
Malware Worms Infect npm Ecosystem in Dual Supply Chain Attacks

"scrapes every secret it can find on a developer's machine, hides behind an eBPF kernel rootkit, and answers to its operator over Tor." — JFrog

IronWorm: a Rust stealer that self-replicates through npm

Security researchers at JFrog have named a new malware strain IronWorm: a Rust-based information stealer published to the npm registry inside trojanized packages. The malicious binary is executed via a preinstall hook in packages from a compromised npm account named "asteroiddao," and the payload is engineered both to harvest secrets and to publish poisoned packages that spread the infection.

JFrog said IronWorm "scrapes every secret it can find on a developer's machine" and communicates with operators via Tor. The stealer targets 86 environment variables and a sweeping list of credential sources and files, including configurations and credentials associated with OpenAI Codex, Anthropic, Claude, Google Gemini, Cursor, Amazon Web Services (AWS), Docker, Kubernetes, npm, vault configurations, and Exodus cryptocurrency wallet files. The malware contains logic to skip the threat actor's own wallet; JFrog noted the cryptocurrency wallet is empty and no transactions have been recorded.

IronWorm also uses stolen credentials to propagate, drawing comparisons to the Shai-Hulud worm. The campaign produced malicious commits across nine GitHub organizations under the author name "claude" ("claude@users.noreply.github.com") in an effort to mimic Anthropic's chatbot, and the malware used stolen credentials from an account named "ocrybit" to push commits that planted malware into additional packages.

Miasma worm variant: Phantom Gyp, Bun, and wide credential theft

Separately, Endor Labs and StepSecurity disclosed a large campaign serving a new Miasma worm variant that has compromised 57 npm packages across more than 286 malicious versions. This follows an earlier burst in which Miasma had infected 32 packages across more than 90 versions under the @redhat-cloud-services namespace within 72 seconds.

StepSecurity described an evasive technique it calls "Phantom Gyp": the attacker abuses a 157-byte binding.gyp file to trigger code execution during npm install, "bypassing most install-script security checks entirely," researcher Sai Likhith said. The attack chain downloads and installs the Bun JavaScript runtime and uses it to load a credential harvester tailored to a broad set of targets including AWS, Google Cloud, Microsoft Azure, HashiCorp Vault, Docker, Kubernetes, GitHub Actions, npm, RubyGems, PyPI, SSH, password managers, and AI assistants.

StepSecurity and Microsoft described cross-platform operation: Microsoft said the payload "operated across Linux, macOS, and Windows by dynamically downloading the correct Bun runtime for each platform, although Linux CI/CD runners appeared to be the primary target." On developer systems the malware stole SSH keys, CLI credentials, browser and wallet data; in CI/CD environments it scraped GitHub Actions runner memory for secrets, escalated privileges using passwordless sudo, and republished poisoned packages with forged SLSA provenance.

Some of the affected packages named by researchers include:

  • ai-sdk-ollama
  • autotel
  • awaitly
  • eslint-plugin-awaitly
  • node-env-resolver

Techniques that bypass protections: eBPF rootkit, GitHub workflow swaps, and artifact exfiltration

Both campaigns use techniques designed to evade conventional protections. IronWorm bundles an eBPF payload that functions as a kernel-level rootkit to hide processes and frustrate analysis; JFrog noted that on systems with kernel lockdown enabled the process-hiding tricks fail and the processes and sockets become visible. IronWorm also replaces existing GitHub Actions workflows with ones that harvest secrets, write them to a benign-looking file, and upload that file as a build artifact—eliminating the need for an external command-and-control server.

Miasma's use of Phantom Gyp specifically targets the blind spots of tools that focus on lifecycle install scripts. Both campaigns leverage CI-specific flows: IronWorm abuses npm's Trusted Publishing to obtain short-lived tokens for pushing poisoned packages, while Miasma republished packages with forged SLSA provenance to continue downstream propagation.

What this means for developers, CI teams, and package maintainers

  • Developers and CI teams: Rotate credentials if you installed an affected package; Microsoft and StepSecurity reported token and memory scraping in CI runners, and researchers advise turning off install scripts and native rebuilds by default.
  • Package maintainers and open-source projects: Watch for unexpected commits authored as "claude" or other impersonations, and for unusual changes to GitHub Actions workflows or the sudden presence of binding.gyp files sized around 157 bytes.
  • Enterprise security and DevSecOps teams: Ensure packages are pinned with integrity hashes and monitor for artifacts or build uploads that could contain exfiltrated secrets, since both campaigns used artifact upload and GitHub-hosted repositories as exfiltration points.
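
The install-time checks recommended above can be run over an installed tree. The following Node.js audit is an added example, not code from the researchers cited here: it flags packages that declare lifecycle hooks and packages where a binding.gyp without an install or preinstall script makes npm run node-gyp on its own (documented npm behaviour). The 512-byte size threshold and the sample package names are assumptions made for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const HOOKS = ['preinstall', 'install', 'postinstall'];
const SMALL_GYP_BYTES = 512; // assumed threshold; the article cites a 157-byte file

// Findings for one package directory (empty array means nothing flagged).
function auditPackage(dir) {
  let scripts;
  try {
    scripts = JSON.parse(fs.readFileSync(path.join(dir, 'package.json'), 'utf8')).scripts || {};
  } catch { return []; } // no readable manifest: not a package
  const findings = HOOKS.filter((h) => scripts[h]).map((h) => `script:${h}`);
  const gyp = path.join(dir, 'binding.gyp');
  if (!fs.existsSync(gyp)) return findings;
  // binding.gyp with no install/preinstall script: npm runs "node-gyp rebuild" itself.
  if (!scripts.install && !scripts.preinstall) findings.push('implicit-gyp-rebuild');
  if (fs.statSync(gyp).size < SMALL_GYP_BYTES) findings.push('tiny-binding.gyp');
  return findings;
}

// Walk node_modules, including @scope directories and nested node_modules.
function auditTree(nodeModules, root = nodeModules, report = {}) {
  if (!fs.existsSync(nodeModules)) return report;
  for (const entry of fs.readdirSync(nodeModules, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith('.')) continue;
    const dir = path.join(nodeModules, entry.name);
    if (entry.name.startsWith('@')) { auditTree(dir, root, report); continue; }
    const findings = auditPackage(dir);
    if (findings.length) report[path.relative(root, dir).split(path.sep).join('/')] = findings;
    auditTree(path.join(dir, 'node_modules'), root, report);
  }
  return report;
}

// Constructed sample tree: benign files, hypothetical package names.
function buildSample() {
  const nm = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'audit-')), 'node_modules');
  const add = (name, scripts, gyp) => {
    fs.mkdirSync(path.join(nm, name), { recursive: true });
    fs.writeFileSync(path.join(nm, name, 'package.json'), JSON.stringify({ name, scripts }));
    if (gyp) fs.writeFileSync(path.join(nm, name, 'binding.gyp'), gyp);
  };
  add('clean-lib');
  add('hooked', { preinstall: 'node setup.js' });
  add('@scope/no-hooks', undefined, '{"targets":[{"target_name":"noop","type":"none"}]}');
  return nm;
}
console.log(auditTree(process.argv[2] || buildSample()));
```

Pass a real node_modules path as the first argument to audit a project. A flagged package is a prompt for review rather than a verdict, since legitimate native addons also ship binding.gyp files.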

Conclusion: GitHub as an adaptive C2 and open operational questions

Researchers warned the campaigns demonstrate how attackers are combining supply chain publication with trusted platforms to make network-level detection difficult. OX Security found additional Miasma stages that search GitHub commits for the string "firedalazer" to pull another payload, turning GitHub into an "adaptive C2," researchers Moshe Siman Tov Bustan and Nir Zadok said. Data exfiltration in Miasma was routed to a GitHub account "liuende501" that staged as many as 236 repositories; at the time of disclosure the account was inaccessible and it is not known whether GitHub removed it or the threat actor deleted it.

Attribution remains unclear. Red Hat said the root cause of the earlier Miasma incident was likely a compromised GitHub account used to push unauthorized commits into the RedHatInsights organization; researchers also noted overlap with the Shai-Hulud worm family but emphasized that public releases of Shai-Hulud complicate attribution.

The two campaigns together underline a simple operational fact: malicious actors are weaponizing the developer toolchain itself—npm packages, GitHub commits, Actions, and even AI-assistant configurations—to both harvest secrets and replicate. Short of eliminating those trust relationships, defenders must assume attackers will continue to innovate around lifecycle scripts, installer quirks like binding.gyp, and CI workflows.
