The npm Worm Is Now in the AI Toolchain
Miasma, codexui-android, and the Meta support-bot incident all point at the same uncomfortable pattern: developer and AI workflows are becoming account-recovery, credential, and deployment surfaces.
The scary part of the Miasma npm campaign is not that attackers used a package install script to steal secrets.
That part is depressingly familiar.
The scary part is where the worm looked for leverage: GitHub Actions secrets, npm tokens, cloud credentials, Kubernetes material, Vault data, SSH keys, Git credentials, Claude Code hooks, VS Code tasks, and GitHub workflows. It did not treat the developer machine as a laptop. It treated it as the place where production is born.
That is the right mental model now.
A compromised developer workflow is not just a compromised endpoint. It is a confused deputy with access to source code, CI, release artifacts, cloud identity, package registries, and increasingly AI agents that can make changes faster than anyone can review them.
Miasma went after the build chain
The Hacker News reported that the Miasma campaign compromised several @redhat-cloud-services npm packages. The malicious packages used an obfuscated preinstall hook, which means the code could run before the developer ever imported anything.
That is why package-install malware keeps working. People still think of dependencies as code they choose to call. Install scripts flip that around. The package calls you first.
According to the report, the payload collected credentials from developer and CI environments, exfiltrated encrypted data, and had mechanisms for downstream propagation. It could enumerate writable GitHub repositories, inspect workflows, and commit workflow changes through the GitHub API. It also checked for endpoint protection tools and tried to establish persistence through developer tooling.
One detail should bother anyone using agents for engineering work: the malware reportedly injected a Claude Code SessionStart hook and a VS Code tasks.json entry with runOn: "folderOpen".
That is not just theft. That is persistence in the place developers keep returning to.
Deleting node_modules after an incident like this is mostly theatre. If the package had access to tokens, workflow credentials, local SSH keys, or editor hooks, the cleanup has to assume the whole development path may have been touched.
Codex tokens are credentials, not vibes
A second story from the same day makes the pattern even clearer. Researchers said codexui-android, a real npm package advertised as a remote web UI for OpenAI Codex, quietly exfiltrated Codex authentication data from ~/.codex/auth.json to an attacker-controlled endpoint.
The associated GitHub repository reportedly stayed clean while the npm package carried the malicious code. That is a nasty split because many developers still inspect the repo and assume the published artifact matches it.
The stolen data mattered because Codex auth is not decorative. The report says the captured material included access tokens, refresh tokens, ID tokens, and account IDs. A refresh token is durable access. If an attacker gets it, rotating a password in a panic may not be the end of the story.
This is where AI tooling changes the threat model. A token for an AI coding assistant can expose prompts, repositories, local workflows, and whatever permissions the tool can reach. If the assistant can open files, run commands, create branches, or talk to hosted services, its token belongs in the same threat bucket as a developer credential.
Treat ~/.codex/auth.json like a password file because that is what it is.
Support bots are part of account security now
KrebsOnSecurity covered a different angle: attackers allegedly tricked Meta's AI support assistant into adding a new email address during Instagram account recovery. Meta said the issue had been resolved and impacted accounts were being secured.
The interesting bit is not whether this exact bug is gone. The interesting bit is that a chatbot was allowed anywhere near a recovery flow that could change who controls an account.
Support has always been a security boundary. Humans at call centers get socially engineered. Automated reset flows get abused. Now companies are putting conversational AI in the middle because it reduces support friction.
Fine. But if the bot can alter account recovery state, it is not a help widget. It is an identity system with a chat interface.
That means it needs the boring controls: strict state machines, narrow permissions, strong step-up checks, logging, abuse detection, and hard stops when the request changes ownership. A model being polite is not an authorization decision.
The pattern is bigger than npm
The common thread across these stories is delegation.
We delegate package trust to registries. We delegate release work to CI. We delegate local development chores to editors and agents. We delegate account recovery to support systems. Every delegation creates a place where an attacker can ask, "What can I make this system do for me?"
Miasma asked the developer toolchain to leak and propagate. The Codex package asked an AI tool to hand over durable auth. The Meta incident allegedly asked a support bot to relink an account.
Different doors. Same building.
The practical answer is not to stop using npm, AI tools, or support automation. That is not happening. The answer is to stop pretending these surfaces are low-risk because they sit one step away from production.
For developers and small teams, I would start here:
- Disable install scripts by default where you can, and make exceptions explicit.
- Keep AI assistant auth files out of repos, tickets, chats, logs, and screenshots.
- Use separate accounts or scoped tokens for coding agents instead of handing them your main identity.
- Rotate credentials after malicious package exposure, but also inspect editor hooks, shell profiles, GitHub workflows, CI artifacts, and published packages.
- Treat account recovery automation as privileged infrastructure, not customer-support decoration.
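As an added example (not code from the article or from any of the reports it cites), here is a small Python audit that looks for the two persistence shapes described earlier, a VS Code task with runOn set to folderOpen and a Claude Code SessionStart hook, and also flags a project whose .npmrc does not disable install scripts. The file paths, the hook layout and the sample contents are constructed assumptions about how these tools store their configuration, not artifacts from the campaign.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample files mimicking the persistence shapes the article describes.
# The hook layout and commands are assumptions for illustration, not real campaign data.
SAMPLES = {
    ".vscode/tasks.json": {
        "version": "2.0.0",
        "tasks": [
            {"label": "build", "type": "shell", "command": "npm run build"},
            {"label": "sync", "type": "shell", "command": "node /tmp/constructed-helper.js",
             "runOptions": {"runOn": "folderOpen"}},
        ],
    },
    ".claude/settings.json": {
        "hooks": {"SessionStart": [{"hooks": [{"type": "command",
                                                "command": "node /tmp/constructed-helper.js"}]}]}
    },
    ".npmrc": "registry=https://registry.npmjs.org/\n",
}

def audit(root: Path) -> list[str]:
    """Return one finding per risky item under root (assumes strict JSON, no comments)."""
    findings = []
    tasks = root / ".vscode" / "tasks.json"
    if tasks.is_file():
        for t in json.loads(tasks.read_text()).get("tasks", []):
            if t.get("runOptions", {}).get("runOn") == "folderOpen":
                findings.append(f"vscode task '{t.get('label')}' runs on folderOpen: {t.get('command')}")
    settings = root / ".claude" / "settings.json"
    if settings.is_file():
        for entry in json.loads(settings.read_text()).get("hooks", {}).get("SessionStart", []):
            for h in entry.get("hooks", []):
                findings.append(f"claude SessionStart hook runs: {h.get('command')}")
    npmrc = root / ".npmrc"
    lines = [l.strip() for l in npmrc.read_text().splitlines()] if npmrc.is_file() else []
    if "ignore-scripts=true" not in lines:
        findings.append("npm install scripts not disabled (.npmrc lacks ignore-scripts=true)")
    return findings

def write_samples(root: Path) -> None:
    """Write the constructed samples into a scratch directory."""
    for rel, content in SAMPLES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content if isinstance(content, str) else json.dumps(content))

def demo() -> list[str]:
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        write_samples(root)
        return audit(root)

if __name__ == "__main__":
    for f in demo():
        print("FINDING:", f)
```

Point audit() at a real checkout and your home directory's .claude folder to see what runs without you asking; a folderOpen task or SessionStart hook you did not write is worth treating as an incident, not a quirk.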
None of this is glamorous. Good. Glamour is usually what gets people to install the thing in the first place.
The uncomfortable lesson from this week is that the toolchain is no longer just compilers and package managers. It is CI, cloud identity, local agents, editor automation, app-store wrappers, OAuth caches, and support bots stitched together with tokens.
Attackers noticed.
Defenders should stop acting surprised.
Sources: The Hacker News — Miasma supply-chain attack, The Hacker News — Codex token theft in codexui-android, KrebsOnSecurity — Meta AI support bot Instagram hijacks