Best crypto insights delivered straight to your inbox.
- A Rust infostealer called IronWorm hid in 36 npm packages from the Arweave ecosystem.
- The malware self-replicated and then pushed backdated malicious commits across nine organizations.
- Developers who installed affected packages should rotate all exposed secrets immediately.
Attackers planted an infostealer inside 36 npm packages linked to the Arweave ecosystem. It targeted developer credentials, SSH keys, and Exodus crypto wallet files. Security firm JFrog traced the attack back to a compromised maintainer account.
The malware is called IronWorm, and its built using Rust. It activates the moment a developer installs an npm package. Once running, it scans through the infected computer for 86 environment variables and 20 credential files, as JFrog’s research team found. It goes after AWS tokens, Anthropic and OpenAI API keys, npm authentication credentials, and crypto wallet data.
Arweave project packages carry hidden Rust malware
Attackers comproimised an npm account called “asteroiddao,” which belongs to the asteroid-dao GitHub group, part of the Arweave/WeaveDB decentralized database project.
All packages associated with the “asteroiddao” account were republished within a short time, with each new version containing a 976 KB Linux file located in a tools/ directory.
The file was set to run automatically through a preinstall hook in package.json, meaning it launched before npm even began installing anything. All a victim had to do was run npm install.
JFrog’s team pulled the file apart and found it had been packed in a way designed to fool standard unpacking tools. Inside was a large Rust program that kept its strings encrypted individually, with each one locked separately, making analysis much harder.
When those strings were finally decoded, they revealed GitHub API endpoints, paths to credential files, fake bot accounts linked to real GitHub user IDs, and templates for injecting malicious code into other package registries.
Stolen GitHub tokens let malware push commits and infect more repos
After harvesting credentials, IronWorm used them to push commits into repositories the victim could access. Those commits planted the same malicious binary into other packages, which could then be published to npm and compromise the next developer in the chain.
JFrog found 57 backdated malicious commits across nine GitHub organizations. The commits used the author name “claude” with the email [email protected]. Timestamps were forged to match each repository’s most recent legitimate commit. One appeared to date back 13 years, though GitHub Actions logs confirmed all pushes happened within a few days of discovery.
The affected organizations included asteroid-dao, weavedb, ArweaveOasis, and several personal accounts associated with the developer “ocrybit.”
IronWorm also deployed an eBPF kernel rootkit to hide on infected machines. Communications to its operator routed through the Tor network. The Rust compiler left the rootkit’s source code in the binary, an operational mistake that made analysis easier.
One oddity is that the operator hardcoded their own cryptocurrency wallet recovery phrase into the malware. JFrog concluded this was a safeguard to prevent the stealer from exfiltrating the attacker’s own credentials during testing.
Malware attacks keep hitting npm
Application security firm Ox Security said that the attack was caught early, before it could spread to more packages on npm.
The malicious versions were marked as deprecated within a day and most of the backdated commits were removed from GitHub shortly after.
On May 14, hackers exploited an inactive maintainer account for node-ipc, a package with more than 822,000 weekly downloads. The exploit was accomplished by re-registering the maintainer’s expired email domain and resetting the npm password. Three compromised variants had credential stealing payloads aimed at over 90 categories of developer secrets.
Security firms Endor Labs and StepSecurity identified a concurrent but distinct attack using JavaScript-based malware called binding.gyp, which performed similar registry poisoning and GitHub Actions infection during the same timeframe.
Developers who installed any of the affected WeaveDB packages should rotate all credentials, check lock files for unexpected version changes, and enable two-factor authentication on npm and GitHub accounts.
If you're reading this, you’re already ahead. Stay there with our newsletter.
FAQs
What is IronWorm and how does it spread?
IronWorm is a Rust infostealer that executes during `npm install` via a preinstall hook. Once it has credentials, it uses stolen GitHub and npm tokens to push malicious commits into the victim's repositories.
Which npm packages were affected by the IronWorm attack?
The attack compromised 36 packages published under the "asteroiddao" npm account, all tied to the Arweave/WeaveDB ecosystem.
What credentials does IronWorm steal?
The malware targets 86 environment variables and 20 credential files. That includes AWS tokens, OpenAI and Anthropic API keys, npm authentication secrets, SSH keys, and Exodus crypto wallet files.
Disclaimer. The information provided is not trading advice. Cryptopolitan.com holds no liability for any investments made based on the information provided on this page. We strongly recommend independent research and/or consultation with a qualified professional before making any investment decisions.
Randa Moses
Randa Moses is an editor and reporter at Cryptopolitan covering tech, AI, robotics, crypto, scams, and hacks. She has worked in the crypto space since 2017. She held roles at Forward Protocol, AmaZix, and Cryptosomniac. Randa holds a degree in Electrical and Electronics Engineering from the University of Bradford.
CRASH COURSE
- Which cryptocurrencies can make you money
- How to boost your security with a wallet (and which ones are actually worth using)
- Little-known investment strategies that the pros use
- How to get started investing in crypto (which exchanges to use, the best crypto to buy etc)