rotate credentials, disable install scripts and native rebuilds by default, and ensure packages are pinned with integrity hashes. **Red Hat** revealed that the root cause of the previous **Miasma** supply chain incident was likely a compromised **GitHub** account used to push unauthorized commits to repositories within the **RedHatInsights** **GitHub** organization. **Microsoft**'s analysis of the campaign noted, "The payload operated across Linux, macOS, and Windows by dynamically downloading the correct **Bun** runtime for each platform, although Linux CI/CD runners appeared to be the primary target." In developer systems, the malware stole **SSH** keys, command-line interface (CLI) credentials, browser, and wallet data. In CI/CD environments, it scraped **GitHub Actions** runner memory for secrets, escalated privileges using passwordless `sudo`, and republished poisoned packages with forged **Supply-chain Levels for Software Artifacts (SLSA) provenance** to continue downstream propagation. ## Evolving Attack Chain and Persistence The **Miasma** payload is believed to be a derivative of the **Shai-Hulud** worm, previously used by **TeamPCP** in other campaigns, with largely cosmetic changes. Attribution for the latest attacks remains unclear, especially since **TeamPCP** publicly released the **Shai-Hulud** code.  **OX Security** has uncovered additional stages in the **Miasma** attack chain, including searches for **GitHub** commits containing the string "firedalazer" (replacing the previously flagged "**FIRESCALE**" dead drop) to retrieve another payload—a JavaScript file (`index.js`) containing an alternative version of the **Shai-Hulud** worm, effectively creating a perpetual infection loop. In this scenario, stolen data is exfiltrated to public **GitHub** repositories. These ongoing campaigns underscore the critical need for robust supply chain security measures, continuous monitoring, and developer vigilance to protect against increasingly sophisticated malware.