Full Report
Multiple software supply chain attacks have hit the npm ecosystem, with threat actors using both malicious and poisoned versions of over 50 legitimate packages to distribute a Rust-based information stealer and a self-spreading worm, respectively. According to JFrog, the information stealer "scrapes every secret it can find on a developer's machine, hides behind an eBPF kernel rootkit, and
Analysis Summary
# Incident Report: IronWorm & Miasma Software Supply Chain Attacks
## Executive Summary
In June 2026, the npm ecosystem was hit by two distinct supply chain campaigns that together touched over 50 legitimate packages. The primary threat, a self-propagating worm named **IronWorm**, carried a Rust-based information stealer that hid behind an eBPF kernel rootkit, scraped every secret it could find on a developer's machine, and reused the stolen Git and npm credentials to push malicious commits across GitHub. A concurrent campaign distributed a new variant of the **Miasma** worm, compromising hundreds of package versions and exfiltrating data through GitHub infrastructure.
## Incident Details
- **Discovery Date:** June 2026
- **Incident Date:** June 2026
- **Affected Organization:** npm ecosystem, GitHub, and various software development organizations
- **Sector:** Technology / Software Development
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** June 2026
- **Vector:** Compromised npm developer accounts (e.g., "asteroiddao") and "poisoned" versions of legitimate packages.
- **Details:** Attackers took over existing maintainer accounts or published trojanized versions of over 50 packages whose `preinstall` hooks ran a bundled malicious binary the moment the package was installed.
### Lateral Movement
- **Mechanism:** The malware stole local Git and npm credentials from developers' machines.
- **Details:** Using these credentials, IronWorm automatically pushed malicious commits to repositories the victim had access to, mimicking legitimate users (e.g., using the name "claude" to impersonate AI-related services) to infect downstream projects.
### Data Exfiltration/Impact
- **Targets:** 86 named environment variables, OpenAI/Anthropic/Gemini API keys, AWS/Docker/Kubernetes credentials, and Exodus cryptocurrency wallets.
- **Method:** On developer machines IronWorm exfiltrated over Tor for C2; inside CI it rewrote GitHub Actions workflows so that harvested secrets were uploaded as ordinary "build artifacts", which defeats egress-based detection because the upload goes to GitHub's own endpoints rather than to attacker infrastructure.
### Detection & Response
- **Discovery:** Identified by security researchers at JFrog, Endor Labs, and StepSecurity.
- **Response:** Compromised npm accounts and malicious versions were flagged; researchers identified the specific "asteroiddao" and "liuende501" accounts used as exfiltration/distribution points.
## Attack Methodology
- **Initial Access:** Trojanized npm packages; exploitation of npm's "Trusted Publishing" flow.
- **Persistence:** eBPF-based kernel rootkit to hide malicious processes and sockets.
- **Privilege Escalation:** Not explicitly detailed, but targeted high-privilege cloud/container credentials (AWS, K8s).
- **Defense Evasion:** Use of Tor for C2, hiding processes via eBPF, and naming commits after "[email protected][.]github[.]com" to blend with AI tool traffic.
- **Credential Access:** Scraping environment variables and local configuration files.
- **Discovery:** Automatic scanning of `~/.gitconfig`, `~/.npmrc`, and cloud provider config directories.
- **Lateral Movement:** Self-propagation via automated GitHub commits and re-publishing poisoned packages.
- **Collection:** Harvesting secrets from CI/CD artifacts and developer environments.
- **Exfiltration:** Tor-based upload and abuse of GitHub Actions build artifacts.
- **Impact:** Compromise of secret keys and integrity of the software supply chain.
## Impact Assessment
- **Financial:** Potential loss of funds through cryptocurrency wallet theft (though the example wallet was empty at the time of report).
- **Data Breach:** High-volume theft of sensitive API keys and cloud infrastructure secrets.
- **Operational:** Disruption of npm registry trust; requirement for widespread credential rotation.
- **Reputational:** Damage to affected open-source maintainers whose accounts were used to spread the worm.
## Indicators of Compromise
- **Network:** Communication with Tor relay nodes; traffic to `github[.]com/liuende501`.
- **File:** Rust-based ELF binaries executed via npm preinstall scripts.
- **Behavioral:** Unauthorized GitHub commits from the user `[email protected][.]github[.]com`; unexpected "build artifacts" in GitHub Actions.
## Response Actions
- **Containment:** Removal of malicious packages from the npm registry.
- **Eradication:** Revocation of compromised developer tokens and CI/CD secrets.
- **Recovery:** Restoring legitimate package versions and cleaning affected developer workstations.
## Lessons Learned
- **Credential Proliferation:** The attack highlights the danger of storing long-lived, high-privilege secrets in environment variables or plaintext config files on developer machines.
- **Automated Propagation:** Worm-like behavior in supply chains can scale faster than manual human response, requiring automated security gates in CI/CD.
## Recommendations
- **Enforce MFA:** Mandatory Multi-Factor Authentication for all npm and GitHub accounts.
- **Secret Management:** Transition from environment variables to secure secret managers (e.g., HashiCorp Vault, AWS Secrets Manager) and use short-lived tokens.
- **Disable Install Scripts:** Run `npm ci --ignore-scripts` (or set `ignore-scripts=true` in `.npmrc`) so `preinstall`/`postinstall` hooks cannot execute during installation; packages that genuinely need a build step are then rebuilt explicitly with `npm rebuild <pkg>` (with the ignore-scripts setting lifted for that invocation), which turns every install-time script into a reviewed decision.
- **Restrict eBPF Loading:** Kernel lockdown (integrity or confidentiality mode) limits what a loaded BPF program may read but does not stop a root process from loading one, so it is not a complete answer to an eBPF rootkit. Keep `kernel.unprivileged_bpf_disabled=1` so an install script running as the developer's user cannot load BPF at all, and alert on `bpf()` syscalls from unexpected processes (auditd or an EDR that tracks BPF program loads).