The npm ecosystem is facing dual supply chain campaigns that researchers say represent a new wave of developer-targeting threats. IronWorm and a freshly identified variant of the Miasma worm have been discovered targeting npm packages simultaneously — with different techniques but a shared objective: stealing credentials and sensitive data from software developers.
According to research published by JFrog Security, both campaigns were active as of early June 2026, with IronWorm leveraging over 50 poisoned legitimate packages to distribute a Rust-based information stealer, and the Miasma variant using self-spreading mechanisms to propagate across maintainer accounts.
IronWorm: Rust-Based Infostealer Rides 50+ Legitimate Packages
IronWorm is a newly identified threat actor campaign that distinguishes itself through two factors: its choice of language (Rust) and its breadth of package poisoning.
How IronWorm Operates
The campaign works by injecting malicious code into legitimate, widely used npm packages — either by compromising maintainer accounts, publishing look-alike packages with similar names (typosquatting), or both. When developers install or update these packages, the malicious payload is pulled into their development environments.
The core payload is a Rust-compiled information stealer that targets:
- Stored browser credentials (passwords, session cookies from Chrome, Firefox, Edge)
- SSH private keys and known_hosts files
- NPM authentication tokens (~/.npmrc credentials)
- Cloud provider credential files (AWS ~/.aws/credentials, GCP, Azure CLI tokens)
- Git configuration including stored tokens and commit author data
- Cryptocurrency wallet files and seed phrase storage
The use of Rust is tactically significant: Rust binaries are compact, need no interpreter or runtime installed on the victim machine, leave a small memory and process footprint that some behavior-based detectors may not flag, and are harder to reverse-engineer than interpreted (JavaScript or Python) payloads.
Scale of the Campaign
JFrog's analysis identified more than 50 legitimate npm packages that had been poisoned as part of the IronWorm campaign at the time of discovery. The packages span multiple categories including:
- Front-end build tools and Webpack plugins
- Testing utilities and assertion libraries
- HTTP client wrappers
- Date/time manipulation libraries
The breadth of package targeting suggests an automated or semi-automated campaign designed to maximize the probability of reaching developer machines at scale.
Miasma Worm: Self-Spreading Variant Targets Maintainer Accounts
The second campaign involves a new variant of Miasma, a worm-style malware that has previously appeared in supply chain contexts. The Miasma variant identified in this wave is notable for its self-propagation capability — once it gains access to a developer environment, it attempts to spread to additional npm maintainer accounts accessible from that machine.
Propagation Mechanism
The Miasma variant works as follows:
- Initial infection arrives via a poisoned npm package installed by the target developer
- The malware reads .npmrc files and any npm tokens cached in the environment
- Using stolen npm credentials, Miasma publishes malicious updates to packages the compromised maintainer controls
- These updates infect the next layer of developers who install them — creating a self-amplifying chain
This worm behavior dramatically increases the blast radius of a single initial compromise. A maintainer with access to 10 packages becomes an unwitting vector for infecting every developer who uses those 10 packages.
Credential Harvesting Focus
Unlike IronWorm's broad infostealer approach, the Miasma variant appears specifically optimized for npm credential theft and propagation — prioritizing lateral spread through the package ecosystem over general-purpose data theft.
Detection and Response
For Individual Developers
Check your npm environment for signs of compromise:
# Review recently installed packages and their integrity
npm audit
# Check npm token access — revoke any tokens you don't recognize
npm token list
# Review your .npmrc for unexpected registry configurations
cat ~/.npmrc
# Scan for recently modified credential files
find ~ -name ".npmrc" -newer ~/.bashrc -type f 2>/dev/null
find ~ -name "credentials" -path "*/.aws/*" -newer ~/.bashrc 2>/dev/null
For Organizations
# Audit installed packages against known-good lockfile
npm ci --audit
# Review all npm tokens associated with your organization's packages
# (via npmjs.com org settings or the registry API)
# Enable npm's 2FA enforcement for all publishing accounts
# Settings → Security → Require 2FA for publishing
# Pin package versions in CI/CD rather than using semver ranges
Miasma-Specific Indicators
Watch for:
- Unexpected npm publish activity from your accounts
- New versions of your packages appearing that you did not author
- Authentication alerts from npm for logins from unfamiliar IPs
- .npmrc files modified without your action
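The "new versions you did not author" indicator, and the Miasma publish-and-spread step it follows from, can be checked mechanically against the registry's package document. The following is an added example, not code from the article or from JFrog; the packument below is constructed sample data in the shape of the public registry's document, and the package name is a placeholder.

```javascript
// Install-time lifecycle scripts: a worm publishing under a stolen token
// typically needs one of these to run on the next developer's machine.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Constructed sample in the shape of https://registry.npmjs.org/<name>:
// version 2.4.0 is the maintainer's real release; 2.4.1 is not.
const SAMPLE_PACKUMENT = {
  name: "example-http-wrapper", // placeholder name
  "dist-tags": { latest: "2.4.1" },
  time: {
    created: "2024-01-10T09:00:00.000Z",
    modified: "2026-06-02T03:14:00.000Z",
    "2.4.0": "2026-05-20T12:00:00.000Z",
    "2.4.1": "2026-06-02T03:14:00.000Z",
  },
  versions: {
    "2.4.0": { version: "2.4.0", scripts: { test: "node test.js" } },
    "2.4.1": { version: "2.4.1", scripts: { test: "node test.js", preinstall: "node setup.js" } },
  },
};

// Compare the registry's view of a package with the versions the maintainer
// actually released (for example, from git tags). Returns every version the
// registry knows but the maintainer does not, with any install hooks it adds
// relative to the last legitimate release, plus whether "latest" points at one.
function auditPackument(doc, releasedVersions) {
  const known = new Set(releasedVersions);
  const lastGood = releasedVersions[releasedVersions.length - 1];
  const goodHooks = new Set(Object.keys(doc.versions[lastGood]?.scripts ?? {}));
  const unexpected = [];
  for (const [version, publishedAt] of Object.entries(doc.time)) {
    if (version === "created" || version === "modified") continue; // registry bookkeeping keys
    if (known.has(version)) continue;
    const scripts = doc.versions[version]?.scripts ?? {};
    const newInstallHooks = INSTALL_HOOKS.filter((h) => h in scripts && !goodHooks.has(h));
    unexpected.push({ version, publishedAt, newInstallHooks });
  }
  const latest = doc["dist-tags"]?.latest;
  return { unexpected, latestHijacked: latest !== undefined && !known.has(latest) };
}

console.log(JSON.stringify(auditPackument(SAMPLE_PACKUMENT, ["2.4.0"]), null, 2));
```

Fetch the real document with a GET to https://registry.npmjs.org/<name> and pass it in place of the constructed sample; an unexpected version that adds a preinstall or postinstall hook is the one to look at first.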
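The `cat ~/.npmrc` step under "For Individual Developers" leaves the reading to you; the added example below (not from the article) parses an .npmrc and flags registry settings and stored credentials for hosts outside an allow-list, which is how a redirected registry or a token an IronWorm-style stealer would harvest shows up. The .npmrc content and hostnames are constructed, and the token values are placeholders.

```javascript
// Constructed .npmrc: one scoped registry and one credential point at hosts
// the developer does not expect. Token values are placeholders, not real tokens.
const SAMPLE_NPMRC = [
  "registry=https://registry.npmjs.org/",
  "@acme:registry=https://npm.example-internal.test/",
  "//registry.npmjs.org/:_authToken=npm_PLACEHOLDER_TOKEN_1",
  "//cdn.example-mirror.test/:_authToken=npm_PLACEHOLDER_TOKEN_2",
  "; comments and blank lines are ignored",
  "",
  "always-auth=true",
].join("\n");

// .npmrc is one key=value per line; ';' and '#' start comment lines.
function parseNpmrc(text) {
  return text.split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith(";") && !line.startsWith("#"))
    .map((line) => {
      const eq = line.indexOf("=");
      if (eq < 0) return { key: line, value: "" }; // bare flag with no value
      return { key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim() };
    });
}

// Host part of a credential key such as "//registry.npmjs.org/:_authToken".
function credentialHost(key) {
  return key.slice(2).split("/")[0];
}

function auditNpmrc(text, allowedHosts) {
  const allowed = new Set(allowedHosts);
  const unexpectedRegistries = [];
  const credentials = [];
  for (const { key, value } of parseNpmrc(text)) {
    if (key === "registry" || key.endsWith(":registry")) {
      let host;
      try { host = new URL(value).host; } catch { host = value; } // malformed URL: report raw value
      if (!allowed.has(host)) unexpectedRegistries.push({ key, host });
    } else if (key.startsWith("//") && /:_(authToken|auth|password)$/.test(key)) {
      const host = credentialHost(key);
      // Never echo the secret itself; host and key name are enough to decide what to revoke.
      credentials.push({ key, host, allowed: allowed.has(host) });
    }
  }
  return { unexpectedRegistries, credentials };
}

console.log(JSON.stringify(auditNpmrc(SAMPLE_NPMRC, ["registry.npmjs.org"]), null, 2));
```

Run it over `fs.readFileSync(path.join(os.homedir(), ".npmrc"), "utf8")` and any project-level .npmrc; every credential it lists is a token to rotate if you do not recognize it.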
Broader Context: npm Supply Chain Pressure
These two campaigns arrive in a period of sustained pressure on the npm ecosystem. The supply chain has faced repeated waves of attack throughout 2025 and 2026, including:
- The Shai Hulud worm campaigns targeting multiple package registries
- TeamPCP attacks poisoning packages from major software vendors
- Multiple maintainer account takeover campaigns using phishing and credential stuffing
- The Miasma worm's earlier appearances in PyPI and npm contexts
npm's recent introduction of 2FA-gated publishing and package install controls (announced May 2026) provides structural defense against some of these attacks, but adoption requires active opt-in from maintainers.
Key Takeaways
- IronWorm deployed a Rust-based infostealer through 50+ poisoned npm packages, targeting developer credentials, SSH keys, cloud tokens, and crypto wallets
- A new Miasma worm variant uses compromised npm maintainer credentials to self-propagate through the package ecosystem
- Rust-based malware is increasingly favored by supply chain attackers for its stealth and resistance to analysis
- Developers are the primary target — cloud credentials, SSH keys, and npm tokens harvested from developer machines enable follow-on attacks on infrastructure and downstream users
- Immediate actions: audit recent package installs, rotate npm tokens, enable 2FA on all publishing accounts, and check for unauthorized package versions
Sources
- IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks — The Hacker News
- JFrog Security Research — npm Supply Chain Threat Analysis (June 2026)