Several software supply chain attacks have impacted the NPM ecosystem, with threat actors using both malicious and poisoned versions of over 50 legitimate packages to distribute Rust-based information stealing and self-propagating worms, respectively.
According to JFrog, the information stealer “exploits every secret found on the developer’s machine, hides behind an EBPF kernel rootkit, and answers to its operator over Tor.”
The attacker also uses stolen credentials as a propagation mechanism, drawing parallels to the infamous Shai-Hulud worm. The new malware has been given a codename ironworm Software by supply chain security company. By publishing itself in the npm registry as a trojanized package, the approach results in a self-replicating attack.
The malicious activity has been traced to a compromised NPM account named “asteroiddao”, which was found to be publishing package versions containing the Rust ELF binary that is executed via a preinstall hook.
The malware targets 86 environment variables, various files that may include credentials associated with OpenAI codecs, Anthropic, Cloud, Google Gemini, cursors, Amazon Web Services (AWS), Docker, Kubernetes and NPM, Vault configuration, and Exodus cryptocurrency wallet files.
One unusual quirk worth mentioning here is that the stealer includes logic for the wallet data-stealing component to abandon the threat actor’s own wallet. At the time of writing, the cryptocurrency wallet is empty, and no transactions have been recorded.
JFrog describes Ironworm as “a supply chain weapon designed to find secrets, modify projects, and inject malicious code into GitHub to self-promote.” In an attempt to mimic Anthropic’s artificial intelligence (AI) chatbot, a malicious commit involving nine GitHub organizations has been introduced under the author name “Claude” (“claude@users.noreply.github.com”).
“The malicious NPM package was published by AsteroidDAO; AsteroidDAO corresponds to the asteroid-dao GitHub organization; and Aucribit is a member of that organization as well as related Arwave organizations,” the company reported.
“The malware stole Aucribit’s credentials and used them to push commits to repositories it could access. Those commits planted the malware in other packages, which could be published and infect the next developer. And then it disappeared.”
Additionally, the malicious payload is equipped to swap out the existing GitHub Actions workflow to collect secrets, write it to a harmless-looking file, and upload it as a build artifact, eliminating the need for an external command-and-control (C2) server.
The capabilities of malware don’t end there. In a CI environment, it abuses npm’s trusted publish flow to obtain short-lived tokens to push poisoned versions containing malware to the registry.
It also contains an EBPF payload that acts as a kernel-level rootkit to hide processes and thwart analysis. However, on systems where kernel lockdown is enabled, process-hiding tricks fail, and purported processes and sockets become visible again.
Miasma bug resurfaces
The disclosure comes as Andor Labs and StepSecurity shed light on a separate supply chain attack campaign that compromised 57 NPM packages in more than 286 malicious versions to serve a new version of the Miasma worm, which previously infected 32 packages in more than 90 versions under the @redhat-cloud-services npm namespace within 72 seconds earlier this week.
Some of the affected packages are listed below –
- ai-sdk-olma
- autotel
- waiting for
- impact analyst
- eslint-plugin-await
- executable-stories-cypress
- http-uploader-dev
- hill
- node-env-resolver
- node-env-resolver-aws
The data stolen through the malware is transferred to the now inaccessible GitHub account “liuende501”, which serves as an exit point. The account had 236 repositories staged. It is currently unknown whether GitHub has removed the account or whether the threat actor has removed it himself.
“This wave uses a technique we’re calling ‘phantom zip’: instead of the preinstall or postinstall lifecycle scripts that security tools typically monitor, the attacker misuses a 157-byte binding.zip file to trigger code execution during an npm install, completely bypassing most install-script security checks,” said StepSecurity researcher Sai Likhit.
Like the case with Miasma, the attack chain has been engineered to download and install the Bun JavaScript runtime, using it to load a comprehensive credential harvester designed to extract secrets from AWS, Google Cloud, Microsoft Azure, HashiCorp Vault, Docker, Kubernetes, GitHub Actions, npm, RubyGems, PyPI, SSH, password managers, and AI assistants.
“The most innovative and worrying capability of this version is the targeting of AI coding assistant configurations,” the company said. “The malware persistently injects backdoor files into the project repository that are executed when a developer opens the project in their AI-assisted IDE.”
Developers who installed the affected version are advised to rotate credentials, turn off install scripts and native rebuilds by default, and ensure that packages are pinned with integrity hashes.
In an update shared this week, Red Hat revealed that the root cause behind the Miasma supply chain incident was likely a compromised GitHub account that was used to push unauthorized commits to repositories in the RedHatInsights GitHub organization.
Microsoft said of the campaign, “The payload operates on Linux, macOS, and Windows by dynamically downloading the correct BUN runtime for each platform, although Linux CI/CD runners appear to be the primary target.”
“On developer systems, the malware stole Secure Shell (SSH) keys, command-line interface (CLI) credentials, browser, and wallet data, while in CI/CD environments it scraped GitHub Action Runner memory for secrets, escalated privileges using passwordless sudo, and forged supply-chain levels of provenance for software artifacts (SLSAs) to continue downstream propagation. Republished poisonous packages with “.
The Miasma payload is considered a derivative of the Shai-Hulud worm used by TeamPCP in recent campaigns, introducing largely “cosmetic” changes while keeping the underlying functionality the same. Despite the overlap in tradecraft, responsibilities for the latest set of attacks remain unclear, given that TeamPCP has publicly released the Shai-Hulud code.
OX Security has since disclosed additional steps in the Miasma attack chain, including searching a GitHub commit containing the string “firedelezer” (replacing the previously marked “firescale” dead drop) to retrieve another payload, a JavaScript file (“index.js”) that contains an alternate version of the Shai-Hulud worm, effectively turning the infection into a perpetual loop.
In this case, the stolen data is pushed to public GitHub repositories, each described as “Miasma: The Spreading Blight” or “Miasma – The Spreading Blight”. It is important to note here that the previous version read “Miasma: The Spreading Blight” with no space between Miasma and the “:” symbol. There are currently 82 such repositories created on user accounts “0tabek16” and “windy629”.
Security researchers Moshe Siman Tov Bustan and Nir Zadok said, “The threat actor could dynamically change ‘FireLedger’ commits in GitHub, allowing new versions of the malware to be more adaptive and more sophisticated.”
“This turns GitHub into something even more dangerous than a dead drop. It’s an adaptive C2 – one that piggybacks on a trusted, widely whitelisted platform, making network-level detection almost useless. Most security tools are not configured to treat GitHub traffic as suspicious. The threat actor knows this.”
