IronWorm Supply Chain Attack Uses Malicious npm Packages to Steal Developer Secrets

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A newly discovered malware campaign called IronWorm has been silently targeting software developers through poisoned npm packages, stealing credentials, API keys, and even cryptocurrency wallet recovery phrases.

The attack is built to spread itself through trusted developer workflows, making it one of the more sophisticated supply-chain threats seen in recent years.

The malware travels inside packages that look completely legitimate at first glance. Attackers republished several npm packages from a compromised account, slipping a hidden Linux binary into each one.

The moment a developer runs npm install, the binary executes automatically, with no extra steps required. There is nothing to click and nothing to approve.

Security analysts at JFrog said in a report shared with Cyber Security News (CSN) that IronWorm is a custom-built, Rust-based infostealer that scrapes every secret it can find on a developer’s machine, hides behind a kernel-level rootkit, and communicates with its operator through the Tor network.

The campaign was caught in the wild and appeared to target software developers, with a particular focus on crypto and web3 builders.

What makes this threat stand out is how aggressively it spreads. After stealing credentials, IronWorm uses them to push backdated commits into the victim’s GitHub repositories, planting malware into other packages.

Those infected packages then get published to npm, where they can infect the next developer who installs them. The attack essentially uses the victim’s own identity to continue spreading further.

The scale of the campaign is notable too. Researchers found 57 backdated malicious commits spread across nine GitHub organizations.

Some of those commits were made to look years old by copying the timestamp of the repository’s last real commit, a trick designed to avoid raising suspicion during routine code reviews.

IronWorm Supply Chain Attack Uses Malicious npm Packages

IronWorm hides its malicious binary inside a folder path that most developers would never think to check. The binary is packed using a modified UPX tool, with the standard signature removed to prevent automated unpacking.
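The install-time execution and hidden binary path described above are what a defender can audit locally. The following is an added example, not code from JFrog or the article: it flags npm lifecycle hooks that run a file bundled inside the package and flags any file carrying an ELF header. Package names, file contents and the in-memory package shape (`{ name, packageJson, files }`) are constructed for the demo.

```javascript
// Added example (not part of the JFrog report): audit installed npm packages for the
// pattern described above, a lifecycle hook that runs a Linux binary bundled inside
// the package. Packages are modelled in memory ({ name, packageJson, files }) so it
// runs offline; for real use, read package.json and files from node_modules.
const ELF_MAGIC = Buffer.from([0x7f, 0x45, 0x4c, 0x46]); // "\x7fELF"
const HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// True when the blob starts with the ELF header, i.e. it is a native Linux executable.
function isElf(buf) {
  return buf.length >= 4 && buf.subarray(0, 4).equals(ELF_MAGIC);
}

// Hooks whose command line executes a file inside the package itself (e.g. "./tools/setup")
// rather than a well-known tool such as node-gyp.
function localExecHooks(pkgJson) {
  const relPath = /^(\.{1,2}\/)?[\w.-]+(\/[\w.-]+)+$/; // tools/setup, ./tools/setup, ../x/y
  const out = [];
  for (const hook of HOOKS) {
    const cmd = (pkgJson.scripts || {})[hook];
    if (!cmd) continue;
    if (cmd.split(/\s+/).some((t) => relPath.test(t))) out.push({ hook, cmd });
  }
  return out;
}

// Human-readable findings for one package; an empty array means nothing odd was seen.
function auditPackage(pkg) {
  const findings = [];
  for (const { hook, cmd } of localExecHooks(pkg.packageJson)) {
    findings.push(`${pkg.name}: ${hook} hook runs a bundled file: "${cmd}"`);
  }
  for (const [rel, buf] of Object.entries(pkg.files)) {
    if (isElf(buf)) findings.push(`${pkg.name}: native ELF binary shipped at ${rel}`);
  }
  return findings;
}
// Constructed sample packages (names and contents are made up, not real IoCs).
const cleanPkg = {
  name: "tidy-lib",
  packageJson: { name: "tidy-lib", scripts: { test: "node test.js" } },
  files: { "index.js": Buffer.from("module.exports = (s) => s;") },
};
const poisonedPkg = {
  name: "poisoned-example",
  packageJson: { name: "poisoned-example", scripts: { postinstall: "./tools/setup" } },
  files: {
    "index.js": Buffer.from("module.exports = {};"),
    "tools/setup": Buffer.concat([ELF_MAGIC, Buffer.alloc(60)]), // ELF magic plus padding
  },
};
console.log(auditPackage(cleanPkg), auditPackage(poisonedPkg));
```

While a package is being vetted, `npm install --ignore-scripts` skips these hooks entirely, which removes the zero-click execution path the article describes.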

Once running, the malware decrypts its internal strings one at a time, using a different key at each location, which makes reverse engineering unusually slow and difficult.

The credential theft is broad and deliberate. The malware scans for 86 different environment variables covering cloud platforms, databases, CI/CD systems, source control tokens, and AI service API keys.

It also reads more than 20 credential file paths from disk, including wallet configs and authentication files from tools that became popular only recently.

Figure: at the beginning of the attack, the malicious versions were marked as deprecated (Source: JFrog)

One dedicated module targets the Exodus desktop wallet specifically, injecting code that captures the wallet password and recovery phrase at the moment the user unlocks it.

A separate module targets Kubernetes pods, reading service account tokens and dumping every secret it can reach.

The Rootkit and Self-Replication Mechanism

IronWorm carries an eBPF-based rootkit that hides its processes and network connections from standard system monitoring tools. This rootkit operates at the kernel level, rewriting process lists before any monitoring software can see them.

Commands like ps and top return clean results, while the malware continues running in the background. The rootkit also blocks attempts to attach a debugger to the malware process, and trying to do so can crash the shell running the command.

The self-replication through npm is equally well thought out. When the malware runs inside a CI environment, it uses npm’s own Trusted Publishing flow to get short-lived publish credentials.

It never needs a stored token. With those credentials, it publishes a trojanized version of the package to the npm registry just like any normal release would look.

Researchers recommend auditing every repository that a compromised account had write access to, checking for backdated commits, unexpected build hooks, and changes attributed to automation names like dependabot or github-actions outside their usual context.

All API keys and secrets tied to the affected account should be rotated immediately, and malicious package versions should be unpublished with a clear security advisory issued to warn downstream users.
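The audit steps above (backdated commits, automation names outside their usual context) can be scripted against git history. The following is an added example, not from JFrog or the article: it walks a log in parent-first order and flags commits dated earlier than their parent, commits reusing an earlier commit's exact timestamp, and automation-named authors whose e-mail is not on a caller-supplied allowlist. The log format, the `allowedBotEmails` parameter and the sample history are assumptions constructed for the demo.

```javascript
// Added example (not from the JFrog report): flag backdated and impersonated commits
// in git history, the audit steps recommended above. Input is the output of
//   git log --topo-order --reverse --format='%H|%an|%ae|%cI|%s'
// so each line follows its parent. Sample history below is constructed.
const AUTOMATION_NAMES = ["dependabot", "github-actions"];

function parseLog(text) {
  return text.trim().split("\n").map((line) => {
    const [hash, name, email, date, ...rest] = line.split("|");
    return { hash, name, email, time: Date.parse(date), subject: rest.join("|") };
  });
}

// allowedBotEmails: the addresses your automation really commits with (assumed input).
function findSuspiciousCommits(text, allowedBotEmails = []) {
  const findings = [];
  const seen = new Map(); // timestamp -> hash of the first commit carrying it
  let newest = -Infinity;  // newest committer date seen along the walk so far
  for (const c of parseLog(text)) {
    // A commit dated before its parent was given a fabricated (copied) date.
    if (c.time < newest) findings.push({ hash: c.hash, reason: "dated earlier than parent" });
    // Reusing an earlier commit's exact timestamp is the trick described in the article.
    if (seen.has(c.time)) findings.push({ hash: c.hash, reason: `same timestamp as ${seen.get(c.time)}` });
    else seen.set(c.time, c.hash);
    // Automation names are only trusted when they come from their known addresses.
    const name = c.name.toLowerCase();
    if (AUTOMATION_NAMES.some((n) => name.includes(n)) && !allowedBotEmails.includes(c.email)) {
      findings.push({ hash: c.hash, reason: "automation name with unexpected email" });
    }
    newest = Math.max(newest, c.time);
  }
  return findings;
}

// Constructed history: a1..c3 genuine; d4 copies b2's timestamp; e5 poses as dependabot.
const SAMPLE_LOG = `
a1|Alice|alice@example.com|2021-03-01T10:00:00+00:00|feat: initial import
b2|Alice|alice@example.com|2022-06-15T09:30:00+00:00|feat: add parser
c3|Bob|bob@example.com|2024-01-20T12:00:00+00:00|fix: trim input
d4|Alice|alice@example.com|2022-06-15T09:30:00+00:00|ci: update workflow configuration
e5|dependabot|dev@example.com|2024-02-01T08:00:00+00:00|chore: sync lockfile
`;

console.log(findSuspiciousCommits(SAMPLE_LOG));
```

Identical timestamps can occur legitimately (for example, commits rewritten in one rebase), so treat the duplicate-timestamp finding as a prompt to inspect the diff rather than proof of tampering.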

Indicators of Compromise (IoCs):

Type Indicator Description
Commit Message fix: resolve lint warnings Fake commit message used to blend in as routine maintenance
Commit Message test: add missing edge cases Fake commit message used to blend in as routine maintenance
Commit Message ci: update workflow configuration Fake commit message used to blend in as routine maintenance
Commit Message fix: address review feedback Fake commit message used to blend in as routine maintenance
Commit Message docs: update contributing guide Fake commit message used to blend in as routine maintenance
Commit Message chore: sync lockfile Fake commit message used to blend in as routine maintenance
Commit Message fix: handle null pointer case Fake commit message used to blend in as routine maintenance
Commit Message build: bump patch version Fake commit message used to blend in as routine maintenance
Commit Message chore: update dependencies Fake commit message used to blend in as routine maintenance
Crypto Wallet Address 0x7e28D9889f414B06c19a22A9Bd316f0AC279a4d6 Operator’s Ethereum wallet address derived from hardcoded recovery phrase
C2 Endpoint /api/agent Tor-based command and control endpoint used by IronWorm
File Path tools/setup Hidden malicious binary path inside infected npm packages

