IronWorm Supply Chain Attack Steals Dev Secrets via npm

Marcus Rodriguez
June 4, 2026

A new malware campaign, dubbed IronWorm, is actively targeting software developers. This stealthy operation leverages poisoned npm packages to steal sensitive data, including credentials, API keys, and cryptocurrency wallet recovery phrases.

The attack is built to spread itself through trusted developer workflows, making it one of the more sophisticated supply-chain threats seen in recent years.

The malware travels inside packages that look completely legitimate at first glance. Attackers republished several npm packages from a compromised account, slipping a hidden Linux binary into each one.

The moment a developer runs npm install, the binary executes automatically, with no extra steps required. There is nothing to click and nothing to approve.

Security analysts at JFrog said in a report shared with Cyber Security News (CSN) that IronWorm is a custom-built, Rust-based infostealer that scrapes every secret it can find on a developer’s machine, hides behind a kernel-level rootkit, and communicates with its operator through the Tor network.

The campaign was caught in the wild and appeared to target software developers, with a particular focus on crypto and web3 builders.

What makes this threat stand out is how aggressively it spreads. After stealing credentials, IronWorm uses them to push backdated commits into the victim’s GitHub repositories, planting malware into other packages.

Those infected packages then get published to npm, where they can infect the next developer who installs them. The attack essentially uses the victim’s own identity to continue spreading further.

The scale of the campaign is notable too. Researchers found 57 backdated malicious commits spread across nine GitHub organizations.

Some of those commits were made to look years old by copying the timestamp of the repository’s last real commit, a trick designed to avoid raising suspicion during routine code reviews.

IronWorm Supply Chain Attack Uses Malicious npm Packages

IronWorm hides its malicious binary inside a folder path that most developers would never think to check. The binary is packed using a modified UPX tool, with the standard signature removed to prevent automated unpacking.

Once running, the malware decrypts its internal strings one at a time, using a different key at each location, which makes reverse engineering unusually slow and difficult.

The credential theft is broad and deliberate. The malware scans for 86 different environment variables covering cloud platforms, databases, CI/CD systems, source control tokens, and AI service API keys.

It also reads more than 20 credential file paths from disk, including wallet configs and authentication files from tools that became popular only recently.

Figure: At the start of the attack, the malicious versions were marked as deprecated (Source: JFrog)

One dedicated module targets the Exodus desktop wallet specifically, injecting code that captures the wallet password and recovery phrase at the moment the user unlocks it.

A separate module targets Kubernetes pods, reading service account tokens and dumping every secret it can reach.

The Rootkit and Self-Replication Mechanism

IronWorm carries an eBPF-based rootkit that hides its processes and network connections from standard system monitoring tools. This rootkit operates at the kernel level, rewriting process lists before any monitoring software can see them.

Commands like ps and top return clean results, while the malware continues running in the background. The rootkit also blocks attempts to attach a debugger to the malware process, and trying to do so can crash the shell running the command.

The self-replication through npm is equally well thought out. When the malware runs inside a CI environment, it uses npm’s own Trusted Publishing flow to get short-lived publish credentials.

It never needs a stored token. With those credentials, it publishes a trojanized version of the package to the npm registry just like any normal release would look.

Researchers recommend auditing every repository that a compromised account had write access to, checking for backdated commits, unexpected build hooks, and changes attributed to automation names like dependabot or github-actions outside their usual context.

All API keys and secrets tied to the affected account should be rotated immediately, and malicious package versions should be unpublished with a clear security advisory issued to warn downstream users.
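As an added example that is not JFrog's or the article's code, the following Node.js script implements two of the review checks recommended above: listing package.json lifecycle scripts that run on npm install, and flagging commits whose author date is not newer than their parent's (what copying the last real commit's timestamp produces) or that are attributed to automation accounts. The package.json and git log lines are constructed sample input, and the one-day committer-lag threshold is an assumption.

```javascript
// Added example (not code from JFrog or the article): two of the review checks
// recommended above, run over constructed sample data so it works offline.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const AUTOMATION_AUTHORS = ["dependabot", "github-actions"];

// Lifecycle scripts under these hook names run automatically on `npm install`,
// so any command there deserves a look before the package is trusted.
function auditInstallHooks(pkg) {
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS.filter((h) => scripts[h]).map((h) => ({ hook: h, cmd: scripts[h] }));
}

// Parse `git log --format=%H|%an|%aI|%cI|%s` output (newest first).
function parseLog(logText) {
  return logText.trim().split("\n").map((line) => {
    const [hash, author, authorDate, commitDate, ...rest] = line.split("|");
    return { hash, author, authorDate: new Date(authorDate),
             commitDate: new Date(commitDate), subject: rest.join("|") };
  });
}

// Flag commits that (a) carry an author date no newer than their parent, (b) have a
// committer date far behind the author date, or (c) are attributed to an automation
// account. Rebases and cherry-picks can legitimately trip (a) and (b), so treat hits
// as review prompts rather than verdicts. The one-day threshold is an assumption.
function findSuspiciousCommits(logText) {
  const commits = parseLog(logText);
  const findings = [];
  commits.forEach((c, i) => {
    const parent = commits[i + 1];
    const reasons = [];
    if (parent && c.authorDate <= parent.authorDate) reasons.push("author date not newer than parent");
    if (c.commitDate - c.authorDate > 24 * 3600 * 1000) reasons.push("committer date lags author date by over a day");
    if (AUTOMATION_AUTHORS.some((a) => c.author.toLowerCase().includes(a))) reasons.push("automation author; verify its workflow context");
    if (reasons.length) findings.push({ hash: c.hash, subject: c.subject, reasons });
  });
  return findings;
}

// Constructed sample input (not real indicators): one install hook and one
// backdated commit sitting on top of two genuine ones.
const SAMPLE_PKG = { name: "example-lib", scripts: { build: "tsc", postinstall: "./tools/setup" } };
const SAMPLE_LOG = [
  "b2b2|github-actions[bot]|2026-05-30T10:00:00+00:00|2026-06-03T09:12:00+00:00|ci: update workflow configuration",
  "c3c3|alice|2026-05-30T10:00:00+00:00|2026-05-30T10:00:00+00:00|feat: add parser",
  "d4d4|alice|2026-05-20T08:00:00+00:00|2026-05-20T08:00:00+00:00|docs: readme",
].join("\n");

console.log(auditInstallHooks(SAMPLE_PKG));
console.log(findSuspiciousCommits(SAMPLE_LOG));
```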

Indicators of Compromise (IoCs):

Type Indicator Description
Commit Author Email [email protected] Fake author identity used for malicious backdated commits
Commit Message fix: resolve lint warnings Fake commit message used to blend in as routine maintenance
Commit Message test: add missing edge cases Fake commit message used to blend in as routine maintenance
Commit Message ci: update workflow configuration Fake commit message used to blend in as routine maintenance
Commit Message fix: address review feedback Fake commit message used to blend in as routine maintenance
Commit Message docs: update contributing guide Fake commit message used to blend in as routine maintenance
Commit Message chore: sync lockfile Fake commit message used to blend in as routine maintenance
Commit Message fix: handle null pointer case Fake commit message used to blend in as routine maintenance
Commit Message build: bump patch version Fake commit message used to blend in as routine maintenance
Commit Message chore: update dependencies Fake commit message used to blend in as routine maintenance
Crypto Wallet Address 0x7e28D9889f414B06c19a22A9Bd316f0AC279a4d6 Operator’s Ethereum wallet address derived from hardcoded recovery phrase
C2 Endpoint /api/agent Tor-based command and control endpoint used by IronWorm
File Path tools/setup Hidden malicious binary path inside infected npm packages

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
