Asteroiddao hit by network compromise
Incident
Summary
asteroiddao suffered a compromised-account incident that let malicious npm package versions and repository commits seed a wider supply-chain attack. The account was used to publish packages carrying a Rust ELF binary executed via preinstall. That compromise matters because it turned a trusted publishing identity into an infection path for developers and CI systems consuming npm packages.
Related Happenings
IronWorm npm supply-chain infection and self-propagation
Malware Activity
First: 04.06.2026 18:25
Last: 04.06.2026 18:25
Sources 1
How related:
A new supply-chain attack has infected 36 packages on the Node Package Manager (npm) index with infostealer malware called IronWorm.
About this happening:
The **IronWorm** malware has infected **36 npm packages**, creating a supply-chain risk for developer and CI environments that can leak secrets and receive trojanized updates. It...
Miasma GitHub and npm supply-chain campaign
Campaign
First: 02.06.2026 00:38
Last: 02.06.2026 00:38
Sources 1
About this happening:
A **Miasma** supply-chain campaign has spread through **GitHub** and **npm** abuse, compromising **309 GitHub repositories** and widening the risk of credential theft across devel...
Red Hat npm Namespace Hijacked in Supply Chain hit by cyberattack
Incident
First: 01.06.2026 20:40
Last: 01.06.2026 20:40
Sources 1
About this happening:
**Red Hat's** official npm namespace was hijacked in a **supply chain attack** that republished **32 packages** in the **@redhat-cloud-services** scope on **June 1**; the maliciou...
JINX-0164 cryptocurrency recruitment-lure campaign
Campaign
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources 1
About this happening:
A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
Mouse5212-super-formatter postinstall GitHub exfiltration package
Malware Activity
First: 27.05.2026 18:44
Last: 27.05.2026 18:44
Sources 1
About this happening:
The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...
Latest development: 29.05.2026 11:10
mouse5212-super-formatter leaked a hardcoded GitHub token, exposing the operator's credential and allowing about seven theft sessions to be observed in the attacker's GitHub repository; the malicious npm package recursively copied files from a victim machine, uploaded them through the GitHub Contents API, and was later removed from npm.
Timeline
- 04.06.2026 18:25 · 2 articles
IronWorm infects 36 npm packages in a supply-chain attack
Initial Disclosure: A supply-chain attack on the Node Package Manager (npm) index infected 36 packages with IronWorm, a Rust-based infostealer that targets 86 environment variables and 20 credential files, hides behind an eBPF kernel rootkit, and communicates over Tor. The attack began from a compromised account named asteroiddao that published malicious package versions and pushed commits, using preinstall execution to seed trojanized releases that could steal credentials and self-propagate through npm. The campaign was detected very early and stopped before it spread to more popular packages on npm.
Sources:
- New IronWorm malware hits 36 packages in npm supply-chain attack — www.bleepingcomputer.com — 04.06.2026 18:25