IronWorm npm Rust infostealer campaign

Summary

JFrog Security Research reported IronWorm on June 3, 2026: a self-replicating npm supply-chain campaign that starts from compromised developer/package-publisher access, ships a Linux Rust infostealer through npm preinstall, hides with an eBPF rootkit, communicates over Tor, and uses stolen GitHub / publishing access to plant itself into more repositories and npm packages.

This page tracks IronWorm as an operation and malware campaign. It is adjacent to Shai-Hulud / Mini Shai-Hulud tradecraft, but JFrog did not identify it as the same actor. Treat the overlap as a shared operational pattern until stronger attribution appears.

Why this matters

  • IronWorm moves beyond JavaScript install scripts: the reported sample drops a native Linux ELF under tools/setup and executes it from npm preinstall.
  • The implant combines software-supply-chain propagation with endpoint stealth: Rust code, per-call-site string decryption, a modified UPX marker, Tor C2, and eBPF process / network hiding.
  • The campaign specifically targets developer and crypto/Web3 environments, including cloud, package-registry, source-control, Kubernetes, AI-provider, and wallet material.
  • JFrog observed 57 backdated malicious commits across nine organizations, showing that commit timestamps and bot-like author names are not reliable evidence of benign activity.

Reported chain

Initial npm finding

  • JFrog investigated npm packages published by the asteroiddao account, tied to the asteroid-dao GitHub organization in the Arweave / WeaveDB ecosystem.
  • JFrog used weavedb-sdk@0.45.3 as its walkthrough sample.
  • The malicious tarball copied legitimate package files and added a 976 KB Linux ELF at tools/setup.
  • package.json executed the binary through "preinstall": "./tools/setup", so installation ran the implant before normal dependency resolution.
  • JFrog reported the malicious versions were deprecated within about a day and most malicious GitHub commits were removed, though some remained visible after cleanup.
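
A triage check for the package layout described above, as an added example (not JFrog's tooling or code from the affected project): it reads an npm tarball in memory, lists ELF members, and reports install-time hooks that directly name one. The function names and the sample tarball are constructed for illustration.

```python
import io
import json
import posixpath
import tarfile

ELF_MAGIC = b"\x7fELF"
HOOKS = ("preinstall", "install", "postinstall")  # run when the package is installed

def audit_npm_tarball(data: bytes) -> dict:
    """Return ELF members and install hooks that execute one of them."""
    elf_members, scripts = set(), {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # npm tarballs keep every file under one top-level directory
            rel = member.name.split("/", 1)[-1]
            fh = tar.extractfile(member)
            if rel == "package.json":
                scripts = json.load(fh).get("scripts", {})
            elif fh.read(4) == ELF_MAGIC:
                elf_members.add(rel)
    findings = []
    for hook in HOOKS:
        # Normalise each token ("./tools/setup" -> "tools/setup") and check
        # whether the hook command names a native binary shipped in the package.
        for tok in scripts.get(hook, "").split():
            path = posixpath.normpath(tok)
            if path in elf_members:
                findings.append((hook, scripts[hook], path))
    return {"elf": sorted(elf_members), "hook_runs_elf": findings}

def constructed_sample() -> bytes:
    """Constructed tarball with the reported layout; the 'ELF' is 8 inert bytes."""
    files = {
        "package/package.json": json.dumps({"scripts": {"preinstall": "./tools/setup"}}).encode(),
        "package/index.js": b"module.exports = {};\n",
        "package/tools/setup": ELF_MAGIC + b"\x02\x01\x01\x00",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_npm_tarball(constructed_sample()))
```

Run it on the raw .tgz bytes of a release before installation; a hook that launches the binary indirectly (for example through a shell script) appears only in the "elf" list and needs manual review.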

Repository poisoning and propagation

  • Recovered strings showed GitHub API use, branch names, commit messages, package-ecosystem injection templates, and bot identities designed to blend into maintenance activity.
  • JFrog found malicious commits with forged historical dates; the malware reportedly copied the timestamp of a repository's most recent legitimate commit so the added payload appeared old.
  • Observed payload commits used the author identity claude <claude@users.noreply.github.com>, mimicking an AI coding assistant.
  • JFrog reported 57 backdated malicious commits across nine organizations and tied the visible chain to a compromised ocrybit account with access to asteroid-dao and related repositories.
  • For package repositories, IronWorm can drop a binary into paths such as tools/setup or .github/scripts/precheck and alter build/install hooks across ecosystems including npm, PyPI, Cargo, Conan, and vcpkg-style C/C++ projects.
  • JFrog also found an unobserved but functional-looking workflow-replacement path: overwrite existing GitHub Actions workflows, serialize ${{ toJSON(secrets) }} into a harmless-looking artifact, pin legitimate actions by SHA, and attribute the change to familiar automation names such as Dependabot, Renovate, or GitHub Actions.

Trusted-publishing abuse

  • When running in CI, JFrog says the malware can request an OIDC identity token using npm trusted-publishing audience expectations.
  • It then exchanges that identity token through npm's /-/npm/v1/oidc/token/exchange/package/<pkg> endpoint for a short-lived package-scoped automation token.
  • The token can publish a trojanized release to registry.npmjs.org, meaning provenance or trusted-publishing evidence would need to be correlated with clean workflow inputs, not treated as a standalone allow signal.

Credential collection

  • JFrog reported collection of 86 environment variables across cloud providers, object storage, databases, source control, package registries, CI/CD, messaging platforms, Vault, Kubernetes, and AI / ML providers.
  • AI-related targets included credentials for Anthropic, OpenAI, Gemini, Cohere, Mistral, Groq, Perplexity, xAI, and related services.
  • File targets included modern developer-tool paths such as ~/.claude/.credentials.json, ~/.codex/auth.json, ~/Cursor/auth.json, and ~/.gemini/settings.json, plus ~/.aws/credentials, ~/.kube/config, and ~/.docker/config.json.
  • JFrog also described wallet-focused theft: when wallet material is unlocked, a hook can collect the wallet password and recovery phrase and pass it to a local listener controlled by the malware.

Stealth and command channel

  • The Linux sample was a Rust release binary packed with a lightly modified UPX stub; the UPX! marker was overwritten to break default upx -d detection until restored.
  • JFrog reported per-call-site string encryption, increasing reverse-engineering cost because no single key decrypts all embedded strings.
  • The eBPF component hides processes from /proc listings and hides TCP connections from /proc/net/tcp and netlink views used by tools such as ss.
  • Kernel lockdown weakens the strongest hiding behavior because the memory rewrite helpers fail, making hidden processes and sockets visible again on hardened systems.
  • For C2, IronWorm downloads the Tor expert bundle, writes its own torrc, starts Tor, beacons to /api/agent, and receives commands over plain HTTP inside the Tor tunnel.
  • Reported command support includes secret upload, file download from operator-controlled infrastructure, and remote shell execution; JFrog also saw code suggesting a possible temp.sh fallback upload path, though it did not confirm use in the wild.

Defender heuristics

Repository and package review

  • Audit every repository reachable by a compromised developer or publisher account, including private repositories if audit visibility allows it.
  • Search for backdated commits, suspicious branches, unexpected binary additions, and build/install hook changes attributed to claude, dependabot[bot], renovate[bot], github-actions[bot], or other automation identities outside their normal behavior.
  • Do not trust commit age alone; compare GitHub Actions execution time, push events, and audit logs against commit author/committer timestamps.
  • For npm packages, diff new releases against prior known-good tarballs and flag native binaries added to paths such as tools/setup or .github/scripts/precheck.
  • Review PyPI setup.py, Cargo build.rs, Conan, vcpkg, and other build-system hooks for new subprocess execution or binary staging.
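
One way to apply the commit-timestamp checks above, as an added example (not JFrog's tooling): it flags a commit whose author date is identical to its parent's while the author differs, and a commit first seen in push events long after its claimed date. The git log lines, push times, and the 30-day threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: `git log --format='%H|%P|%aI|%an <%ae>'` (hashes shortened)
GIT_LOG = """\
c3|b2|2025-11-02T10:15:00+00:00|claude <claude@users.noreply.github.com>
b2|a1|2025-11-02T10:15:00+00:00|Alice Dev <alice@example.com>
a1||2025-10-20T08:00:00+00:00|Alice Dev <alice@example.com>
"""
# Constructed sample: first time each commit appeared in push events / audit logs
PUSH_SEEN = {
    "a1": "2025-10-20T08:05:00+00:00",
    "b2": "2025-11-02T10:20:00+00:00",
    "c3": "2026-05-30T03:12:00+00:00",
}

def find_backdated(git_log, push_seen, max_lag=timedelta(days=30)):
    """Return (sha, author, reasons) for commits with suspicious timestamps."""
    commits = {}
    for line in git_log.strip().splitlines():
        sha, parents, date, author = line.split("|", 3)
        commits[sha] = (parents.split(), author, datetime.fromisoformat(date))
    findings = []
    for sha, (parents, author, date) in commits.items():
        reasons = []
        for parent in parents:
            if parent in commits:
                _, p_author, p_date = commits[parent]
                # Identical timestamp, different identity: date likely copied
                if p_date == date and p_author != author:
                    reasons.append("timestamp copied from parent " + parent)
        seen = push_seen.get(sha)
        # Server-side push time is not under the committer's control
        if seen and datetime.fromisoformat(seen) - date > max_lag:
            reasons.append("pushed long after claimed author date")
        if reasons:
            findings.append((sha, author, reasons))
    return findings

if __name__ == "__main__":
    for finding in find_backdated(GIT_LOG, PUSH_SEEN):
        print(finding)
```

Long-lived branches pushed late will also trip the lag check, so treat hits as leads to compare against audit logs rather than verdicts.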

CI/CD and identity hunting

  • Hunt for workflows that write ${{ toJSON(secrets) }} or bulk secret material into files/artifacts, especially names resembling formatting, lint, metrics, or report output.
  • Treat pinned action SHAs as necessary but not sufficient; a malicious workflow can pin legitimate actions while exfiltrating secrets through allowed artifact channels.
  • Correlate npm trusted-publishing exchanges with expected branches, protected environments, release commits, and workflow definitions.
  • Rotate credentials only after preserving enough evidence to determine which repositories, packages, CI jobs, and cloud resources were reachable.
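
A hunting sketch for the first heuristic in this list, as an added example (not JFrog's tooling): it finds whole-context toJSON(secrets) expressions in a workflow file, follows the environment variable they are assigned to, and reports where that value is written and whether the workflow uploads artifacts. The workflow text, file names, and all-zero action SHA are constructed.

```python
import re

# Whole secrets context only; a single secret (secrets.NPM_TOKEN) does not match.
# Case-insensitive to catch spelling variants such as toJson.
DUMP = re.compile(r"\$\{\{[^}]*\btojson\(\s*secrets\s*\)[^}]*\}\}", re.I)
ASSIGN = re.compile(r"^\s*(?:-\s*)?([A-Za-z_][A-Za-z0-9_]*):\s*['\"]?\$\{\{")
UPLOAD = re.compile(r"uses:\s*['\"]?actions/upload-artifact@", re.I)
WRITE = re.compile(r"(?:>>?|\btee\b(?:\s+-a)?)\s*([^\s;|&]+)")

# Constructed sample workflow
WORKFLOW = """\
name: Format check
on: [push]
jobs:
  fmt:
    runs-on: ubuntu-latest
    steps:
      - name: Collect metrics
        env:
          REPORT: ${{ toJSON(secrets) }}
        run: echo "$REPORT" > format-results.json
      - uses: actions/upload-artifact@0000000000000000000000000000000000000000
        with:
          path: format-results.json
"""

def scan_workflow(text):
    """Return one finding per line that carries or references the secrets dump."""
    lines = text.splitlines()
    tainted = set()
    for line in lines:
        m = ASSIGN.match(line)
        if m and DUMP.search(line):
            tainted.add(m.group(1))  # env var now holding every secret
    refs = [re.compile(r"\$\{?" + re.escape(v) + r"\b") for v in tainted]
    has_upload = any(UPLOAD.search(line) for line in lines)
    findings = []
    for n, line in enumerate(lines, 1):
        if not (DUMP.search(line) or any(r.search(line) for r in refs)):
            continue
        w = WRITE.search(line)
        findings.append({"line": n, "written_to": w.group(1) if w else None,
                         "uploads_artifact": has_upload})
    return findings

if __name__ == "__main__":
    for finding in scan_workflow(WORKFLOW):
        print(finding)
```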

Endpoint and Linux controls

  • On developer and CI Linux hosts, investigate unexpected Tor downloads, torrc creation, tools/setup execution, and unknown Rust/ELF processes spawned by package installation.
  • Use kernel-lockdown and eBPF restrictions where operationally possible; JFrog's analysis indicates lockdown can break IronWorm's strongest process and socket hiding.
  • Prefer endpoint telemetry that does not rely only on /proc or netlink views that eBPF rootkits can filter.
  • Isolate suspected developer hosts before broad token rotation if active malware may still be collecting refreshed secrets.

Sources

  • JFrog Security Research: https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/