New IronWorm malware hits 36 packages in npm supply-chain attack
Source: Bleeping Computer

A new supply‑chain attack has infected 36 packages on the npm registry with infostealer malware called IronWorm.
The malware targets 86 environment variables (key‑value pairs) and 20 credential files that may contain OpenAI, AWS, Anthropic, and npm credentials, vault configuration files, SSH keys, and Exodus cryptocurrency wallet files.
According to researchers at supply‑chain and DevOps company JFrog, IronWorm is written in Rust, hides behind an eBPF kernel rootkit, and communicates with the operator over the Tor network.
Technical Details
Malware capabilities
- Data exfiltration: steals environment variables and credential files, including tokens for OpenAI, AWS, Anthropic, npm, SSH keys, and Exodus wallet files.
- Persistence: embeds an eBPF kernel rootkit to maintain low‑level access.
- Command & control: uses the Tor network for encrypted communications.
Propagation method
IronWorm self‑propagates by using stolen credentials to publish malicious versions of npm packages. It abuses npm’s Trusted Publishing workflow: once a developer machine or CI runner that is authorized to publish is compromised, the attacker can push trojanized versions of that developer’s packages, which in turn infect the developers and CI systems that install them.
Commit manipulation
- The initial compromise originated from a compromised account named asteroiddao, which published package versions containing a Rust ELF binary executed via the preinstall script.
- Commits appear to be authored by “claude” with timestamps dating back up to 13 years, despite being pushed only days ago. This tactic is intended to hinder forensic analysis.
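A practical forensic check for the backdating described above is to compare each commit’s author date with its committer date: a rewritten author date leaves the committer date (or the push time) behind. The script below is an added example, not code from the article or JFrog, and it assumes input produced by `git log --format='%H %at %ct %an'` (hash, author epoch, committer epoch, author name); the sample log is constructed.

```javascript
// Added example: flag commits whose author timestamp is far older than the
// committer timestamp. Input lines are assumed to come from
//   git log --format='%H %at %ct %an'
const DAY = 86400;

function parseGitLog(text) {
  return text
    .split('\n')
    .map((line) => line.trim())
    .filter(Boolean)
    .map((line) => {
      const [hash, authorTs, commitTs, ...nameParts] = line.split(' ');
      return {
        hash,
        authorTime: Number(authorTs),
        commitTime: Number(commitTs),
        author: nameParts.join(' '),
      };
    });
}

// A commit is suspicious when the author date predates the committer date by
// more than maxSkewDays. Rebases and cherry-picks also separate the two dates,
// but rarely by years; tune the threshold for the repository being examined.
function findBackdatedCommits(commits, maxSkewDays = 90) {
  return commits
    .filter((c) => c.commitTime - c.authorTime > maxSkewDays * DAY)
    .map((c) => ({
      hash: c.hash,
      author: c.author,
      skewDays: Math.floor((c.commitTime - c.authorTime) / DAY),
    }));
}

// Constructed sample: two ordinary commits and one whose author date sits
// roughly 13 years before the date it was actually committed.
const SAMPLE_LOG = `
aaaa1111 1700000000 1700000100 Alice Example
bbbb2222 1700003600 1700003600 Bob Example
cccc3333 1290000000 1700007200 claude
`;

function demo() {
  return findBackdatedCommits(parseGitLog(SAMPLE_LOG));
}

console.log(JSON.stringify(demo(), null, 2));
```

If the attacker also set GIT_COMMITTER_DATE, both timestamps will be forged and this check is blind; in that case compare the author date against the push time recorded by the hosting platform (for GitHub, the event timeline or the API) rather than against anything stored in the commit.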
Delivery mechanism (GitHub Actions)
JFrog observed a mechanism that serializes stolen secrets into a single value, writes it to a harmless‑looking file (e.g., lint or formatting output), and uploads the file as a build artifact. While this approach could allow the attacker to retrieve secrets without a traditional C2 server, the researchers note that it was not employed in the analyzed IronWorm attack.
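Because this technique needs no C2 server, the place to catch it is the artifact itself before or after upload. The scanner below is an added example, not code from the article or from JFrog: it looks for known secret variable names both in plain text and inside base64 runs long enough to hold a serialized environment dump. The variable names and the sample “lint output” are constructed for the demo.

```javascript
// Added example: detect serialized secrets hidden in a build artifact.

// Secret variable names assumed for the demo; extend for your environment.
const SECRET_KEYS = [
  'AWS_SECRET_ACCESS_KEY',
  'AWS_ACCESS_KEY_ID',
  'OPENAI_API_KEY',
  'ANTHROPIC_API_KEY',
  'NPM_TOKEN',
  'GITHUB_TOKEN',
];

// Runs of base64 text long enough to carry at least one key=value pair.
const BASE64_RUN = /[A-Za-z0-9+/]{40,}={0,2}/g;

function keysPresent(text) {
  return SECRET_KEYS.filter((k) => text.includes(k));
}

// Decode a candidate run and keep it only if the result looks like text;
// binary-looking decodes (e.g. hashes or random IDs) are discarded.
function safeDecodeBase64(chunk) {
  try {
    const decoded = Buffer.from(chunk, 'base64').toString('utf8');
    if (decoded.length === 0) return null;
    const printable = decoded.replace(/[^\x20-\x7e\n\r\t]/g, '').length;
    return printable / decoded.length > 0.9 ? decoded : null;
  } catch {
    return null;
  }
}

function scanArtifact(content) {
  const findings = [];
  const plain = keysPresent(content);
  if (plain.length) findings.push({ encoding: 'plain', keys: plain });
  for (const chunk of content.match(BASE64_RUN) || []) {
    const decoded = safeDecodeBase64(chunk);
    if (!decoded) continue;
    const keys = keysPresent(decoded);
    if (keys.length) {
      findings.push({ encoding: 'base64', keys, offset: content.indexOf(chunk) });
    }
  }
  return findings;
}

// Constructed sample artifact: ordinary-looking lint output with an
// environment dump tucked into one line as a base64 blob.
const FAKE_DUMP = 'AWS_SECRET_ACCESS_KEY=EXAMPLEKEY\nNPM_TOKEN=npm_EXAMPLE\n';
const SAMPLE_ARTIFACT = [
  'src/index.js',
  '  12:4  warning  Unexpected console statement  no-console',
  '  30:1  error    Missing semicolon             semi',
  'cache: ' + Buffer.from(FAKE_DUMP).toString('base64'),
  '2 problems (1 error, 1 warning)',
].join('\n');

console.log(JSON.stringify(scanArtifact(SAMPLE_ARTIFACT), null, 2));
```

An attacker can of course compress or encrypt the blob instead, so treat this as one layer: pair it with an entropy check on artifact contents, and restrict which jobs may call upload-artifact at all.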
Operator wallet phrase
The attacker hard‑coded the recovery phrase of their own cryptocurrency wallet into the malware. Researchers believe this was done to prevent the malware from stealing the wallet during testing.
Detection and Mitigation
- Ox Security detected the IronWorm attack early and halted its spread before it could affect more popular npm packages.
- Ox Security provides a list of all impacted package names and versions, recommending that developers:
- Upgrade to the fixed releases.
- Rotate all compromised keys.
- Enable two‑factor authentication (2FA) for all npm accounts.
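Acting on the impacted-package list means checking every lockfile, including transitive dependencies, and IronWorm’s preinstall hook is a reminder to know which installed packages run code at install time. The audit below is an added example, not code from the article, Ox Security or JFrog. It reads a package-lock.json in lockfileVersion 2 or 3 format, where each entry under packages is keyed by install path and carries hasInstallScript when the package declares preinstall, install or postinstall scripts. The affected list and the sample lockfile use made-up names; substitute the vendor’s published list.

```javascript
// Added example: audit a package-lock.json against an affected-versions list
// and report every dependency that runs install-time scripts.

// Placeholder affected list with made-up names; replace with the real list.
const AFFECTED = {
  'example-affected-pkg': ['1.2.3', '1.2.4'],
  '@example/other-pkg': ['0.9.1'],
};

// Lockfile v2/v3 keys are install paths such as
// "node_modules/a/node_modules/b"; the package name follows the last
// "node_modules/" segment. The root project has the empty key "".
function nameFromLockKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

function auditLockfile(lock, affected = AFFECTED) {
  const packages = lock.packages || {};
  const hits = [];
  const installScripts = [];
  for (const [key, entry] of Object.entries(packages)) {
    const name = nameFromLockKey(key);
    if (!name) continue;
    if ((affected[name] || []).includes(entry.version)) {
      hits.push({ name, version: entry.version, path: key });
    }
    // npm sets hasInstallScript for packages with lifecycle install scripts.
    if (entry.hasInstallScript) {
      installScripts.push({ name, version: entry.version, path: key });
    }
  }
  return { hits, installScripts };
}

// Constructed sample lockfile: one affected version, one package at a
// non-affected version, and a nested dependency with an install script.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-affected-pkg': { version: '1.2.3', hasInstallScript: true },
    'node_modules/dep-a': { version: '2.0.0' },
    'node_modules/@example/other-pkg': { version: '0.9.0' },
    'node_modules/dep-a/node_modules/dep-b': { version: '3.1.0', hasInstallScript: true },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

In CI, `npm ci --ignore-scripts` stops lifecycle scripts from running at all; packages that genuinely need them can then be built explicitly, which turns an unexpected preinstall script into a visible failure rather than silent code execution.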
Related Findings
- The behavior of IronWorm is conceptually similar to the earlier Shai Hulud campaign, which also leveraged stolen credentials to publish malicious npm packages. Although JFrog did not find a direct link, both attacks share identical commit names.
- Endor Labs and StepSecurity reported a distinct but contemporaneous attack involving a JavaScript‑based malware named binding.gyp, which performed registry poisoning and GitHub Actions infection.
