IronWorm Supply Chain Attack Uses Malicious npm Packages to Steal Developer Secrets
ID: c117c4d3-39f2-5a5c-a6de-3396d3f9a675
STIX ID: report--c117c4d3-39f2-5a5c-a6de-3396d3f9a675
Feed Name: cybersecurityNews.com
IronWorm is a sophisticated supply-chain malware campaign targeting software developers via poisoned npm packages that silently execute a packed Rust infostealer. It uses an eBPF kernel-level rootkit to hide, communicates over Tor, exfiltrates a broad range of credentials (including crypto wallet recovery phrases and Kubernetes tokens), and self-propagates by using stolen GitHub credentials to create backdated commits and publish trojanized packages to npm; the report includes multiple IoCs and remediation recommendations.
