MEDIUMSupply Chain
Global

IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks

·Source: The Hacker News

Updated:

Executive Summary

Multiple software supply chain attacks have hit the npm ecosystem, with threat actors using both malicious and poisoned versions of over 50 legitimate packages to distribute a Rust-based information stealer and a self-spreading worm, respectively. According to JFrog, the information stealer "scrapes every secret it can find on a developer's machine, hides behind an eBPF kernel rootkit, and

Analysis

Multiple software supply chain attacks have hit the npm ecosystem, with threat actors using both malicious and poisoned versions of over 50 legitimate packages to distribute a Rust-based information stealer and a self-spreading worm, respectively. According to JFrog, the information stealer "scrapes every secret it can find on a developer's machine, hides behind an eBPF kernel rootkit, and
Source Attribution

Originally published by The Hacker News on Jun 5, 2026.

Related Threats

MEDIUMSupply Chain

From SBOMs to AI BOMs: Why SPDX 3.0 Matters

<div class="hs-featured-image-wrapper"> <a href="https://www.sonatype.com/blog/from-sboms-to-ai-boms-why-spdx-3.0-matters" title="" class="hs-featured-image-link"> <img src="https://www.sonatype.com/hubfs/blog_ai_bom.png" alt="Image of a hexagon at center containing a checkmark icon" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </d

Sonatype (Maven/npm)
MEDIUMSupply Chain

Miasma Supply Chain Worm Burrows Into 73 Microsoft Repositories

The attacks stemmed from a GitHub account that was also compromised in a previous Miasmi attack on Microsoft last month.

Dark Reading
MEDIUMSupply Chain

Over 100 NPM, PyPI Packages Hit in New Shai-Hulud Supply Chain Attacks

The most recent variants of the self-propagating attacks are named Miasma and Hades. The post Over 100 NPM, PyPI Packages Hit in New Shai-Hulud Supply Chain Attacks appeared first on SecurityWeek .

SecurityWeek