Question 1

What is IronWorm and how does it spread?

Accepted Answer

IronWorm is a Rust-based infostealer that executes during `npm install` via a preinstall hook. Once it has credentials, it uses stolen GitHub and npm tokens to push malicious commits into the victim's repositories. Other developers who install those compromised packages get infected next.

Question 2

Which npm packages were affected by the IronWorm attack?

Accepted Answer

The attack compromised 36 packages published under the "asteroiddao" npm account, all tied to the Arweave/WeaveDB ecosystem. That includes weavedb-sdk version 0.45.3 and related packages listed in JFrog's research disclosure.

Question 3

What credentials does IronWorm steal?

Accepted Answer

The malware targets 86 environment variables and 20 credential files. That includes AWS tokens, OpenAI and Anthropic API keys, npm authentication secrets, SSH keys, and Exodus cryptocurrency wallet files.

JFrog

Attackers trojanized Arweave’s WeaveDB npm package to deploy malware

One sharp brief.
Every day.

JFrog

Attackers trojanized Arweave’s WeaveDB npm package to deploy malware

One sharp brief.Every day.

One sharp brief.
Every day.