Intelligence: critical | Supply Chain | Active

Coordinated npm Supply Chain Attack Combines Information Stealer with Self-Propagating Worm

Threat actors have compromised over 50 npm packages to distribute IronWorm (a Rust-based information stealer with kernel rootkit capabilities) and a new Miasma worm variant capable of self-propagation. Developers using these poisoned packages face immediate risk of credential theft and persistent system compromise.

By Sebastion

Affected

npm ecosystem, Node.js developers, 50+ npm packages

The attack represents a significant escalation in npm-targeted supply chain campaigns. Rather than single-stage droppers, threat actors have deployed dual payloads: IronWorm steals credentials and secrets whilst remaining hidden via an eBPF kernel rootkit, and a Miasma worm variant self-propagates to expand the attack surface. This dual-payload approach suggests either a sophisticated threat group or a collaboration between multiple actors.

The eBPF rootkit component is particularly concerning because it operates at the kernel level, making detection and remediation substantially harder than userland malware. Developers running affected packages will find credentials, API keys, SSH keys, and environment variables harvested automatically. The rootkit's persistence mechanisms likely survive package reinstalls and standard remediation procedures, creating a backdoor in affected developer machines.

The scale and coordination of poisoning 50+ legitimate packages indicates either widespread package maintainer compromise or a systematic exploitation of typosquatting or package name confusion. The Miasma worm's self-spreading capability means each compromised developer becomes a vector for further infection, potentially reaching CI/CD pipelines, build systems, and deployment infrastructure. This transforms the attack from a direct supply chain poisoning into a multi-stage intrusion framework.

Defenders should immediately audit npm package dependencies for the affected packages (specific names are critical but not provided in the truncated source). Organisations should regenerate all secrets and API keys on any system that installed these packages, assume potential rootkit infection, and consider rebuilding affected systems from clean media. Because the kernel-level rootkit component may persist across standard package removal, the incident warrants elevated incident response protocols.
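As an added example (not code from the advisory or from any project it names), the following Node.js script performs the dependency audit described above against a package-lock.json. It reads the lockfile's `packages` map (lockfileVersion 2 or 3), reports every installed path whose name is on a denylist, and separately reports every dependency that npm has recorded as carrying an install-time lifecycle script (`"hasInstallScript": true`), since install hooks are where a dropper in a poisoned package normally runs. The denylist names and the sample lockfile are constructed placeholders; the real affected package names are not given on this page and must be substituted from the published advisory.

```javascript
// Added example, not part of the original advisory: audit an npm lockfile
// (package-lock.json, lockfileVersion 2 or 3, whose "packages" map lists every
// installed path) for two things a defender wants after a poisoning campaign:
//   (a) dependencies whose name is on a denylist of known-poisoned packages, and
//   (b) dependencies that run install-time lifecycle scripts, which npm records
//       in the lockfile as "hasInstallScript": true and which is the usual hook
//       for a dropper.
// The denylist entries and the sample lockfile below are constructed
// placeholders; replace them with the package names the advisory publishes.

// PLACEHOLDER denylist (constructed): put the advisory's affected names here.
const DENYLIST = new Set([
  'poisoned-pkg-placeholder',
  '@scope/other-poisoned-placeholder',
]);

// "node_modules/a/node_modules/@s/b" -> "@s/b". The root project is the "" key
// and has no package name, so it yields null.
function packageNameFromKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// A direct dependency sits exactly one node_modules level below the root;
// anything deeper was pulled in transitively.
function isDirectDependency(key) {
  return key.split('node_modules/').length === 2;
}

// Walk the lockfile and collect findings; returns
// { denylisted: [...], installScripts: [...] }, one record per installed path.
function auditLockfile(lock, denylist = DENYLIST) {
  const findings = { denylisted: [], installScripts: [] };
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromKey(key);
    if (name === null) continue; // root project entry
    const record = {
      path: key,
      name,
      version: entry.version,
      direct: isDirectDependency(key),
    };
    if (denylist.has(name)) findings.denylisted.push(record);
    if (entry.hasInstallScript === true) findings.installScripts.push(record);
  }
  return findings;
}

// Read a real lockfile from disk (CommonJS; only evaluated when called).
function loadLockfile(path) {
  const fs = require('fs');
  return JSON.parse(fs.readFileSync(path, 'utf8'));
}

// Constructed sample lockfile standing in for a project's package-lock.json.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/harmless-lib': { version: '1.3.0' },
    'node_modules/poisoned-pkg-placeholder': { version: '2.1.7', hasInstallScript: true },
    'node_modules/harmless-lib/node_modules/@scope/other-poisoned-placeholder': { version: '0.0.9' },
    'node_modules/native-addon-like': { version: '9.0.0', hasInstallScript: true },
  },
};

// Run against the constructed sample and print the findings as JSON.
const report = auditLockfile(SAMPLE_LOCK);
console.log(JSON.stringify(report, null, 2));
```

To run it against a real project, replace `SAMPLE_LOCK` with `loadLockfile('package-lock.json')`. A hit in `denylisted` is the trigger for the secret rotation and rebuild steps above; the `installScripts` list is broader and will include legitimate native addons, so it is a review list rather than a verdict, but any denylisted package that also appears there has almost certainly already executed on the machine that installed it.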

This attack pattern reflects evolving threat actor capabilities: the combination of information gathering (IronWorm), persistence (eBPF rootkit), and lateral movement (Miasma worm) resembles APT tradecraft applied to open source supply chains. The apparent targeting of developer machines suggests a long-term intrusion strategy focused on downstream victims rather than immediate impact.