Self-Propagating npm Malware Campaigns Spread via IronWorm and Shai-Hulud Packages
Security researchers reported multiple self-propagating npm supply-chain malware campaigns that used compromised maintainer accounts and poisoned package updates to infect developer and CI/CD environments. JFrog said IronWorm was distributed through 36–37 malicious npm packages republished from the compromised asteroiddao account, where preinstall hooks launched a Rust ELF payload on Linux. The malware stole credentials and secrets tied to AWS, npm, SSH, Vault, OpenAI, Anthropic, Kubernetes, and Exodus wallets, hid with an eBPF rootkit, and used Tor for command-and-control. Investigators also linked the activity to poisoned GitHub repositories across nine organizations, including backdated malicious commits attributed to spoofed automation identities such as claude, dependabot[bot], renovate[bot], and github-actions[bot].
A separate but related wave, tracked by Sonatype as Shai-Hulud "Miasma", pushed 281 malicious npm package versions and used binding.gyp with node-gyp to execute during installation, bypassing defenses that only inspect lifecycle scripts. Like IronWorm, the malware harvested developer and CI/CD secrets, validated stolen access, and republished trojanized versions of legitimate packages to continue spreading through repositories, build systems, and registries. Researchers said active exploitation was observed in the wild and warned that public impact may understate the full scope, particularly where private projects and CI runners were exposed through trusted publishing flows and compromised maintainer credentials.
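As an added illustration that is not part of the original report, the following Python script scans a node_modules tree for the two install-time execution vectors described above: lifecycle scripts such as the preinstall hook IronWorm used, and a binding.gyp file, which makes npm run node-gyp even when no install script is declared (the Miasma technique). The package names and the sample tree it builds are constructed, not real packages.

```python
import json
import os
import tempfile

# Lifecycle hooks that npm runs automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def install_vectors(manifest, pkg_dir):
    """Return install-time code-execution vectors for one package directory."""
    scripts = manifest.get("scripts") or {}
    vectors = [f"scripts.{hook}" for hook in LIFECYCLE_HOOKS if hook in scripts]
    if os.path.isfile(os.path.join(pkg_dir, "binding.gyp")):
        # With no install/preinstall script npm defaults to `node-gyp rebuild`, so a
        # binding.gyp alone runs code at install time, unseen by "scripts"-only checks.
        implicit = not ({"install", "preinstall"} & set(scripts))
        vectors.append("binding.gyp (implicit node-gyp rebuild)" if implicit else "binding.gyp")
    return vectors


def scan_tree(root):
    """Map package name -> vectors for every package.json under root (scoped ones too)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            manifest = json.load(fh)
        vectors = install_vectors(manifest, dirpath)
        if vectors:
            findings[manifest.get("name") or os.path.relpath(dirpath, root)] = vectors
    return findings


def demo():
    """Build a constructed (fake) node_modules tree covering both vectors and scan it."""
    root = tempfile.mkdtemp()
    samples = {  # name -> (package.json contents, ship a binding.gyp?)
        "clean-lib": ({"name": "clean-lib", "scripts": {"test": "jest"}}, False),
        "@acme/hooked": ({"name": "@acme/hooked", "scripts": {"preinstall": "node setup.js"}}, False),
        "gyp-only": ({"name": "gyp-only"}, True),
    }
    for name, (manifest, ship_gyp) in samples.items():
        pkg_dir = os.path.join(root, "node_modules", *name.split("/"))
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
        if ship_gyp:
            open(os.path.join(pkg_dir, "binding.gyp"), "w", encoding="utf-8").close()
    return scan_tree(root)
```

Run it against a real project with `scan_tree("path/to/node_modules")` after a `npm ci --ignore-scripts`, so nothing executes before the review.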

How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
GitHub rejects two Deep Specter reports tied to Shai-Hulud evasion
Deep Specter Research said GitHub dismissed two formal vulnerability reports concerning client-supplied commit timestamps and unverified author metadata, which researchers argue help Shai-Hulud variants backdate malicious commits and impersonate trusted developers. GitHub reportedly classified the reports as ineligible and pointed to commit signing and Vigilant Mode as mitigations.
Miasma supply-chain worm toolkit is open sourced on GitHub
Researchers said the Miasma supply-chain attack toolkit was open sourced on GitHub via repositories named "Miasma-Open-Source-Release," likely through four previously compromised developer accounts. Wiz reported the release occurred on 2026-06-08 and described Miasma as a GitHub-centric toolkit for attacking package registries, repositories, CI workflows, and related developer infrastructure.
Researchers report Miasma-linked PyPI malware in 19 Python packages
A report described a supply-chain attack on PyPI involving 37 malicious wheel files across 19 Python packages, using Python .pth startup hooks to execute malware when the interpreter initializes. The activity was linked to the Mini Shai-Hulud / Miasma lineage and used Python loaders to install the Bun runtime and run an obfuscated JavaScript payload for credential theft and exfiltration.
Researchers report a new Shai-Hulud "Miasma" wave affecting 281 npm versions
Sonatype Security Research reported a new wave of the Shai-Hulud campaign, dubbed "Miasma: The Spreading Blight," involving 281 malicious npm package versions. The variant abuses binding.gyp and node-gyp execution during npm install to steal credentials and propagate through compromised maintainer accounts, repositories, CI/CD systems, and registries.
Malicious npm versions are deprecated after discovery
After the campaign was discovered, the malicious npm package versions were deprecated. No CVE or vendor patch was issued because the incident involved intentional malicious package compromise rather than a software vulnerability.
JFrog confirms IronWorm active exploitation in the wild
JFrog reported that IronWorm was actively exploiting developer and CI environments, stealing credentials, deploying an eBPF rootkit for stealth, and communicating over Tor. The malware was also found capable of self-propagation by abusing npm Trusted Publishing OIDC flows on CI runners without requiring stored npm tokens.
Malicious backdated commits are pushed to GitHub organizations
The attackers poisoned GitHub repositories across nine organizations with backdated malicious commits using spoofed automation identities including claude, dependabot[bot], renovate[bot], and github-actions[bot]. JFrog observed 14 confirmed malicious commits publicly and 57 backdated malicious commits in total across the compromised organizations.
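The backdated-commit and spoofed-identity signals described in the GitHub report rejection and the nine-organization poisoning above, as an added triage check that is not part of the original coverage: it reads git log lines in an assumed `%H|%an|%ae|%at|%ct|%G?` format and flags automation-named authors lacking a verified signature, plus commits whose committer date predates, by more than a tolerance, the time the ref was actually observed receiving them. The sample commits, SHAs, e-mail addresses and push time are constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumed input shape: git log --format='%H|%an|%ae|%at|%ct|%G?'
# %G? is "G" only for a good, trusted signature; N/U/B/E/... count as not verified.
AUTOMATION_IDENTITIES = {"claude", "dependabot[bot]", "renovate[bot]", "github-actions[bot]"}
# How far a commit may claim to predate its push before it is treated as backdated.
BACKDATE_TOLERANCE = timedelta(days=2)


def _utc(ts):
    return datetime.fromtimestamp(int(ts), timezone.utc)


def parse_log_line(line):
    """Turn one formatted git log line into a dict with UTC datetimes."""
    sha, author, email, author_ts, commit_ts, sig = line.strip().split("|")
    return {"sha": sha, "author": author, "email": email, "signature": sig,
            "author_date": _utc(author_ts), "commit_date": _utc(commit_ts)}


def triage(commit, first_seen):
    """Reasons a commit deserves review. first_seen is when the ref was observed
    receiving it (reflog, push event or audit log), a time the commit itself cannot forge."""
    reasons = []
    if commit["author"] in AUTOMATION_IDENTITIES and commit["signature"] != "G":
        reasons.append("automation identity without a verified signature")
    lag = first_seen - commit["commit_date"]
    if lag > BACKDATE_TOLERANCE:
        reasons.append(f"committer date {lag.days} days before the push")
    return reasons


def demo():
    """Constructed sample (fake SHAs and addresses) pushed at 2026-06-03T12:00Z."""
    push = datetime(2026, 6, 3, 12, 0, tzinfo=timezone.utc)
    fresh = int((push - timedelta(hours=1)).timestamp())
    stale = int((push - timedelta(days=90)).timestamp())
    lines = [
        f"aaaa1111|Jane Dev|jane@example.invalid|{fresh}|{fresh}|G",
        f"bbbb2222|dependabot[bot]|noreply@example.invalid|{stale}|{stale}|N",
        f"cccc3333|github-actions[bot]|noreply@example.invalid|{fresh}|{fresh}|G",
    ]
    return {c["sha"]: triage(c, push) for c in map(parse_log_line, lines)}
```

Legitimate automation commits can also be unsigned, so treat the identity signal as a triage priority to combine with the push-time comparison rather than as a verdict on its own.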
Asteroiddao npm account is compromised and malicious packages are published
The IronWorm campaign began from a compromised npm account named "asteroiddao," which was used to republish dozens of malicious package versions that executed a Rust ELF payload via npm preinstall hooks. Reports describe 36 to 37 malicious packages tied to this compromise.
Ox Security says IronWorm campaign was detected early and contained
Ox Security stated that the IronWorm activity was detected early and contained before it spread into more popular npm packages. This assessment was reported alongside broader analysis of the campaign's propagation methods and credential theft behavior.
GitHub disables 73 repositories compromised in Miasma campaign
During the June 3, 2026 Miasma campaign, GitHub reportedly disabled 73 compromised repositories within 105 seconds of detection, including 49 associated with Microsoft, Azure, and Azure-Samples. The action followed attackers' use of stolen GitHub personal access tokens and backdated commits to plant malicious files that abused developer tooling and AI coding agent workflows.
StepSecurity reports Phantom Gyp wave hitting 57 npm packages
StepSecurity reported that on 2026-06-03 a "Phantom Gyp" supply-chain attack compromised 57 npm packages across more than 286 malicious versions, including packages such as @vapi-ai/server-sdk and ai-sdk-ollama. The campaign used binding.gyp execution during npm install, exfiltrated secrets to attacker-controlled GitHub repositories under liuende501, and republished packages with forged SLSA provenance and Sigstore signing while also planting AI assistant backdoor files.
Sources
17 references tracked; the 8 listed below are the ones visible on this page.
GitHub dismissed security reports on flaws now exploited by supply-chain worm, researchers say (malware.news)
GitHub dismissed security reports on flaws now exploited by supply-chain worm, researchers say, The Record from Recorded Future News (therecord.media)
New IronWorm worm attacks 36 npm packages, Хакер (xakep.ru)
Miasma supply-chain attack toolkit goes public on GitHub (theregister.com)
npm Supply Chain Worm IronWorm: Rust, eBPF Rootkit, Tor C2 (phoenix.security)
Rust-Written IronWorm Hits NPM Supply Chain (darkreading.com)
New IronWorm malware hits 36 packages in npm supply-chain attack (bleepingcomputer.com)
IronWorm: Shai-Hulud's rustier cousin, JFrog Security Research (research.jfrog.com)