Exodus Intelligence A.I CyberSecurity Scoring
Company Information
- Website: https://www.exodusintel.com
- Number of employees: 45
- Number of followers: 3,524
- NAICS: 541514
- Industry type: Computer and Network Security
Exodus Intelligence Risk Score (AI oriented)
- Score: 732/1000 (Moderate, Ba)
- Band: between 700 and 749
- Updated: 04/06/2026
1 incident, -18 average impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 750
Cyber Attack • 04 Jun 2026 • Exodus Intelligence
Exodus, npm and GitHub: IronWorm Supply Chain Attack Uses Malicious npm Packages to Steal Developer Secrets
Score: 732 • CRITICAL -18 • GITEXONPM1780604646
IronWorm Malware Campaign Targets Developers via Poisoned npm Packages
A sophisticated malware campaign, dubbed IronWorm, has been discovered targeting software developers, particularly those in crypto and web3, through malicious npm packages. The attack leverages compromised developer workflows to steal credentials, API keys, and cryptocurrency wallet recovery phrases, while spreading autonomously via trusted supply-chain channels.
### How the Attack Works
IronWorm infiltrates systems by hiding a Rust-based infostealer inside seemingly legitimate npm packages. When a developer runs `npm install`, the malware executes automatically, requiring no user interaction. The threat actor republished multiple npm packages from a hijacked account, embedding a hidden Linux binary in each.
Once active, IronWorm employs a kernel-level rootkit to evade detection, masking its processes and network activity from standard monitoring tools like `ps` and `top`. It communicates with its operator via the Tor network and uses obfuscation techniques, including a modified UPX packer and per-string decryption, to hinder reverse engineering.
### Credential Theft & Self-Replication
The malware aggressively harvests sensitive data, scanning for 86 environment variables (covering cloud platforms, CI/CD systems, and AI service keys) and 20+ credential file paths, including wallet configurations. A dedicated module targets the Exodus desktop wallet, capturing passwords and recovery phrases upon unlock. Another module extracts Kubernetes service account tokens from pods.
IronWorm’s most dangerous feature is its self-replicating mechanism. After stealing credentials, it uses them to push backdated malicious commits into victims’ GitHub repositories, disguising them as routine maintenance (e.g., "fix: resolve lint warnings"). These infected packages are then published to npm, creating a supply-chain loop that spreads the malware further. Researchers identified 57 backdated commits across nine GitHub organizations, some timestamped years in the past to avoid scrutiny.
### Scope & Indicators of Compromise
The campaign has impacted dozens of npm packages, including:
- `[email protected]`
- `[email protected]`
- `[email protected]`
- `[email protected]`
Malicious commits were attributed to a fake GitHub email (`[email protected]`), and the operator’s Ethereum wallet address (`0x7e28D9889f414B06c19a22A9Bd316f0AC279a4d6`) was hardcoded in the malware. The C2 endpoint (`/api/agent`) operates over Tor, and the malicious binary resides in a hidden path (`tools/setup`).
### Mitigation & Response
Security firm JFrog recommends auditing repositories for backdated commits, unexpected build hooks, and unauthorized automation activity. All compromised API keys and secrets should be rotated immediately, and affected npm packages should be unpublished with security advisories issued.
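One way to run the backdated-commit audit recommended above, as an added example (not JFrog's or this page's code): it parses `git log --format='%H|%P|%at|%ct|%ae|%s'` output and flags any commit whose committer date is more than a day older than its parent's. The sample log, its hashes and addresses, and the one-day tolerance are constructed assumptions.

```python
# Constructed sample of `git log --format='%H|%P|%at|%ct|%ae|%s'` (newest first).
# Hashes, e-mail addresses and timestamps are made up for illustration.
SAMPLE_LOG = """\
d4d4d4d|c3c3c3c|1780500000|1780500000|dev@example.test|feat: add retry to client
c3c3c3c|b2b2b2b|1654000000|1654000000|bot@example.test|fix: resolve lint warnings
b2b2b2b|a1a1a1a|1780300000|1780300000|dev@example.test|docs: update changelog
a1a1a1a||1780000000|1780000000|dev@example.test|chore: initial import
"""

SKEW_SECONDS = 24 * 3600  # assumed tolerance for clock skew between machines


def parse_log(text):
    """Return {sha: commit record} from pipe-delimited git log output."""
    commits = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # maxsplit=5 keeps any '|' inside the subject intact
        sha, parents, author_ts, commit_ts, email, subject = line.split("|", 5)
        commits[sha] = {
            "parents": parents.split(),  # empty for a root commit
            "author_ts": int(author_ts),
            "commit_ts": int(commit_ts),
            "email": email,
            "subject": subject,
        }
    return commits


def find_backdated(commits, skew=SKEW_SECONDS):
    """Flag commits that claim to be older than the parent they build on."""
    findings = []
    for sha, commit in commits.items():
        for parent_sha in commit["parents"]:
            parent = commits.get(parent_sha)
            if parent is None:  # parent outside the exported range
                continue
            gap = parent["commit_ts"] - commit["commit_ts"]
            if gap > skew:
                findings.append((sha, commit["email"], commit["subject"], gap // 86400))
    return findings


if __name__ == "__main__":
    for sha, email, subject, days in find_backdated(parse_log(SAMPLE_LOG)):
        print(f"{sha} by {email}: '{subject}' is {days} days older than its parent")
```

Both git dates are set by the client, so a hit is a lead to cross-check against the hosting platform's push or audit log rather than proof on its own.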
The attack underscores the growing threat of supply-chain compromises, where trusted developer tools become vectors for large-scale credential theft and malware propagation.
MAY 2026: 750
APRIL 2026: 750
MARCH 2026: 750
FEBRUARY 2026: 750
JANUARY 2026: 750
DECEMBER 2025: 750
NOVEMBER 2025: 750
OCTOBER 2025: 750
SEPTEMBER 2025: 750
AUGUST 2025: 750
JULY 2025: 750
Frequently Asked Questions
- What is the current A.I Rankiteo Cyber Score for Exodus Intelligence?
- What was Exodus Intelligence's A.I Rankiteo Cyber Score in May 2026?
- What was Exodus Intelligence's A.I Rankiteo Cyber Score in April 2026?
- What was Exodus Intelligence's A.I Rankiteo Cyber Score in March 2026?
- What was Exodus Intelligence's A.I Rankiteo Cyber Score in February 2026?
- What was Exodus Intelligence's A.I Rankiteo Cyber Score in January 2026?
- What was Exodus Intelligence's A.I Rankiteo Cyber Score in December 2025?
- What was Exodus Intelligence's A.I Rankiteo Cyber Score in November 2025?
- What was Exodus Intelligence's A.I Rankiteo Cyber Score in October 2025?
- What was Exodus Intelligence's A.I Rankiteo Cyber Score in September 2025?
- What was Exodus Intelligence's A.I Rankiteo Cyber Score in August 2025?
- What was Exodus Intelligence's A.I Rankiteo Cyber Score in July 2025?
- What is the average per-incident point impact on Exodus Intelligence's A.I Rankiteo Cyber Score over the past 12 months?
- Where can I access detailed records of all cyber incidents associated with Exodus Intelligence?
- Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
- Where can I view Exodus Intelligence's profile page on Rankiteo?
- How accurate is the A.I Rankiteo Risk Scoring methodology?