IronWorm npm Supply Chain Attack

avoid.net/ironworm-npm-supply-chain-attack · 0/100 · 87% conf.
[AI-DRAFTED · AWAITING VERIFICATION]

Summary

IronWorm is a Rust-based self-propagating malware campaign that compromised 36–37 npm packages in early June 2026 by exploiting a hijacked npm account ('asteroiddao') linked to the Arweave/WeaveDB ecosystem. The implant deploys an eBPF kernel rootkit, communicates over Tor, and includes a dedicated module targeting Exodus desktop wallet seed phrases and passwords. It self-replicates by abusing npm's Trusted Publishing flow and stolen GitHub Actions credentials to push backdated trojanized commits across at least nine GitHub organizations, making it one of the most technically sophisticated crypto-targeting supply chain attacks publicly documented to date.

Timeline (7 events)

2026-05-14

Separate node-ipc maintainer account compromise reported, part of the broader threat landscape targeting npm maintainers.

Cryptopolitan

2026-05-01

Mini Shai-Hulud variant discovered, described as a precursor to IronWorm within the same malware family.

CryptoTimes

2026-06-04

IronWorm publicly disclosed following SlowMist alert; malicious npm package versions detected under the 'asteroiddao' account targeting the Arweave/WeaveDB ecosystem.

CryptoTimes / BleepingComputer

2026-06-04

Malicious npm package versions (36–37 packages) marked as deprecated within approximately one day of publication.

Cryptopolitan

2026-06-05

JFrog Security Research publishes a full technical analysis of IronWorm, calling it 'Shai-Hulud's rustier cousin' and detailing the eBPF rootkit, Tor C2, Trusted Publishing abuse, and a hardcoded operator wallet recovery phrase.

JFrog Security Research

2026-06-05

BleepingComputer and The Hacker News publish coverage; The Hacker News also reports the concurrent Miasma worm variant in the same npm attack wave.

BleepingComputer / The Hacker News

2026-06-05

57 backdated malicious commits removed from the nine affected GitHub organizations, though some remain visible afterward.

JFrog Security Research

Provenance & Audit Trail

This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

model: claude-sonnet-4-6

generated: 6/18/2026, 5:03:33 PM

last updated: 6/18/2026, 5:03:42 PM

avoid.net — verified advice for a post-truth world