IronWorm npm supply-chain infection and self-propagation
Malware Activity
Summary
The IronWorm malware has infected 36 npm packages, creating a supply-chain risk for developer and CI environments that can leak secrets and receive trojanized updates. It targets 86 environment variables and 20 credential files, including OpenAI, AWS, Anthropic, and npm credentials, plus SSH keys and Exodus wallet files. The malware also self-propagates by stealing publishing credentials, including secrets tied to npm Trusted Publishing, so a single compromise can spread to more packages.
Related Happenings
Asteroiddao hit by network compromise
Incident
First: 04.06.2026 18:25
Last: 04.06.2026 18:25
Sources 1
How related:
According to JFrog, the latest attack started from a compromised account named ‘asteroiddao,’ which published package versions containing the Rust ELF binary executed via ‘preinstall,’ pushing malicious commits into repositories.
About this happening:
**asteroiddao** suffered a compromised-account incident that let malicious npm package versions and repository commits seed a wider **supply-chain attack**. The account was used t...
Vpmdhaj npm preinstall credential-harvest campaign
Campaign
First: 29.05.2026 12:11
Last: 29.05.2026 12:11
Sources 1
About this happening:
A new **vpmdhaj** supply-chain campaign has surfaced in **14 malicious npm packages** that use a **preinstall credential harvester** to steal **AWS credentials**, **HashiCorp Vaul...
GlassWorm supply-chain malware activity
Malware Activity
First: 27.05.2026 14:48
Last: 27.05.2026 14:48
Sources 1
About this happening:
The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...
TrapDoor trap-core.js credential-stealing package malware
Malware Activity
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources 1
About this happening:
The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...
Shai-Hulud worm clone activity on NPM
Malware Activity
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Timeline
04.06.2026 18:25
IronWorm infects 36 npm packages
Initial Disclosure
A supply-chain attack infected 36 npm packages with IronWorm, a Rust-based infostealer that hides behind an eBPF kernel rootkit, communicates over Tor, and targets 86 environment variables and 20 credential files that may hold OpenAI, AWS, Anthropic, npm, SSH, vault, and Exodus wallet secrets. The malware can self-propagate by abusing stolen npm publishing credentials, including Trusted Publishing secrets, to publish trojanized package versions that can reach additional developers and CI systems; Ox Security says the activity was detected very early and stopped before it spread to more popular packages, with guidance to upgrade to fixed releases, rotate keys, and enable 2FA.
Sources:
- New IronWorm malware hits 36 packages in npm supply-chain attack — www.bleepingcomputer.com — 04.06.2026 18:25