Cybersecurity researchers have discovered multiple malware attacks targeting npm, a massive library of software code that developers use to build applications. These attacks represent a serious threat to the entire software supply chain—the network of tools and code that companies depend on to create software.
The first attack involved malware called IronWorm, which compromised 36 different software packages on npm. A second attack used a malware variant called Miasma Worm, which hit 73 repositories on Microsoft's GitHub platform. Another version of Miasma specifically targeted Red Hat npm packages, stealing login credentials from developers who used the code.
In a separate but related incident, attackers compromised a package called codexui-android on npm and stole authentication tokens from OpenAI Codex, a tool that helps developers write computer code more easily. These tokens are digital keys that grant access to important accounts, making them valuable targets for criminals.
The attacks work by hiding malicious code inside legitimate-looking software packages. Developers download these packages thinking they're getting helpful tools, but they're actually installing malware onto their computers or systems. Once installed, the malware can steal passwords, access credentials, and other sensitive information.
Supply-chain attacks like these are particularly dangerous because they target the foundation of how software gets built. When attackers compromise popular libraries that thousands of companies use, the damage spreads quickly. Each developer or company that downloads an infected package becomes a potential victim.
Security researchers caught these attacks by analyzing suspicious activity in the packages and discovering the hidden malicious code. They identified patterns showing how the malware collected and transmitted stolen information. The discovery triggered alerts to developers using the affected packages, warning them to stop using the compromised code immediately.
Companies and individual developers are now working to remove the infected packages from their systems. Security experts recommend that anyone using npm packages review their code carefully and update their security practices. This includes using strong passwords, enabling additional security layers on accounts, and monitoring for unauthorized access.
These incidents highlight growing concerns about the security of open-source software—free code that developers share publicly. While open-source tools offer many benefits, they can also become targets for attackers looking to reach large numbers of developers at once. The cybersecurity community continues working to improve protections for these widely-used software libraries.