IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks
ID: 124c14f9-cb8a-5fca-81ce-1e1dc7e6b932
STIX ID: report--124c14f9-cb8a-5fca-81ce-1e1dc7e6b932
Feed Name: The Hacker News
Multiple coordinated software supply-chain attacks have targeted the npm ecosystem. IronWorm is a Rust-based infostealer that hides behind an eBPF kernel rootkit and self-propagates via trojanized packages and GitHub commits. A Miasma worm variant abuses a binding.gyp 'Phantom Gyp' trick and the Bun runtime to harvest credentials and inject persistent backdoors. The campaigns compromised npm/GitHub accounts, abused CI/trusted publishing flows to push poisoned package versions across dozens of packages and hundreds of versions, exfiltrated secrets to GitHub, and employed techniques that make detection and analysis difficult. Developers are advised to rotate credentials, disable install scripts/native rebuilds, and pin packages with integrity hashes.
