Find notable cyber news and cases, enriched with sources, timelines, and signals.

IronWorm npm supply-chain infection and self-propagation

Malware Activity
First reported
Last updated
Happening score
H score 15
2 unique sources, 2 articles

Summary

Hide ▲

IronWorm is a Rust infostealer in a npm supply-chain activity that hides behind an eBPF kernel rootkit, communicates over Tor, and targets 86 environment variables and 20 credential files tied to OpenAI, AWS, Anthropic, npm, SSH, vaults, and Exodus wallet data. The initial intrusion was traced to the compromised asteroiddao account, and the malware has been observed using preinstall execution, stolen publishing credentials, and GitHub Actions-based secret movement to spread trojanized package versions. The activity infected 36 npm packages and was detected early enough to stop before it reached more popular packages.

Related Happenings

AsyncAPI malicious npm package supply-chain malware

Malware Activity
H score21 First: 15.07.2026 18:37 Last: 15.07.2026 18:37 Sources 1

About this happening: Malicious AsyncAPI npm releases pushed a remote access trojan and info-stealing payload into packages with more than 2.25 million weekly downloads, putting downstr...

Compromised @asyncapi npm packages distributing the Miasma loader

Malware Activity
H score29 First: 15.07.2026 12:16 Last: 15.07.2026 12:16 Sources 1

About this happening: Four compromised @asyncapi npm packages now deliver a multi-stage botnet loader when imported, exposing consumers to Miasma payloads during normal Node.js module load....

AsyncAPI repositories and npm publishing workflow hit by network compromise

Incident
H score27 First: 15.07.2026 12:16 Last: 15.07.2026 12:16 Sources 1

About this happening: The AsyncAPI npm publishing pipeline was compromised in a July 14 supply-chain attack that used the project’s normal GitHub Actions release path to publish trojani...

Jscrambler hit by network compromise

Incident
H score15 First: 13.07.2026 22:44 Last: 13.07.2026 22:44 Sources 1

About this happening: The Jscrambler npm package suffered an unauthorized publication of a malicious version that exposed developers to infostealer theft risk. The bad release stayed li...

Jscrambler 8.14.0 malicious preinstall infostealer release

Malware Activity
H score9 First: 11.07.2026 20:59 Last: 11.07.2026 20:59 Sources 1

About this happening: The jscrambler 8.14.0 npm release now ships a malicious preinstall hook that runs a Rust infostealer during install, putting developer and CI secrets at risk on ...

Timeline

  1. 04.06.2026 18:25 3 articles · 1mo ago

    IronWorm infects 36 npm packages

    Initial Disclosure

    A supply-chain attack infected 36 npm packages with IronWorm, a Rust-based infostealer that hides behind an eBPF kernel rootkit, communicates over Tor, and targets 86 environment variables and 20 credential files that may hold OpenAI, AWS, Anthropic, npm, SSH, vault, and Exodus wallet secrets. The malware can self-propagate by abusing stolen npm publishing credentials, including Trusted Publishing secrets, to publish trojanized package versions that can reach additional developers and CI systems; Ox Security says the activity was detected very early and stopped before it spread to more popular packages, with guidance to upgrade to fixed releases, rotate keys, and enable 2FA.

    Show sources