Supply chain attacks against the npm ecosystem have intensified, with two distinct campaigns hitting developer environments in early June 2026: a Rust-based infostealer called IronWorm and a new variant of the self-propagating Miasma worm. Both abuse compromised npm accounts and preinstall hooks to execute payloads during package installation and exfiltrate credentials.
IronWorm, analyzed by JFrog, was traced to a compromised npm account named “asteroiddao,” which published package versions carrying a Rust ELF binary executed via a preinstall hook. The malware hides behind an eBPF kernel-level rootkit to conceal its processes and network activity, and communicates with its operator over Tor. It sweeps 86 environment variables and more than 20 credential files, targeting secrets for AWS, Google Cloud, Azure, Docker, Kubernetes, npm, SSH keys, cryptocurrency wallets, and AI provider keys including Anthropic, OpenAI, and Google Gemini. Like the earlier Shai-Hulud worm, IronWorm turns stolen credentials into a propagation mechanism, pushing backdated commits into victims’ GitHub repositories and republishing trojanized packages to npm using trusted developer workflows.
The Miasma variant works differently. Rather than relying on the preinstall or postinstall lifecycle scripts that security tools commonly monitor, it uses a technique researchers have dubbed “Phantom Gyp”: a 157-byte binding.gyp file that triggers code execution through node-gyp during npm install, bypassing most install-script security checks. The payload downloads the Bun JavaScript runtime to execute its implant and sweep secrets across cloud platforms, SSH, and AI assistant configurations. Miasma first surfaced on June 1, 2026, when it compromised 32 packages under Red Hat’s @redhat-cloud-services namespace via a hijacked CI/CD pipeline. Two days later, on June 3, the Phantom Gyp wave compromised 57 packages across more than 286 malicious versions in under two hours, with @vapi-ai/server-sdk and ai-sdk-ollama among the hardest hit through the maintainer account “jagreehal.”
Both campaigns also swap or inject GitHub Actions workflows that harvest secrets and upload them as build artifacts, in some cases without requiring a dedicated command-and-control server. Red Hat confirmed no official products were affected by the namespace compromise.
Security firms including JFrog, StepSecurity, and Endor Labs have issued advisories urging developers to audit dependencies, verify package sources, rotate exposed credentials, and tighten access controls on npm accounts. The use of binding.gyp files, trusted publishing workflows, and CI pipelines as attack vectors points to a growing trend in supply chain compromises that evade conventional, script-focused monitoring.
Sources: