Threat actors have compromised over 50 legitimate npm packages in coordinated supply chain attacks targeting JavaScript developers. The campaign distributes two distinct threats: a Rust-based information stealer tracked as IronWorm and a new variant of the Miasma worm.
IronWorm operates as an aggressive credential harvester. The malware scrapes authentication tokens, API keys, and other secrets from infected developer machines, then conceals itself with an eBPF kernel rootkit. Because eBPF is a Linux kernel facility, this hiding technique applies to Linux developer workstations and build hosts; it lets the malware filter what user-space security tools see, which complicates both detection and removal.
The Miasma worm variant is self-propagating: once installed, it spreads automatically to additional npm packages. This worm-like behavior widens the blast radius and increases the number of compromised packages over time.
JFrog's researchers identified the poisoned packages. The attackers did not create typosquatted or fake libraries; instead, they injected malicious code into existing, popular npm packages, so the compromised versions were published under names developers already trusted. This technique exploits the trust developers place in established dependencies and increases the likelihood of installation.
The npm ecosystem faces heightened risk from supply chain attacks targeting JavaScript development communities. Developers relying on third-party packages face credential theft and potential account compromise. Organizations using affected dependencies in production environments could experience unauthorized access to cloud services, databases, and internal systems tied to developer credentials.
npm maintainers and JFrog have worked to remove compromised packages and alert affected users. Developers should immediately audit their dependency trees for the malicious packages, regenerate all API credentials and tokens, and review access logs for suspicious activity. Organizations should implement Software Bill of Materials scanning and dependency verification tools to detect compromised packages before deployment.
The attacks underscore the persistent exposure of open-source ecosystems to adversary manipulation. Threat actors continue to target npm specifically because JavaScript dominates web development and the registry hosts millions of packages.
