npm Ecosystem: Attacks with IronWorm and Miasma Variant Uncovered

In brief: Attackers use manipulated npm packages to inject malware with kernel rootkit components into developer machines.

Over 50 legitimate npm packages were compromised or poisoned to distribute a Rust-based information stealer and a self-propagating worm. JFrog has analyzed the campaign and describes a rootkit-based threat scenario.

Multiple attacks on the npm supply chain have destabilized developer ecosystems. Threat actors have both injected malicious code into legitimate packages and distributed poisoned versions, over 50 packages in total. The packages delivered a Rust-based information stealer and a self-propagating worm called Miasma.

According to JFrog’s analysis, the information stealer extracts secrets and credentials from developer machines and conceals itself behind an eBPF kernel rootkit. This technique significantly complicates detection and removal, as the rootkit operates at kernel level and is difficult for typical security tools to identify. The worm component (Miasma variant) enables independent propagation to additional systems and other dependencies.

For CTOs and security teams, this represents a multi-layered risk: compromised developer credentials can lead to lateral movement within the organization's own infrastructure; a kernel rootkit grants attackers deep persistence; and the self-propagation mechanism amplifies the risk of spread across the entire supply chain. Affected organizations should review npm dependencies, scan developer machines for suspicious processes and eBPF rootkit signatures, and audit their secret management and access control for anomalies.


Source: thehackernews.com · Published June 5, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.
