Supply Chain Attack: IronWorm and Miasma Worm Compromise 50+ npm Packages, Stealing Secrets via eBPF Rootkit
What Happened — Threat actors poisoned more than 50 legitimate npm packages, distributing two malicious payloads: the Rust‑based IronWorm information stealer and a self‑spreading Miasma worm. IronWorm scrapes every secret it can locate on a developer’s workstation and hides behind an eBPF kernel rootkit, while Miasma can replicate across the npm ecosystem, infecting additional packages.
Why It Matters for TPRM —
- A supply‑chain compromise of a public package registry can cascade to any downstream organization that consumes the affected modules.
- Harvested API keys, tokens, and SSH credentials enable credential‑stuffing and lateral movement against third‑party services, amplifying third‑party risk.
Who Is Affected — Technology and SaaS firms, cloud platforms, fintech companies, and any enterprise that incorporates npm packages into its software development lifecycle.
Recommended Actions — Conduct an immediate inventory of npm dependencies, enforce signed‑package verification, implement runtime monitoring for anomalous eBPF activity, and validate that your vendors maintain secure CI/CD pipelines and dependency‑checking tooling.
Technical Notes — Attack vector: third‑party dependency poisoning; exploit: malicious Rust binary with eBPF rootkit; data types exfiltrated: API keys, tokens, SSH keys, environment variables; no publicly disclosed CVE linked to the payloads. Source: The Hacker News