IronWorm, Miasma variants infect dozens of npm packages
Trojan releases and malicious install scripts in npm packages harvested AI settings, cloud credentials, SSH keys and wallets, exfiltrating data to GitHub repositories and accounts.
Security researchers have uncovered two separate supply-chain campaigns that published trojanized npm package versions and used install-time execution to steal developer secrets and propagate further. The activity unfolded over the past week and targeted both developer machines and CI runners.
One campaign involved a Rust-based information stealer tracked as IronWorm. Analysis shows malicious package versions were published from a compromised npm account named “asteroiddao”. The packages used a preinstall hook to run a Rust ELF binary that collected environment variables and files likely to contain credentials for AI assistants, cloud services, container platforms and wallets. The malware targeted 86 environment variables and files associated with services such as OpenAI, Anthropic, Google Gemini, AWS, Docker, Kubernetes, npm and HashiCorp Vault, and searched for Exodus wallet data. The operator built logic to skip a specific wallet, and investigators found that wallet empty with no recorded transactions.
The IronWorm payload included a kernel-level eBPF component to hide processes and network sockets and used Tor for operator communications. Stolen GitHub credentials were used to push unauthorized commits across at least nine organizations. Those commits replaced existing GitHub Actions workflows with routines that collected secrets and uploaded them as build artifacts, removing the need for an external command-and-control server. In CI environments the malware abused npm’s Trusted Publishing flow to obtain short-lived tokens and publish poisoned package versions. The eBPF hiding techniques did not work on systems with kernel lockdown enabled.
A separate campaign delivered a new Miasma worm variant that compromised dozens of packages. Researchers attributed 57 compromised npm packages and more than 286 malicious versions to this wave. The attack used an unusual 157-byte binding.gyp file to trigger code execution during npm install and bypass many checks that monitor preinstall and postinstall scripts. The installer fetched the Bun JavaScript runtime for the host platform and used it to run a credential harvester that targeted AWS, Google Cloud, Microsoft Azure, HashiCorp Vault, Docker, Kubernetes, GitHub Actions, npm, RubyGems, PyPI, SSH keys, password managers and AI coding assistant configurations.
Microsoft’s analysis showed the Miasma payload ran on Linux, macOS and Windows, with Linux CI runners appearing to be the main target. In CI environments the malware scraped runner memory for secrets, escalated privileges via passwordless sudo where possible, and republished poisoned packages with forged SLSA provenance. Stolen data was exfiltrated to GitHub accounts and public repositories that researchers found labeled with the text “Miasma: The Spreading Blight.” One account staged up to 236 repositories before it became inaccessible.
Multiple security teams linked several infection chains to compromised GitHub accounts used to push unauthorized commits. Because the underlying code has been shared and repurposed, investigators have not assigned firm attribution. Recommended immediate steps for developers include rotating exposed credentials, disabling automatic install scripts and native rebuilds where feasible, and pinning dependencies with integrity hashes to limit exposure.
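As an added example (not code from the article or from the research teams it cites), the following Node.js script checks a package-lock.json and an .npmrc for the controls recommended above: missing integrity hashes, packages that declare install hooks, and whether install scripts are disabled globally. The package names, URLs and hashes in it are constructed placeholders.

```javascript
// Added example, not from the article or from any of the research teams it cites.
// It audits a package-lock.json (lockfile v2/v3 "packages" map) for the two gaps
// the article's advice closes: dependencies without an integrity hash, and
// dependencies that declare install hooks (npm records these as hasInstallScript).
// It also checks whether an .npmrc sets ignore-scripts=true. A lockfile check only
// sees declared preinstall/install/postinstall hooks; the article's binding.gyp
// trigger is exactly why the npm-wide ignore-scripts setting is the stronger control.

function auditLockfile(lock) {
  const missingIntegrity = [];
  const installScripts = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // The root project ("") and workspace links carry no integrity by design.
    if (path === '' || entry.link) continue;
    if (!entry.integrity || !/^sha(256|384|512)-/.test(entry.integrity)) {
      missingIntegrity.push(path);
    }
    if (entry.hasInstallScript) installScripts.push(path);
  }
  return { missingIntegrity, installScripts };
}

function ignoresScripts(npmrc) {
  return npmrc.split(/\r?\n/).some((line) => {
    const m = line.trim().match(/^ignore-scripts\s*=\s*(.*)$/);
    return m !== null && m[1].trim() === 'true';
  });
}

// Constructed sample lockfile: package names, URLs and hashes are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/good-lib': { version: '2.1.0',
      resolved: 'https://registry.example/good-lib-2.1.0.tgz',
      integrity: 'sha512-' + 'A'.repeat(86) + '==' },
    'node_modules/native-addon': { version: '0.3.0',
      resolved: 'https://registry.example/native-addon-0.3.0.tgz',
      integrity: 'sha512-' + 'B'.repeat(86) + '==', hasInstallScript: true },
    'node_modules/unpinned-lib': { version: '1.0.0',
      resolved: 'https://registry.example/unpinned-lib-1.0.0.tgz' },
  },
};
// Constructed .npmrc with the hardening the article recommends.
const sampleNpmrc = 'save-exact=true\nignore-scripts=true\n';

console.log(JSON.stringify(auditLockfile(sampleLock)));
console.log('ignore-scripts enabled:', ignoresScripts(sampleNpmrc));
```

Run it against a real lockfile by replacing `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; any entry reported under `installScripts` deserves a manual look before `npm ci` runs with scripts enabled.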