Worms Steal Cloud Keys, AI Secrets via npm Packages
Summary
Self-replicating worms have made a significant return, stealing cloud keys and AI secrets. Cybersecurity insiders report that two worms, Miasma and IronWorm, emerged in the first week of June 2026.

Attackers compromised a Red Hat employee's GitHub account. They then used it to publish malicious versions of 32 widely downloaded npm packages. The Miasma worm embedded in these packages executed instantly when "npm install" ran, using a preinstall hook. This worm swept GitHub tokens, cloud credentials, and CI/CD secrets. It then used stolen OIDC tokens to republish itself across other packages. The entire Red Hat compromise took just 72 seconds. By June 5, Miasma reached Microsoft, leading GitHub to disable 73 repositories. A new variant has since hit 57 packages across 286 malicious versions.

In parallel, IronWorm, a Rust-built stealer, spread through over 50 poisoned packages. It uses custom modifications and an embedded eBPF rootkit for persistence, designed to evade detection.

The key issue is that these worms ran before scanners or detection tools could react. This timing problem highlights a structural breakdown in the industry's defensive model. This matters because it means current security tools are often too late to prevent these sophisticated attacks.
This is an AI-generated audio summary. Always check the original source for complete reporting.