IronWorm npm supply-chain infection and self-propagation
Malware Activity
Summary
Hide ▲
Show ▼
IronWorm is a Rust infostealer in a npm supply-chain activity that hides behind an eBPF kernel rootkit, communicates over Tor, and targets 86 environment variables and 20 credential files tied to OpenAI, AWS, Anthropic, npm, SSH, vaults, and Exodus wallet data. The initial intrusion was traced to the compromised asteroiddao account, and the malware has been observed using preinstall execution, stolen publishing credentials, and GitHub Actions-based secret movement to spread trojanized package versions. The activity infected 36 npm packages and was detected early enough to stop before it reached more popular packages.
Related Happenings
AsyncAPI malicious npm package supply-chain malware
Malware Activity
H score21
First: 15.07.2026 18:37
Last: 15.07.2026 18:37
Sources 1
About this happening:
Malicious AsyncAPI npm releases pushed a remote access trojan and info-stealing payload into packages with more than 2.25 million weekly downloads, putting downstr...
AsyncAPI malicious npm package supply-chain malware
Malware ActivityAbout this happening: Malicious AsyncAPI npm releases pushed a remote access trojan and info-stealing payload into packages with more than 2.25 million weekly downloads, putting downstr...
Compromised @asyncapi npm packages distributing the Miasma loader
Malware Activity
H score29
First: 15.07.2026 12:16
Last: 15.07.2026 12:16
Sources 1
About this happening:
Four compromised @asyncapi npm packages now deliver a multi-stage botnet loader when imported, exposing consumers to Miasma payloads during normal Node.js module load....
Compromised @asyncapi npm packages distributing the Miasma loader
Malware ActivityAbout this happening: Four compromised @asyncapi npm packages now deliver a multi-stage botnet loader when imported, exposing consumers to Miasma payloads during normal Node.js module load....
AsyncAPI repositories and npm publishing workflow hit by network compromise
Incident
H score27
First: 15.07.2026 12:16
Last: 15.07.2026 12:16
Sources 1
About this happening:
The AsyncAPI npm publishing pipeline was compromised in a July 14 supply-chain attack that used the project’s normal GitHub Actions release path to publish trojani...
AsyncAPI repositories and npm publishing workflow hit by network compromise
IncidentAbout this happening: The AsyncAPI npm publishing pipeline was compromised in a July 14 supply-chain attack that used the project’s normal GitHub Actions release path to publish trojani...
Jscrambler hit by network compromise
Incident
H score15
First: 13.07.2026 22:44
Last: 13.07.2026 22:44
Sources 1
About this happening:
The Jscrambler npm package suffered an unauthorized publication of a malicious version that exposed developers to infostealer theft risk. The bad release stayed li...
Jscrambler hit by network compromise
IncidentAbout this happening: The Jscrambler npm package suffered an unauthorized publication of a malicious version that exposed developers to infostealer theft risk. The bad release stayed li...
Jscrambler 8.14.0 malicious preinstall infostealer release
Malware Activity
H score9
First: 11.07.2026 20:59
Last: 11.07.2026 20:59
Sources 1
About this happening:
The jscrambler 8.14.0 npm release now ships a malicious preinstall hook that runs a Rust infostealer during install, putting developer and CI secrets at risk on ...
Jscrambler 8.14.0 malicious preinstall infostealer release
Malware ActivityAbout this happening: The jscrambler 8.14.0 npm release now ships a malicious preinstall hook that runs a Rust infostealer during install, putting developer and CI secrets at risk on ...
Timeline
-
04.06.2026 18:25 3 articles · 1mo ago
IronWorm infects 36 npm packages
Initial DisclosureA supply-chain attack infected 36 npm packages with IronWorm, a Rust-based infostealer that hides behind an eBPF kernel rootkit, communicates over Tor, and targets 86 environment variables and 20 credential files that may hold OpenAI, AWS, Anthropic, npm, SSH, vault, and Exodus wallet secrets. The malware can self-propagate by abusing stolen npm publishing credentials, including Trusted Publishing secrets, to publish trojanized package versions that can reach additional developers and CI systems; Ox Security says the activity was detected very early and stopped before it spread to more popular packages, with guidance to upgrade to fixed releases, rotate keys, and enable 2FA.
Show sources
- New IronWorm malware hits 36 packages in npm supply-chain attack — www.bleepingcomputer.com — 04.06.2026 18:25
- New IronWorm malware hits 36 packages in npm supply-chain attack — www.bleepingcomputer.com — 04.06.2026 18:25
- IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks — thehackernews.com — 05.06.2026 21:05