IronWorm + Miasma AI coding-agent injection: two supply-chain worms target cloud credentials and developer toolchains simultaneously
From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08
If you did nothing this week: any developer who cloned one of the 73 disabled Microsoft GitHub repositories and opened it in Claude Code, Cursor, Gemini CLI, or VS Code with AI extensions may have triggered malicious payload execution. Any CI/CD pipeline consuming azure-functions-action in the exposure window may have run attacker-controlled code. Any developer machine running npm packages from the affected @redhat-cloud-services or IronWorm-infected namespaces should be treated as credential-compromised.
IronWorm (disclosed by JFrog on 2026-06-03; daily 2026-06-06) is a self-propagating npm worm distributed across ~36 packages from a compromised publisher account (JFrog, 2026-06-03). Unlike the JavaScript-stager Shai-Hulud lineage, IronWorm executes a Rust ELF payload through a preinstall lifecycle hook (T1195.002), then deploys an eBPF object providing kernel-level process, socket and anti-debug concealment, hiding the implant from procfs-based enumeration and most EDR agents that rely on user-space telemetry. The command channel runs over Tor. The credential sweep targets AWS, GCP, Azure, HashiCorp Vault, Kubernetes, Docker, GitHub and npm tokens, plus the 2026 generation of AI-provider API keys (Anthropic, OpenAI, Gemini). Self-propagation reuses stolen npm Trusted Publishing credentials.
Detection: alert on node/npm/npx spawning sh/bash during preinstall/postinstall; audit bpf() syscalls from non-privileged processes via auditd; watch CI/CD egress for Tor bootstrap traffic.
Hardening: run npm install --ignore-scripts in CI, pin lockfile integrity, scope/rotate npm publish tokens.
Miasma's AI coding-agent injection (2026-06-05–06; daily 2026-06-06) planted a ~4.6 MB payload runner (4,643,745 bytes) in 73 Microsoft and Microsoft-adjacent GitHub repositories, wiring execution to workspace-config files (CLAUDE.md, .claude/commands/, .gemini/, .cursor/rules, .vscode/settings.json), so the trigger is a developer opening the repository in an AI-assisted IDE, not an npm install (StepSecurity; The Hacker News). GitHub disabled the affected repositories by June 6. StepSecurity forensics trace the entry-point account to the same contributor credentials compromised in the May 19 PyPI attack; full revocation was not confirmed (of three hypotheses, non-revocation is the most parsimonious).
Detection: treat workspace-config files from cloned repositories as untrusted data, not code, in CI/CD environments; monitor .claude/commands/, .gemini/, .cursor/rules for unexpected writes or outbound HTTP triggers; audit azure-functions-action workflows for execution in the exposure window.
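
Added example (not code from StepSecurity, GitHub or this brief's sources): a Python check that a CI job or pre-open hook could run on a fresh checkout to apply the Miasma detection guidance above. It finds the workspace-config paths named in the brief at any directory depth and reports entries that are missing from, or differ from, a reviewed baseline. The baseline format, the function names and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Workspace-config locations named in the brief (trailing "/" dropped).
AGENT_PATHS = ("CLAUDE.md", ".claude/commands", ".gemini", ".cursor/rules",
               ".vscode/settings.json")

def is_agent_config(rel_posix):
    """True if rel_posix contains an AGENT_PATHS entry as whole path components."""
    return any(f"/{p}/" in f"/{rel_posix}/" for p in AGENT_PATHS)

def audit_checkout(root, approved=None):
    """Return sorted [(path, status)] for agent-config entries not matching `approved`,
    an assumed baseline mapping relative path -> SHA-256 of reviewed content."""
    approved, root, out = approved or {}, Path(root), []
    for dirpath, dirnames, filenames in os.walk(root):  # symlinked dirs not followed
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in dirnames + filenames:
            full = Path(dirpath, name)
            rel = full.relative_to(root).as_posix()
            if not is_agent_config(rel):
                continue
            if full.is_symlink():  # never read through a link shipped in a checkout
                out.append((rel, "symlink"))
            elif full.is_file():
                digest = hashlib.sha256(full.read_bytes()).hexdigest()
                if approved.get(rel) != digest:
                    out.append((rel, "changed" if rel in approved else "unreviewed"))
    return sorted(out)

def build_sample(root):
    """Constructed sample checkout holding harmless placeholder files."""
    files = {"CLAUDE.md": b"project notes\n",
             ".claude/commands/build.md": b"run the build\n",
             "services/api/.cursor/rules/style.mdc": b"use tabs\n",
             "docs/README.md": b"not an agent file\n"}
    for rel, data in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        baseline = {"CLAUDE.md": hashlib.sha256(b"project notes\n").hexdigest()}
        for rel, status in audit_checkout(tmp, baseline):
            print(f"{status:10} {rel}")
```

A non-empty result is a reason to review the listed files as data before any AI-assisted tool opens the workspace; an empty result only means the checkout matches the baseline that was reviewed.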