npm Supply Chain Attacks Unleash Rust Stealer and Self-Spreading Worm

Multiple software supply chain attacks have hit the npm ecosystem, with threat actors using malicious and poisoned packages to distribute a Rust-based information stealer, which hides behind an eBPF kernel rootkit, and a self-spreading worm.

The npm ecosystem has been hit by a wave of software supply chain attacks. Threat actors are using both malicious and poisoned versions of over 50 legitimate packages to distribute dangerous payloads. One is a Rust-based information stealer, and the other is a self-spreading worm. According to JFrog, the information stealer scrapes every secret it can find on a developer's machine. It hides behind an eBPF kernel rootkit, making detection tough. This is a serious wake-up call for anyone using npm packages.

### What's Happening in npm?

These attacks are not just random. They're targeted. The threat actors are injecting malicious code into packages that look legitimate. Developers download them thinking they're safe. But once installed, the malware activates.

The Rust-based stealer is particularly nasty. It collects credentials, API keys, and other sensitive data. It then sends that data back to the attackers. The eBPF rootkit helps it stay hidden, even from advanced security tools.

The worm variant spreads on its own. It doesn't need a developer to download a malicious package. It can move through networks, infecting other machines. This makes it a serious threat for organizations.

![Visual representation of npm Supply Chain Attacks Unleash Rust Stealer and Self-Spreading Worm](https://ppiumdjsoymgaodrkgga.supabase.co/storage/v1/object/public/etsygeeks-blog-images/domainblog-7b9cf347-4afd-4fb0-bfef-fdcf130cf504-inline-1-1780914739608.webp)

### How Developers Are Affected

If you're a developer using npm, you need to be careful. These attacks can compromise your entire development environment. Your secrets could be stolen. Your projects could be infected.

Here are some key concerns:

- Stolen credentials can lead to account takeovers.
- API keys can be used to access cloud services.
- Source code can be exfiltrated.
- The worm can spread to production servers.

### Staying Safe

There are steps you can take.

First, always verify the packages you download. Check their source and review their code if possible. Use tools that scan for vulnerabilities.

Second, limit the permissions your development environment has. Don't run `npm install` as root. Use containers or virtual machines to isolate your work.

Third, monitor for unusual activity. If a package suddenly updates with new code, be suspicious. Keep your dependencies up to date, but verify updates before applying them.

### The Bigger Picture

Supply chain attacks are becoming more common. This isn't just an npm problem. It's a software industry issue. Attackers are finding it easier to target developers than to break into systems directly.

The use of Rust for malware is also notable. Rust is known for its performance and safety. But attackers are using it to create efficient, hard-to-detect malware. This trend is likely to continue.

### What This Means for You

If you work with npm, you're on the front lines. These attacks are designed to exploit trust. Developers trust packages to be safe. Attackers are abusing that trust.

The best defense is awareness. Stay informed about the latest threats. Use security tools. And always question what you download. In a world where software is built on open-source components, we all have a role to play in security. Don't be the weak link. Protect your machine, your secrets, and your projects.
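The "verify updates before applying them" step under Staying Safe, as an added example that is not from the article or from JFrog: a Python script that diffs two `package-lock.json` files and flags version bumps, newly added packages, integrity hashes that changed without a version change, and packages that newly declare an npm install-time script (npm records this as `hasInstallScript` in the lockfile). Both lockfiles are constructed samples with placeholder integrity strings.

```python
# Diff two package-lock.json files before accepting a dependency update.
# Added example, not code from the article or from JFrog. The lockfiles below
# are constructed samples; the integrity strings are placeholders, not real hashes.
import json

OLD_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-OLDHASH"},
    "node_modules/chalk": {"version": "4.1.2", "integrity": "sha512-CHALK412"},
}})
NEW_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    # same version but a different tarball hash: the published artifact changed
    "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-NEWHASH"},
    # version bump that also introduced a lifecycle (install-time) script
    "node_modules/chalk": {"version": "4.1.3", "integrity": "sha512-CHALK413",
                           "hasInstallScript": True},
    # brand-new transitive dependency that runs code on install
    "node_modules/chalk/node_modules/helper-pkg": {"version": "0.0.1",
                           "integrity": "sha512-HELP", "hasInstallScript": True},
}})


def _deps(lock_text):
    """Map node_modules path -> metadata, skipping the root project entry."""
    return {p: m for p, m in json.loads(lock_text)["packages"].items() if p}


def review_lock_update(old_text, new_text):
    """Return (package, finding, detail) tuples a reviewer should look at."""
    old, new = _deps(old_text), _deps(new_text)
    findings = []
    for path, meta in sorted(new.items()):
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested and @scoped paths
        prev = old.get(path)
        if prev is None:
            findings.append((name, "added", meta["version"]))
        elif prev["version"] != meta["version"]:
            findings.append((name, "version-changed", f'{prev["version"]} -> {meta["version"]}'))
        elif prev.get("integrity") != meta.get("integrity"):
            findings.append((name, "integrity-changed-same-version", meta["version"]))
        # npm sets hasInstallScript when a package declares preinstall/install/postinstall
        if meta.get("hasInstallScript") and not (prev or {}).get("hasInstallScript"):
            findings.append((name, "install-script-introduced", meta["version"]))
    for path in sorted(set(old) - set(new)):
        findings.append((path.rsplit("node_modules/", 1)[-1], "removed", old[path]["version"]))
    return findings


if __name__ == "__main__":
    for pkg, kind, detail in review_lock_update(OLD_LOCK, NEW_LOCK):
        print(f"{kind:32} {pkg} {detail}")
```

In a CI check, feed it the committed lockfile (for example `git show HEAD:package-lock.json`) and the updated one, and have a human read each finding before the update is merged.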