IronWorm Malware Campaign Targets Developers via Poisoned npm Packages
A sophisticated malware campaign, dubbed IronWorm, has been discovered targeting software developers, particularly those in crypto and web3, through malicious npm packages. The attack leverages compromised developer workflows to steal credentials, API keys, and cryptocurrency wallet recovery phrases, while spreading autonomously via trusted supply-chain channels.
How the Attack Works
IronWorm infiltrates systems by hiding a Rust-based infostealer inside seemingly legitimate npm packages. When a developer runs npm install, the malware executes automatically, requiring no user interaction. The threat actor republished multiple npm packages from a hijacked account, embedding a hidden Linux binary in each.
Once active, IronWorm employs a kernel-level rootkit to evade detection, masking its processes and network activity from standard monitoring tools like ps and top. It communicates with its operator via the Tor network and uses obfuscation techniques, including a modified UPX packer and per-string decryption, to hinder reverse engineering.
Credential Theft & Self-Replication
The malware aggressively harvests sensitive data, scanning for 86 environment variables (covering cloud platforms, CI/CD systems, and AI service keys) and 20+ credential file paths, including wallet configurations. A dedicated module targets the Exodus desktop wallet, capturing passwords and recovery phrases upon unlock. Another module extracts Kubernetes service account tokens from pods.
IronWorm’s most dangerous feature is its self-replicating mechanism. After stealing credentials, it uses them to push backdated malicious commits into victims’ GitHub repositories, disguising them as routine maintenance (e.g., "fix: resolve lint warnings"). These infected packages are then published to npm, creating a supply-chain loop that spreads the malware further. Researchers identified 57 backdated commits across nine GitHub organizations, some timestamped years in the past to avoid scrutiny.
Scope & Indicators of Compromise
The campaign has impacted dozens of npm packages, including:
weavedb-lite@0.1.1, arnext@0.1.5, roidjs@0.1.7, atomic-notes@0.5.3
Malicious commits were attributed to a fake GitHub email (claude@users.noreply.github.com), and the operator’s Ethereum wallet address (0x7e28D9889f414B06c19a22A9Bd316f0AC279a4d6) was hardcoded in the malware. The C2 endpoint (/api/agent) operates over Tor, and the malicious binary resides in a hidden path (tools/setup).
Mitigation & Response
Security firm JFrog recommends auditing repositories for backdated commits, unexpected build hooks, and unauthorized automation activity. All compromised API keys and secrets should be rotated immediately, and affected npm packages should be unpublished with security advisories issued.
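A defender's audit script along the lines JFrog recommends, added here as an example and not JFrog's or the article's code: it flags commits stamped earlier than the history beneath them, commits whose author date trails the committer date, authors outside an allowlist, and npm lifecycle scripts that execute during npm install. The commit log lines, the package.json and the allowlist are constructed samples; the git log format string and the date tolerances are assumptions.

```python
import json
DAY = 86400
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def parse_log(text):
    """One commit per line, oldest first, from the (assumed) invocation:
    git log --first-parent --topo-order --reverse --format='%H|%ae|%at|%ct|%s'"""
    commits = []
    for line in text.strip().splitlines():
        sha, email, at, ct, subject = line.split("|", 4)
        commits.append({"sha": sha, "email": email, "author_ts": int(at),
                        "commit_ts": int(ct), "subject": subject})
    return commits

def audit_commits(commits, trusted_emails, skew_days=1, backdate_days=30):
    """Return (sha, reason) pairs for commits with fabricated dates or unknown authors."""
    findings, newest = [], None
    for c in commits:
        # Topological order lists parents first: a child stamped well before the
        # newest commit beneath it was given a fabricated date when it was pushed.
        if newest is not None and c["commit_ts"] < newest - skew_days * DAY:
            findings.append((c["sha"], "committer date earlier than parent"))
        # `git commit --date` rewrites only the author date; a wide gap is another sign.
        if c["commit_ts"] - c["author_ts"] > backdate_days * DAY:
            findings.append((c["sha"], "author date far behind committer date"))
        if c["email"] not in trusted_emails:
            findings.append((c["sha"], "author %s not on allowlist" % c["email"]))
        newest = c["commit_ts"] if newest is None else max(newest, c["commit_ts"])
    return findings

def audit_install_hooks(package_json):
    """Return (script, command) for npm lifecycle scripts that run during npm install."""
    scripts = json.loads(package_json).get("scripts", {})
    return [("scripts." + hook, cmd) for hook, cmd in scripts.items() if hook in INSTALL_HOOKS]

# Constructed sample: two normal commits, then one pushed later but stamped March 2023
# under the noreply identity named in the article.
SAMPLE_LOG = """\
a1|dev@example.com|1735689600|1735689600|feat: initial release
b2|dev@example.com|1748736000|1748736000|chore: bump deps
c3|claude@users.noreply.github.com|1678838400|1678838400|fix: resolve lint warnings
"""
# Constructed package.json whose postinstall hook runs the hidden path named in the article.
SAMPLE_PKG = '{"name": "demo", "scripts": {"test": "node test.js", "postinstall": "node tools/setup"}}'

if __name__ == "__main__":
    for where, reason in audit_commits(parse_log(SAMPLE_LOG), {"dev@example.com"}):
        print(where, reason)
    for hook, cmd in audit_install_hooks(SAMPLE_PKG):
        print(hook, "runs on install:", cmd)
```

A date regression alone can also come from a legitimate rebase or cherry-pick, so treat findings as a review queue and confirm against push events and the authors' actual accounts.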
The attack underscores the growing threat of supply-chain compromises, where trusted developer tools become vectors for large-scale credential theft and malware propagation.
Source: https://cybersecuritynews.com/ironworm-supply-chain-attack-uses-malicious-npm-packages/
Exodus TPRM report: https://www.rankiteo.com/company/exodus-intelligence
npm TPRM report: https://www.rankiteo.com/company/npm-inc-
GitHub TPRM report: https://www.rankiteo.com/company/github-securitylab
{
  "id": "gitexonpm1780604646",
  "linkid": "github-securitylab, exodus-intelligence, npm-inc-",
  "type": "Cyber Attack",
  "date": "6/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "industry": "Software Development, Cryptocurrency, Web3",
      "name": "Developers in crypto and web3 industries",
      "type": "Individuals/Organizations"
    },
    {
      "industry": "Software Development",
      "name": "GitHub organizations with backdated commits",
      "type": "Organizations"
    }
  ],
  "attack_vector": "Malicious npm packages, Backdated GitHub commits",
  "data_breach": {
    "data_encryption": "No (data stolen in plaintext)",
    "data_exfiltration": "Yes (via Tor network)",
    "personally_identifiable_information": "Recovery phrases, Wallet passwords, API keys",
    "sensitivity_of_data": "High (Personally Identifiable Information, Financial Data, Authentication Tokens)",
    "type_of_data_compromised": "Credentials, API keys, Cryptocurrency wallet recovery phrases, Kubernetes tokens, Environment variables"
  },
  "description": "A sophisticated malware campaign, dubbed IronWorm, has been discovered targeting software developers particularly those in crypto and web3 through malicious npm packages. The attack leverages compromised developer workflows to steal credentials, API keys, and cryptocurrency wallet recovery phrases, while spreading autonomously via trusted supply-chain channels.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage to affected organizations due to supply-chain compromise",
    "data_compromised": "Credentials, API keys, Cryptocurrency wallet recovery phrases, Kubernetes service account tokens, Environment variables",
    "identity_theft_risk": "High (recovery phrases and credentials stolen)",
    "operational_impact": "Unauthorized access to cloud platforms, AI services, and cryptocurrency wallets; Supply-chain compromise",
    "systems_affected": "Developer workstations, CI/CD pipelines, GitHub repositories, npm packages"
  },
  "initial_access_broker": {
    "backdoors_established": "Backdated GitHub commits, Hidden Linux binaries in npm packages",
    "entry_point": "Malicious npm packages",
    "high_value_targets": "Crypto/web3 developers, Kubernetes environments, CI/CD pipelines"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "Supply-chain attacks via trusted developer tools (e.g., npm, GitHub) are a growing threat. Backdated commits and automation abuse can evade detection. Credential rotation and repository audits are critical post-compromise.",
  "motivation": "Credential theft, Cryptocurrency wallet compromise, Data exfiltration, Supply-chain propagation",
  "post_incident_analysis": {
    "corrective_actions": "Enhanced npm package verification, Repository audits, Credential rotation, Kernel-level monitoring",
    "root_causes": "Compromised npm packages, Trusted supply-chain channels, Lack of developer workflow security controls"
  },
  "ransomware": {
    "data_encryption": "No (infostealer, not ransomware)",
    "data_exfiltration": "Yes"
  },
  "recommendations": [
    "Audit GitHub repositories for backdated commits and unexpected automation activity.",
    "Rotate all compromised API keys, secrets, and credentials immediately.",
    "Unpublish malicious npm packages and issue security advisories.",
    "Monitor for kernel-level rootkit activity and Tor-based C2 communications.",
    "Implement stricter npm package verification and developer workflow security."
  ],
  "references": [
    {"source": "JFrog Security Research"}
  ],
  "response": {
    "communication_strategy": "Security advisories issued",
    "containment_measures": "Auditing repositories for backdated commits, Unpublishing affected npm packages, Issuing security advisories",
    "enhanced_monitoring": "Recommended for detecting malicious processes and network activity",
    "remediation_measures": "Rotating compromised API keys and secrets, Removing malicious npm packages",
    "third_party_assistance": "JFrog (security firm)"
  },
  "stakeholder_advisories": "Security advisories issued to affected developers and organizations.",
  "threat_actor": "Unknown (IronWorm operator)",
  "title": "IronWorm Malware Campaign Targets Developers via Poisoned npm Packages",
  "type": "Supply-Chain Attack, Malware Campaign",
  "vulnerability_exploited": "Trusted developer workflows, npm package installation (no user interaction required)"
}