HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Supply Chain Attack: IronWorm and Miasma Worm Compromise 50+ npm Packages, Stealing Secrets via eBPF Rootkit

Threat actors poisoned over 50 npm packages, delivering the IronWorm Rust information stealer and the self‑spreading Miasma worm. The stealer harvests developer secrets and hides behind an eBPF rootkit, while the worm propagates across the ecosystem, creating widespread third‑party risk for any organization that consumes the compromised modules.

LiveThreat™ Intelligence · 📅 June 06, 2026· 📰 thehackernews.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
4 recommended
📰
Source
thehackernews.com

Supply Chain Attack: IronWorm and Miasma Worm Compromise 50+ npm Packages, Stealing Secrets via eBPF Rootkit

What Happened — Threat actors poisoned more than 50 legitimate npm packages, distributing two malicious payloads: the Rust‑based IronWorm information stealer and a self‑spreading Miasma worm. IronWorm scrapes every secret it can locate on a developer’s workstation and hides behind an eBPF kernel rootkit, while Miasma can replicate across the npm ecosystem, infecting additional packages.

Why It Matters for TPRM

  • A supply‑chain compromise of a public package registry can cascade to any downstream organization that consumes the affected modules.
  • Harvested API keys, tokens, and SSH credentials enable credential‑stuffing and lateral movement against third‑party services, amplifying third‑party risk.

Who Is Affected — Technology and SaaS firms, cloud platforms, fintech companies, and any enterprise that incorporates npm packages into its software development lifecycle.

Recommended Actions — Conduct an immediate inventory of npm dependencies, enforce signed‑package verification, implement runtime monitoring for anomalous eBPF activity, and validate that your vendors maintain secure CI/CD pipelines and dependency‑checking tooling.

Technical Notes — Attack vector: third‑party dependency poisoning; exploit: malicious Rust binary with eBPF rootkit; data types exfiltrated: API keys, tokens, SSH keys, environment variables; no publicly disclosed CVE linked to the payloads. Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/06/ironworm-and-new-miasma-worm-variant.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

This is the scenario continuous vendor monitoring is built to catch.

When a vendor is compromised, your SOC 2 vendor-management controls are what produce the audit trail showing you knew, assessed, and acted. The Verisq AI Trust Operations platform tracks that continuously.

Explore the Verisq AI Trust Operations platform →