A new supply-chain attack has infected 36 packages on the Node Package Manager (npm) index with infostealer malware called IronWorm.

The malware targets 86 environment variables (key-value pairs) and 20 credential files that may contain OpenAI, AWS, Anthropic, and npm credentials, vault configuration files, SSH keys, and Exodus cryptocurrency wallet files.

According to researchers at supply-chain and devops company JFrog, IronWorm is written in Rust, hides behind an eBPF kernel rootkit, and communicates with the operator over the Tor network.

The Rust-based malware self-propagates by using stolen credentials for publishing on npm; this includes secrets associated with npm's Trusted Publishing workflow.

Once it compromises a developer or CI environment, it can publish trojanized versions of packages owned by the victim, which then infect additional developers and CI systems.

This behavior is conceptually similar to Shai Hulud, which had its code published on GitHub recently. Although JFrog researchers did not find a clear connection between IronWorm and Shai Hulud, they observed the same commit names in both supply-chain attacks.

This opens the possibility that the new malware is an evolution of TeamPCP’s payload, since IronWorm appears to be "a custom, carefully built implant from an operation with its own infrastructure."

According to JFrog, the latest attack started from a compromised account named ‘asteroiddao,’ which published package versions containing the Rust ELF binary executed via ‘preinstall,’ pushing malicious commits into repositories.

The commit author appears as “claude,” and the timestamps point to several years ago, up to 13 years in some cases, even though they were pushed in the past few days. This is likely to evade investigation.

One notable element in JFrog’s findings is a mechanism that relies on GitHub Actions to deliver the stolen secrets. JFrog explains that the malware serializes the secrets into a single value and then "writes it to a file with a harmless-looking name, as if it were lint or formatting output."

The last step of the process is uploading the file as a build artifact, which can be downloaded by anyone with access. This way, the threat actor can avoid the need for an external command-and-control (C2) altogether.

However, the researchers note that this delivery mechanism has not been used in the analyzed IronWorm supply-chain attack.

Another peculiarity discovered is that the operator hardcoded the recovery phrase of their own cryptocurrency wallet. The researchers say that the only reason for this is that the threat actor did not want the malware to steal it during the test stage.

Application security company Ox Security says that the IronWorm attack was detected very early and stopped before it spread to more popular packages on npm.

The company provides a list of all impacted package names and their versions in the report and recommends that developers upgrade to fixed releases, rotate their keys, and enable two-factor authentication (2FA) for all accounts.

At the same time, Endor Labs and StepSecurity have spotted a very similar but distinct attack involving a JavaScript-based malware named binding.gyp, performing registry poisoning and GitHub Actions infection, unfolding during the same time-frame.