Hackers launched coordinated supply chain attacks against popular software repositories, infecting dozens of packages that developers rely on to build applications. The attacks involved multiple malware variants, including IronWorm and new versions of the Miasma worm, targeting both npm and Microsoft GitHub platforms.
The IronWorm malware compromised at least 36 packages in the npm supply chain attack. npm is a massive repository where developers share reusable code to build software applications more quickly. When hackers poison packages in these repositories, their malware can spread to thousands of projects that download and use the infected code.
The Miasma worm proved even more widespread, hitting 73 Microsoft GitHub repositories in a separate major supply chain attack. GitHub is one of the world's largest platforms where developers store and collaborate on code projects. The Miasma worm variant also specifically targeted Red Hat npm packages, stealing credentials from systems that downloaded the infected software.
Credential theft represents one of the most dangerous aspects of these attacks. When malware steals authentication tokens and passwords, attackers gain direct access to developers' accounts and systems. This enables further infiltration and expansion of the attack.
One particularly concerning attack involved the codexui-android package, which was compromised in an npm supply chain attack that stole OpenAI Codex authentication tokens. These tokens provide access to OpenAI's powerful code-generation tools, which attackers could abuse or resell.
Supply chain attacks work differently than traditional hacking. Instead of targeting companies directly, attackers compromise trusted software that many organizations use. When developers unknowingly download poisoned packages, malware enters their systems automatically. This approach allows hackers to affect thousands of victims with a single attack.
The frequency of these attacks highlights growing vulnerabilities in how software gets developed and distributed. Millions of developers worldwide depend on package repositories like npm to access pre-written code components. However, security monitoring of these repositories remains inconsistent, creating opportunities for malicious code to slip through.
These recent attacks affected multiple software ecosystems and stole valuable credentials and authentication tokens. Organizations that use npm packages or GitHub repositories should review their security practices and monitor their systems for suspicious activity. Developers are advised to check whether their projects depend on any compromised packages and update immediately to clean versions when available.