IronWorm Campaign Targets Developers Through Malicious npm Packages
ID: e7e68b66-f463-5f00-aec7-b2b5d5f0104e
STIX ID: report--e7e68b66-f463-5f00-aec7-b2b5d5f0104e
Feed Name: Cyber Press
IronWorm is an active, sophisticated supply-chain malware campaign that trojanizes npm packages by way of compromised GitHub accounts, targeting software developers, especially in the crypto and web3 sectors. The payload is a heavily obfuscated Rust infostealer bundled with a modified UPX packer and an eBPF kernel rootkit for stealth. It harvests a wide range of credentials, including environment variables and cloud, Kubernetes and AI API keys; it propagates using forged or backdated commits and CI impersonation; and it communicates with its C2 over Tor. Multiple npm packages tied to the Arweave/WeaveDB ecosystem were republished from a compromised account. The report provides package-version indicators and mitigation steps such as auditing repositories, rotating keys, and unpublishing suspicious npm versions.
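The report's package-version indicators are only useful if they are checked against what is actually installed, including transitive dependencies that never appear in package.json. The following is an added example, not code from the Cyber Press report or from any affected project: a Node script that scans a package-lock.json for known-bad package@version pairs. The INDICATORS set and the sample lockfile are constructed placeholder data with hypothetical package names; substitute the pairs listed in the report. It handles both lockfileVersion 1 (nested "dependencies") and lockfileVersion 2/3 (flat "packages" map).

```javascript
// Added example (not from the report): scan a package-lock.json for
// package@version indicators. INDICATORS below is constructed placeholder
// data with hypothetical package names, not real IronWorm IOCs.
const INDICATORS = new Set([
  "example-sdk@1.4.7",        // hypothetical
  "example-sdk@1.4.8",        // hypothetical
  "example-cli-helper@0.9.3", // hypothetical
]);

// lockfileVersion 1: recurse through nested "dependencies" objects,
// tracking the install path so nested copies are reported separately.
function walkV1(deps, found, base) {
  for (const [name, info] of Object.entries(deps || {})) {
    const nodePath = `${base}node_modules/${name}`;
    if (INDICATORS.has(`${name}@${info.version}`)) {
      found.push({ name, version: info.version, path: nodePath });
    }
    walkV1(info.dependencies, found, `${nodePath}/`);
  }
}

// lockfileVersion 2/3: flat map keyed by node_modules path; "" is the root project.
function walkV2(packages, found) {
  for (const [nodePath, info] of Object.entries(packages)) {
    if (nodePath === "") continue;
    // Aliased installs carry an explicit "name"; otherwise derive it from the
    // path (this also works for scoped packages such as node_modules/@scope/pkg).
    const marker = "node_modules/";
    const name = info.name || nodePath.slice(nodePath.lastIndexOf(marker) + marker.length);
    if (INDICATORS.has(`${name}@${info.version}`)) {
      found.push({ name, version: info.version, path: nodePath });
    }
  }
}

// Returns all hits as {name, version, path}, sorted by install path.
function scanLockfile(text) {
  const lock = JSON.parse(text);
  const found = [];
  if (lock.packages) walkV2(lock.packages, found);
  else walkV1(lock.dependencies, found, "");
  return found.sort((a, b) => a.path.localeCompare(b.path));
}

// Constructed sample lockfile (lockfileVersion 3): one direct hit, one hit
// pulled in transitively under left-pad, and a near-miss version (0.9.2).
const SAMPLE_LOCK = JSON.stringify({
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "0.1.0" },
    "node_modules/example-sdk": { version: "1.4.7" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/left-pad/node_modules/example-cli-helper": { version: "0.9.3" },
    "node_modules/example-cli-helper": { version: "0.9.2" },
  },
});

for (const hit of scanLockfile(SAMPLE_LOCK)) {
  console.log(`HIT ${hit.name}@${hit.version} at ${hit.path}`);
}
```

In practice, replace SAMPLE_LOCK with the contents of each repository's package-lock.json (and npm-shrinkwrap.json or the yarn/pnpm equivalents, which need their own parsers) and run it across every checkout and CI cache, since a trojanized version that was installed once may persist in a nested node_modules copy even after the top-level dependency is updated. A hit means the package was present at install time; treat any secrets reachable from that environment as exposed and rotate them.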
