IronWorm npm Attack Steals Developer Secrets
ID: 14ba052a-6e02-566e-ba85-d51b003286fa
STIX ID: report--14ba052a-6e02-566e-ba85-d51b003286fa
Feed Name: GBHackers
IronWorm is a sophisticated supply-chain campaign that delivered packed Rust-based native binaries via malicious npm packages to compromise developer environments. It harvests cloud, CI, AI and local credentials along with crypto wallet data, and self-propagates by using stolen GitHub credentials to inject malicious commits and replace workflows. It also deploys an eBPF rootkit for stealth, abuses OIDC for ephemeral npm publishing, and uses Tor for C2. Active exploitation has been observed across multiple packages and organizations.
