A newly discovered supply chain attack, named “IronWorm,” has raised significant concerns within the developer community as it exploits malicious npm packages to infiltrate developer environments. This attack has the ability to compromise sensitive credentials and propagate itself across various repositories, mimicking a worm-like infection pattern.
The primary focus of the IronWorm campaign is on software developers involved in the crypto and Web3 ecosystems. The strategic targeting of these sectors is due to the inherently exposed secrets that could yield immediate financial gains for malicious actors. As such, the threat posed by IronWorm cannot be understated, as it aims to capitalize on vulnerabilities within these rapidly evolving technological landscapes.
Researchers first noted the suspicious activity associated with IronWorm when they observed multiple npm packages republished in quick succession, each of which contained a native binary executed through a preinstall hook. One of the identified packages was “weavedb-sdk,” specifically version 0.45.3. This particular package harbored a hidden Linux ELF binary within its tools directory, which was executed automatically upon installation—completely bypassing any user interactions.
Upon conducting an initial analysis, researchers discovered that this binary had been packed with a modified UPX stub, aimed at evading standard unpacking mechanisms. By restoring the altered UPX signature, researchers were able to unpack the binary and reveal a significantly large payload written in Rust. The choice of Rust as the programming language added an additional layer of complexity for reverse engineers due to Rust’s extensive runtime and compiled abstractions, rendering the malware even more challenging to dissect.
Furthermore, individual strings within the malware’s code were encrypted using unique keys for each specific call site, necessitating separate decryption efforts to uncover the operational details. Once decrypted, the full scope of IronWorm’s capabilities came into focus. This sophisticated piece of malware operates as a complete infostealer and propagation engine targeting developer secrets across a multitude of environments, including cloud platforms, continuous integration/continuous deployment (CI/CD) pipelines, AI services, and local credential files.
The malware is meticulously designed to scan over 80 environment variables and an extensive variety of credential file paths. It specifically targets modern AI tool configurations alongside traditional cloud credentials, showcasing the comprehensive reach of its operational mandate. A report from JFrog, shared with GBhackers, highlighted that the attack was first observed in npm packages published by an account named “asteroiddao,” which is associated with the asteroid-dao GitHub organization operational within the Arweave ecosystem.
In addition to pilfering credentials, IronWorm includes specialized modules intended to attack Exodus cryptocurrency wallets. These modules achieve their malicious objectives by injecting harmful JavaScript into the wallets to capture user passwords and recovery phrases.
A particularly notable feature of IronWorm is its self-propagation mechanism. The malware utilizes stolen GitHub credentials to introduce malicious commits into platforms it can access. These commits often embed build-time execution hooks or replace existing GitHub Actions workflows with pipelines engineered for harvesting secrets.
In one observed technique, the malware serializes repository secrets utilizing GitHub Actions expressions and exfiltrates them as build artifacts, cleverly circumventing the need for external command-and-control communication. Additionally, some of these malicious commits remained in view after compromised accounts were flagged, revealing that the attacked account had been notably active, contributing approximately 4,500 commits to private projects that same month.
Taking further steps to obscure its activities, attackers utilized advanced evasion tactics to weave their malicious actions into legitimate workflows. Commits were backdated artificially to appear as if they were made years ago, exploiting Git’s flexible timestamping feature. The attackers also disguised their identities as benign contributors by spoofing author names like “claude” or utilizing automated bots such as dependabot.
Research efforts identified a total of 57 malicious commits across nine distinct organizations, although it is likely that the true scope of the attack is larger due to activities taking place within private repositories. IronWorm even incorporates an embedded ELF file: a BPF object compiled with clang version 22.1.5. While the original build path was preserved in the binary, the compiler’s metadata implied further complexities concerning detection and analysis.
Exploiting npm’s Trusted Publishing mechanism, IronWorm requests an OpenID Connect (OIDC) token when executed in CI environments. Subsequently, it exchanges this token for a short-lived npm publishing token, allowing it to release trojanized package versions without directly managing sensitive credentials.
At the system level, IronWorm deploys an eBPF-based rootkit designed to conceal its existence by hiding processes, network connections, and impeding debugging attempts through manipulations at the kernel level. Although on hardened systems with kernel lockdown enabled some of these stealth capabilities may be diminished, IronWorm still poses a viable threat.
To establish command and control, IronWorm utilizes the Tor network, embedding Tor clients within itself to anonymize its traffic. It offers functionalities for data exfiltration, payload delivery, and remote shell access, with researchers identifying contingency measures utilizing public file-sharing services tunneled through Tor for additional operational redundancy.
Despite its high degree of sophistication, IronWorm is not without shortcomings. Notably, a hardcoded cryptocurrency wallet recovery phrase was found in the binary, which was excluded from exfiltration routines—likely to safeguard the operator’s own financial assets—a critical oversight that may provide leads for attribution.
While most of the malicious npm packages and GitHub commits were swiftly removed following their discovery, some remnants remain, indicating that cleanup efforts may not have been entirely effective. The evolution of this campaign underscores a troubling trend toward increasingly automated, self-replicating supply chain attacks that seek to exploit developer trust and the systems they rely upon for their work. Organizations and developers must remain vigilant to protect against such sophisticated threats as the landscape continues to evolve.