IronWorm is a Rust-based infostealer malware involved in a supply-chain attack targeting 36 packages on the npm registry. It steals sensitive environment variables and credential files including those for OpenAI, AWS, Anthropic, npm, vault configurations, SSH keys, and cryptocurrency wallets. The malware hides behind an eBPF kernel rootkit and communicates with its operator over the Tor network. It self-propagates by using stolen npm publishing credentials, including those linked to npm's Trusted Publishing workflow, to publish trojanized package versions. The attack originated from a compromised account named 'asteroiddao' and uses backdated Git commits to evade detection. It also leverages GitHub Actions for secret exfiltration, although this mechanism was not observed in the current attack. Early detection by security firms limited its spread. Remediation involves upgrading affected packages, rotating credentials, and enabling two-factor authentication.

The malware compromises developer and CI environments by stealing a wide range of sensitive credentials and environment variables, potentially exposing cloud service keys, cryptographic keys, and cryptocurrency wallets. This enables the attacker to publish malicious package versions that further propagate the infection within the npm ecosystem. The attack could lead to widespread credential theft and compromise of development pipelines. However, the attack was detected early and did not spread to highly popular packages, limiting its impact.

Security researchers recommend upgrading to fixed versions of the affected npm packages. Developers should rotate all potentially compromised keys and credentials. Enabling two-factor authentication (2FA) on all npm accounts is advised to prevent unauthorized publishing. Since this is a supply-chain attack, verifying package integrity before use is important. No official patch or vendor advisory is provided in the input; therefore, patch status is not yet confirmed — check vendor advisories for updates.