
IronWorm malware infects 36 npm packages via stolen credentials

IronWorm npm – A new supply-chain attack has pushed IronWorm infostealer malware into 36 npm packages. Written in Rust, it targets 86 environment variables and 20 credential files, hides as an eBPF kernel rootkit, and uses Tor for operator communication. The campaign leverag

For anyone who trusts npm downloads to be boring, this one lands hard: a fresh supply-chain attack has infected 36 packages on the npm index with infostealer malware called IronWorm.

The malware is designed to go after high-value data quickly. It targets 86 environment variables and 20 credential files that may contain OpenAI, AWS, Anthropic, and npm credentials. It also looks for vault configuration files, SSH keys, and Exodus cryptocurrency wallet files.

JFrog researchers say IronWorm is written in Rust and hides behind an eBPF kernel rootkit. Communication with the operator runs over the Tor network. And once it compromises a developer or CI environment, it doesn’t just steal: it can also publish trojanized versions of packages owned by the victim. Those altered packages then infect additional developers and CI systems.

The way it spreads is built around one brutal idea: stolen credentials. IronWorm self-propagates by using credentials taken from the compromised environment to publish packages on npm. That includes secrets tied to npm’s Trusted Publishing workflow.

There’s also a timing trick in play. JFrog says the latest attack started from a compromised account named “asteroiddao,” which published package versions containing a Rust ELF binary executed via “preinstall,” pushing malicious commits into repositories. The commit author appears as “claude,” and the timestamps point to several years ago (up to 13 years in some cases) despite the packages having been pushed in the past few days. The goal is clear: make investigation harder by blending into older-looking history.
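The backdated commits described above leave a detectable trace: the author date is decades older than the committer date, and history runs backwards relative to the parent commit. The following is an added example (not code from JFrog) that flags such commits from `git log --format='%H|%an|%at|%ct'` output; the log lines and hashes are constructed.

```python
# Flag backdated commits in a linear git history. Added example, not from the
# JFrog report. Input format is `git log --format='%H|%an|%at|%ct'` (newest
# first); SAMPLE_LOG below is constructed.
SAMPLE_LOG = """\
a1b2c3d4|claude|1356998400|1767225600
e5f6a7b8|maintainer|1767139200|1767139200
c9d0e1f2|maintainer|1764547200|1764547200
"""

def parse_log(text):
    """Parse one commit per line into dicts; git prints newest first."""
    rows = []
    for line in text.strip().splitlines():
        h, author, at, ct = line.split("|")
        rows.append({"hash": h, "author": author,
                     "author_ts": int(at), "commit_ts": int(ct)})
    return rows

def find_backdated(rows, max_skew_days=30):
    """Return (hash, author, reasons) for commits whose author date looks forged.

    Two signals: the author date is far older than the committer date on the
    same commit, or it precedes the parent commit's author date (history
    running backwards). Rebases and cherry-picks can trigger the first signal,
    so treat hits as leads for review, not proof.
    """
    skew = max_skew_days * 86400
    flagged = []
    for i, c in enumerate(rows):
        reasons = []
        gap = c["commit_ts"] - c["author_ts"]
        if gap > skew:
            reasons.append("author date %d days before committer date" % (gap // 86400))
        parent = rows[i + 1] if i + 1 < len(rows) else None
        if parent and c["author_ts"] < parent["author_ts"]:
            reasons.append("author date precedes parent commit")
        if reasons:
            flagged.append((c["hash"], c["author"], reasons))
    return flagged

if __name__ == "__main__":
    for h, author, reasons in find_backdated(parse_log(SAMPLE_LOG)):
        print(h, author, "; ".join(reasons))
```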


The delivery mechanism contains a quiet kind of audacity too. JFrog describes a step that relies on GitHub Actions to pass stolen secrets to the attacker. The malware serializes the secrets into a single value and writes it to a file with a harmless-looking name, as if it were lint or formatting output. Then it uploads that file as a build artifact, downloadable by anyone with access, so the threat actor can avoid using an external command-and-control (C2) channel.

Oddly, JFrog notes this GitHub Actions-based delivery mechanism was not used in the analyzed IronWorm supply-chain attack.

Another peculiar detail is tied to testing rather than stealth: the operator hardcoded the recovery phrase of their own cryptocurrency wallet. The researchers say the only reason was that the threat actor didn’t want the malware to steal that phrase during the test stage.


Researchers also found a surface-level overlap across campaigns. The IronWorm behavior is conceptually similar to Shai Hulud, which had its code published on GitHub recently. JFrog didn’t find a clear connection between IronWorm and Shai Hulud, but they observed the same commit names in both supply-chain attacks. JFrog points to a possibility that IronWorm is an evolution of TeamPCP’s payload, describing it as “a custom, carefully built implant from an operation with its own infrastructure.”

One more group added a different kind of reassurance, though it isn’t comfort. Ox Security says the IronWorm attack was detected very early and stopped before it spread to more popular packages on npm. Ox Security also provided a list of all impacted package names and their versions in its report, and it recommends that developers upgrade to fixed releases, rotate their keys, and enable two-factor authentication (2FA) for all accounts.

While IronWorm was unfolding, other teams reported something close but not the same. Endor Labs and StepSecurity spotted a very similar attack involving a JavaScript-based malware named binding.gyp, performing registry poisoning and GitHub Actions infection, unfolding during the same time-frame.

The sequence of facts makes the risk feel immediate: it targets credentials first, uses those credentials to publish poisoned packages, and then depends on CI and developer workflows to widen the blast radius. Even with early detection in at least one case, the core threat model is built to turn everyday package management into a propagation tool.
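Because the initial foothold here is a native binary launched from an npm install hook, one practical check before trusting a checkout is to audit `node_modules` for packages whose preinstall/install/postinstall script names an ELF file bundled in the package. This is an added example, not code from JFrog or Ox Security; the package names and fixture tree are constructed.

```python
# Audit installed npm packages for install hooks that run a bundled ELF binary.
# Added example, not code from JFrog or Ox Security. Scoped (@org/pkg) packages
# are skipped for brevity; the fixture tree in build_fixture() is constructed.
import json
import os
import tempfile

HOOKS = ("preinstall", "install", "postinstall")
ELF_MAGIC = b"\x7fELF"
def is_elf(path):
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False

def audit_package(pkg_dir):
    """(hook, script, relative ELF path) for each install hook naming a bundled ELF."""
    try:
        with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as f:
            scripts = json.load(f).get("scripts") or {}
    except (OSError, ValueError):
        return []
    elfs = [os.path.join(r, n) for r, _, names in os.walk(pkg_dir)
            for n in names if is_elf(os.path.join(r, n))]
    return [(hook, scripts[hook], os.path.relpath(e, pkg_dir))
            for hook in HOOKS if scripts.get(hook)
            for e in elfs if os.path.basename(e) in scripts[hook]]

def audit_tree(node_modules):
    """Map package name -> findings for every top-level package that has any."""
    out = {}
    for name in sorted(os.listdir(node_modules)):
        findings = audit_package(os.path.join(node_modules, name))
        if findings:
            out[name] = findings
    return out

def build_fixture():
    """Constructed node_modules: one benign package, one with a preinstall ELF loader."""
    nm = os.path.join(tempfile.mkdtemp(), "node_modules")
    for name, scripts, binary in (("tiny-util", {"test": "node test.js"}, None),
                                  ("evil-dep", {"preinstall": "./bin/loader"}, "bin/loader")):
        os.makedirs(os.path.join(nm, name, "bin"))
        with open(os.path.join(nm, name, "package.json"), "w") as f:
            json.dump({"name": name, "scripts": scripts}, f)
        if binary:
            with open(os.path.join(nm, name, binary), "wb") as f:
                f.write(ELF_MAGIC + b"\x02\x01\x01" + bytes(9))
    return nm
```

Run `audit_tree(build_fixture())` to see the constructed case; on a real project point `audit_tree` at its `node_modules` directory and review every hit, since a legitimate native addon can also ship an ELF file.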


4 Comments

  1. npm really can’t catch a break. So people just get hacked because they ran one package? Wild.

  2. Wait it says it targets OpenAI/AWS stuff and even vault files… but npm isn’t even supposed to be running that, right? Sounds like developers are letting malware in through credentials they “trusted publishing” or whatever. I’m not in IT so this is terrifying honestly.

  3. It’s hiding as an eBPF kernel rootkit which I thought only works on Linux, so how are they getting it on everyone? Also the article said the commit timestamps are from years ago, but that doesn’t mean anything… time stamps can be faked. Still, I guess that’s the point? Idk.

  4. I saw something like this before and it ended up being a “Rust” thing right? Like every time someone says Rust malware I automatically blame the ecosystem. If they’re using Tor too that’s extra sketchy, like it’s basically anonymous hacker club. Also “preinstall” sounds like install privileges? So maybe just don’t use preinstall scripts? not sure.
