Key Takeaways:
A Rust-based worm called IronWorm compromised at least 36 npm packages in the Arweave ecosystem, stealing developer credentials and using them to self-propagate across GitHub repositories before vanishing.
JFrog Security Research identified the campaign while investigating suspicious activity linked to a developer account within the Arweave and WeaveDB open source ecosystem. The malware, written in Rust, harvests API keys, cloud credentials, SSH keys, and npm publishing tokens from infected developer machines, then reuses those credentials to push malicious code to other repositories.
"The closest comparison is the Shai-Hulud campaign," JFrog's research team said in a report published Wednesday. "The malware we reviewed shares a lot with it: the same idea of compromising developers, stealing credentials, and using trusted software-supply-chain workflows to spread further." But IronWorm takes the concept "to the next level," the researchers added.
The attacker made at least 57 malicious code changes across repositories belonging to nine organizations, backdating the commits to obscure the timeline of compromise. Some contributions were attributed to Anthropic's Claude AI model using the email "claude@users.noreply.github.com" despite bearing timestamps as old as 13 years. GitHub Action logs revealed the commits were actually pushed by the compromised ocrybit user, JFrog said. OX Security, which also tracked the campaign, said the affected packages had more than 32,000 combined monthly downloads before the threat was mitigated.
A Custom Implant With No Known Precedent
JFrog said the IronWorm payload matched no known infostealer, eBPF rootkit, or command-and-control framework in its database. The binary contains thousands of functions with encrypted strings that could only be recovered at runtime, each using unique decryption parameters rather than a single hardcoded key.
The malware targets 86 environment variables across cloud providers, AI services, and cryptocurrency platforms. It scrapes credentials for Amazon Web Services, Docker, Kubernetes, npm, and vault configurations, as well as API keys for AI services including Anthropic, OpenAI, Google Gemini, Cohere, Mistral, Groq, Perplexity, and xAI. It also targets the Exodus desktop cryptocurrency wallet — though the attacker hardcoded their own wallet's BIP-39 recovery phrase to prevent the malware from touching it, a detail JFrog traced to a near-empty test wallet holding a few cents of dust.
IronWorm uses an eBPF payload that functions as a Linux kernel rootkit to hide malicious processes, files, and network activity from security systems. On systems where kernel lockdown is enabled, the process-hiding tricks fail and the activity becomes visible again, JFrog noted. The malware communicates with its operator over Tor and accepts commands for uploading secrets, dropping files, and running remote shells.
Self-Propagation Through Trusted Publishing
The attack chain began with a compromised npm account named "asteroiddao," which published package versions containing a Rust ELF binary executed via a preinstall hook. In CI environments, the malware abused npm's Trusted Publishing flow — obtaining an OIDC token from the developer's CI environment to push poisoned versions to the registry without needing npm credentials.
The malicious payload also swapped existing GitHub Actions workflows for a version capable of harvesting secrets, writing them to a harmless-looking file, and uploading it as a build artifact — eliminating the need for an external C2 server for data exfiltration. The attacker then silently removed the malicious packages from GitHub within a day of publishing them, JFrog said.
The campaign echoes the Shai-Hulud worm deployed by the TeamPCP cybercrime group, which previously compromised the Trivy security scanning tool and other projects to deploy infostealers targeting CI/CD secrets. But IronWorm is written in Rust rather than JavaScript, making it significantly harder to reverse-engineer. JFrog said it "can't know for sure" whether IronWorm is directly related to TeamPCP or a copycat.
The attack underscores how developer environments have become prime targets for supply chain compromise. By compromising a single developer, threat actors can introduce malicious code into trusted software projects and reach numerous downstream organizations. Organizations that may have been affected should audit repositories for commits from the ocrybit account, rotate all keys and secrets available to the compromised account, and check published npm packages for malicious versions, JFrog said.
This article is for informational purposes only and does not constitute investment advice.
